In this article, we will learn how to install and configure Fail2ban to secure SSH connections on CentOS 7. We all connect to our servers over SSH, and for that to work the SSH service has to be exposed to the internet, which makes it a target. If we look at the logs for this service we often see repeated login attempts coming from brute-force attacks.
Fail2ban is not available in the official CentOS repository, so we first update the system and install the EPEL repository package. We then install fail2ban and enable it to start at system boot.
# yum update
# yum install epel-release
# yum install fail2ban
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.excellmedia.net
 * epel: kodeterbuka.beritagar.id
 * extras: mirrors.nhanhoa.com
 * updates: mirrors.nhanhoa.com
Resolving Dependencies
================================================================================
 Package               Arch     Version            Repository   Size
================================================================================
Installing:
 fail2ban              noarch   0.9.3-1.el7        epel         9.7 k
Installing for dependencies:
 ebtables              x86_64   2.0.10-13.el7      base         122 k
 fail2ban-firewalld    noarch   0.9.3-1.el7        epel         9.9 k
 fail2ban-sendmail     noarch   0.9.3-1.el7        epel          13 k
 fail2ban-server       noarch   0.9.3-1.el7        epel         395 k
 firewalld             noarch   0.3.9-14.el7       base         476 k
 ipset                 x86_64   6.19-4.el7         base          36 k
 ipset-libs            x86_64   6.19-4.el7         base          46 k
 libselinux-python     x86_64   2.2.2-6.el7        base         247 k
 python-slip           noarch   0.4.0-2.el7        base          30 k
 python-slip-dbus      noarch   0.4.0-2.el7        base          31 k
 systemd-python        x86_64   219-19.el7_2.11    updates       99 k
Updating for dependencies:
 libgudev1             x86_64   219-19.el7_2.11    updates       66 k
 systemd               x86_64   219-19.el7_2.11    updates      5.1 M
 systemd-libs          x86_64   219-19.el7_2.11    updates      358 k
 systemd-sysv          x86_64   219-19.el7_2.11    updates       53 k

Transaction Summary
================================================================================
Install  1 Package  (+11 Dependent packages)
Upgrade             (  4 Dependent packages)

Total download size: 7.1 M
Is this ok [y/d/N]: y
Downloading packages:
--> Running transaction check

Installed:
  fail2ban.noarch 0:0.9.3-1.el7

Dependency Installed:
  ebtables.x86_64 0:2.0.10-13.el7
  fail2ban-firewalld.noarch 0:0.9.3-1.el7
  fail2ban-sendmail.noarch 0:0.9.3-1.el7
  fail2ban-server.noarch 0:0.9.3-1.el7
  firewalld.noarch 0:0.3.9-14.el7
  ipset.x86_64 0:6.19-4.el7
  ipset-libs.x86_64 0:6.19-4.el7
  libselinux-python.x86_64 0:2.2.2-6.el7
  python-slip.noarch 0:0.4.0-2.el7
  python-slip-dbus.noarch 0:0.4.0-2.el7
  systemd-python.x86_64 0:219-19.el7_2.11

Dependency Updated:
  libgudev1.x86_64 0:219-19.el7_2.11
  systemd.x86_64 0:219-19.el7_2.11
  systemd-libs.x86_64 0:219-19.el7_2.11
  systemd-sysv.x86_64 0:219-19.el7_2.11

Complete!
We will now start the fail2ban service and enable it to start at boot time.
# systemctl start fail2ban
# systemctl enable fail2ban
Now that Fail2ban is installed, we need to customize its configuration for our environment. Fail2ban keeps all of its configuration files under /etc/fail2ban. Rather than editing /etc/fail2ban/jail.conf directly (it may be overwritten by a package update), we copy it to /etc/fail2ban/jail.local, which overrides the values in jail.conf. Below is the command for copying the configuration.
# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we will customize the configuration file accordingly.
# vi /etc/fail2ban/jail.local
[DEFAULT]
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information

ignoreip = 127.0.0.1/8

# External command that will take a tagged argument to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 1200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
Ignoreip − This option lists the IP addresses that must never be banned, separated by spaces. Add your own IP address here so that you cannot lock yourself out.
Bantime − This option sets the number of seconds for which a host is banned.
Findtime − This option sets the window, in seconds, in which failures are counted: a host is banned if it reaches "maxretry" failures within the last "findtime" seconds.
Maxretry − This option sets the number of failed attempts a host is allowed before it is banned.
We will now create a separate configuration file for the sshd jail under /etc/fail2ban/jail.d/ with the command below and add the following Fail2ban settings to it.
# vi /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 25
bantime = 36000
Enabled → Set this option to true to enable the protection, or to false to deactivate it. The jail uses the sshd filter defined in /etc/fail2ban/filter.d/sshd.conf.
Action → This option defines how a banned IP address is blocked. The commented-out value would use the firewalld/ipset action defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf.
Port → This option is used when the SSH port has been changed. The default sshd port is 22, so if you have not changed it there is no need to change this option.
Logpath → This option tells Fail2ban which log file to scan for failed logins; %(sshd_log)s expands to the sshd log file of the distribution, which on CentOS is /var/log/secure.
Maxretry → This option sets the maximum number of failed logins allowed before the host is banned.
Bantime → This option sets the number of seconds for which the host is banned.
Now that the configuration is complete, we need to restart the fail2ban service.
# systemctl restart fail2ban
Below is the command used to check the Fail2ban status.
# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           sshd
Below is the command to check the failed SSH login attempts recorded in the server's log.
# cat /var/log/secure | grep 'Failed password'
Jul 18 16:41:12 htf sshd: Failed password for root from 220.127.116.11 port 23421 ssh2
Jul 18 16:41:15 htf sshd: Failed password for root from 18.104.22.168 port 15286 ssh2
Jul 18 16:41:16 htf sshd: Failed password for root from 22.214.171.124 port 24157 ssh2
Jul 18 16:41:18 htf sshd: Failed password for root from 126.96.36.199 port 24057 ssh2
Jul 18 16:41:19 htf sshd: Failed password for root from 188.8.131.52 port 27286 ssh2
Jul 18 16:41:22 htf sshd: Failed password for root from 184.108.40.206 port 13486 ssh2
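To make the [DEFAULT] and [sshd] settings concrete, here is an added example (not part of the original article and not Fail2ban's own code) that applies the same sliding-window rule to sshd log lines in the /var/log/secure format shown above and reports which hosts would be banned under a given maxretry, findtime and ignoreip. The log lines, hostnames and addresses are constructed, and the year is assumed because syslog timestamps carry none; this is a handy way to sanity-check a jail's thresholds before enabling it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd "Failed password" lines as they appear in /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2016):
    # syslog timestamps carry no year, so one is assumed (constructed assumption)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate_jail(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Return {ip: time_of_ban} for the hosts a jail with these settings would
    ban: a host is banned once it reaches `maxretry` failures inside a sliding
    window of `findtime` seconds, unless it falls in an `ignoreip` network."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # not a failed login: the sshd filter ignores it
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue              # already banned (firewall drops it) or whitelisted
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = t
    return bans

# Constructed sample log lines (not from the article), using RFC 5737 test addresses.
SAMPLE_LOG = [
    f"Jul 18 16:41:{s:02d} htf sshd[2171]: Failed password for root from 203.0.113.5 port 4{s}21 ssh2"
    for s in (12, 15, 16, 18, 19, 22)          # 6 failures within 10 seconds
] + [
    f"Jul 18 16:{m:02d}:00 htf sshd[2172]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2"
    for m in (0, 3, 6, 9, 12)                   # 5 failures spread over 12 minutes
] + [
    f"Jul 18 16:50:{s:02d} htf sshd[2173]: Failed password for root from 127.0.0.1 port 60000 ssh2"
    for s in range(6)                           # local host: covered by ignoreip
] + ["Jul 18 16:51:00 htf sshd[2174]: Accepted publickey for deploy from 203.0.113.9 port 40001 ssh2"]

if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S} under the [DEFAULT] settings")
```

Under the [DEFAULT] values (maxretry 5, findtime 600) only the fast burst from 203.0.113.5 is banned; the slow attempts from 198.51.100.7 never reach five failures inside one window, and with the [sshd] jail's maxretry of 25 nothing in this sample would be banned at all.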
To remove an IP address from the banned list, replace IPADDRESS in the command below with the address to be allowed again. The name "sshd" is the jail name; below is the command used for unbanning an IP.
# fail2ban-client set sshd unbanip IPADDRESS
Example:
# fail2ban-client set sshd unbanip 192.168.1.22
# fail2ban-client set sshd unbanip 220.127.116.11
To troubleshoot Fail2ban, we can view its logs since the last boot with the command below.
# journalctl -b -u fail2ban
-- Logs begin at Mon 2016-07-18 08:20:57 EDT, end at Mon 2016-07-18 11:47:19 EDT
Jul 18 17:47:19 centos-linux-1.shared systemd: Starting Fail2Ban Service...
Jul 18 17:47:19 centos-linux-1.shared fail2ban-client: 2016-07-18 11:47:19
Jul 18 17:47:19 centos-linux-1.shared fail2ban-client: 2016-07-18 11:47:19
Jul 18 17:47:19 centos-linux-1.shared systemd: Started Fail2Ban Service.
With the above configuration and setup we can now define basic banning policies for our services with Fail2ban. It is easy to set up, and the same approach can be used to protect other kinds of services as well.