How To Protect SSH With Fail2Ban on CentOS 8

How to install Fail2Ban on CentOS 8

The procedure to set up and configure Fail2ban to secure your server is as follows:

1. Log in to your CentOS 8 server using ssh
2. Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
3. Install Fail2Ban, run: sudo yum install fail2ban
4. Configure Fail2ban
5. Enable and start Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Let us see all commands and options in details.

Where to find failed ssh login attempts

See /var/log/secure using the grep command/egrep command or cat command/tail command/less command/more command:
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure
Sample outputs:

Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2

Protect SSH With Fail2Ban on CentOS 8

First enable and install EPEL Repo on CentOS 8, run:
sudo yum update
sudo yum install epel-release
sudo yum update

Install Fail2ban on CentOS 8

Since you enabled ELEP repo, we can install Fail2ban as follows using the yum command:
sudo yum install fail2ban

It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:
sudo systemctl enable fail2ban
Sample outputs:

Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service ? /usr/lib/systemd/system/fail2ban.service.

Configure Fail2ban settings

The /etc/fail2ban/jail.local file overrides defaults set in /etc/fail2ban/jail.conf file. Therefore, create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:
sudo vi /etc/fail2ban/jail.local
Update/append as follows:

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
 
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3
 
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your 
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
 
# Call iptables to ban IP address
banaction = iptables-multiport
 
# Enable sshd protection
[sshd]
enabled = true

Save and exit the file. Next start the service, run:
sudo systemctl start fail2ban
sudo systemctl status fail2ban

How do I start/stop/restart fail2ban service?

The syntax is as follows:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban

Finding status of failed and banned IP address

Run the following two commands:
sudo fail2ban-client status
sudo fail2ban-client status sshd

Read log file that contains password failure report and show current status

Fail2ban filters

Cd into /etc/fail2ban/filter.d and you can view all filters:
cd /etc/fail2ban/filter.d
ls
For example, show Fail2Ban filter for openssh, run cat command:
sudo cat /etc/fail2ban/filter.d/sshd.conf
OR
sudo vi /etc/fail2ban/filter.d/sshd.conf
Do not edit this file. For customization create a file named /etc/fail2ban/jail.d/sshd.conf.local.

Getting more information about banned IP address and log files

Execute the following commands:
tail -f /var/log/fail2ban.log
grep IP-address /var/log/fail2ban.log
sudo iptables -L -n -v
sudo iptables -L f2b-sshd -n -v
sudo iptables -S | f2b-sshd

Other suggestions

• Disable and deny root user login
• Disable ssh password based login on Linux to increase security
• Enable 2FA for ssh
• See all OpenSSH server best security tips and practices

Conclusion

You just learned how to protect ssh server from brute force attacks by installing and configuring Fail2ban service on CentOS 8 Linux server. Fail2ban has many more options and commands hence I request you to check the official documentation wiki page.