How To Protect SSH With Fail2Ban on CentOS 8


My ssh log file shows too many password failures. Random IP addresses are trying to brute force the sshd server running on my CentOS 8 server. How do I protect ssh with Fail2Ban on a CentOS 8 Linux server? How do I install Fail2Ban on CentOS 8?

Typically SSH (TCP port 22) is exposed to everyone on the Internet. As a result, many bots and attackers try random user names and passwords to log in to your server. OpenSSH itself is pretty secure, but any password-based login can be brute-forced if an account has a weak password. A sample of the failed-login messages from my server is shown further below.
You can protect your ssh and other services using Fail2ban security application that bans IP address after several unsuccessful ssh login attempts. This page shows how to install and configure Fail2ban on a CentOS 8 Linux server.

How to install Fail2Ban on CentOS 8

The procedure to set up and configure Fail2ban to secure your server is as follows:

  1. Log in to your CentOS 8 server using ssh
  2. Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
  3. Install Fail2Ban, run: sudo yum install fail2ban
  4. Configure Fail2ban
  5. Enable and start Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Let us see all commands and options in detail.

Where to find failed ssh login attempts

Failed logins are recorded in /var/log/secure, which is readable by root only. View it with the tail command or search it with the grep command (less, more or cat work too):
sudo tail -f /var/log/secure
sudo grep 'sshd.*Failed password for' /var/log/secure

Sample outputs:

Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2

Protect SSH With Fail2Ban on CentOS 8

First enable and install EPEL Repo on CentOS 8, run:
sudo yum update
sudo yum install epel-release
sudo yum update

Install Fail2ban on CentOS 8

Since you enabled the EPEL repo, install Fail2ban with the yum command (on CentOS 8 yum is an alias for dnf):
sudo yum install fail2ban
It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:
sudo systemctl enable fail2ban
Sample outputs:

Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.

Configure Fail2ban settings

Fail2ban reads /etc/fail2ban/jail.conf first, then /etc/fail2ban/jail.d/*.conf, then /etc/fail2ban/jail.local, then /etc/fail2ban/jail.d/*.local, and later files override earlier ones. Do not edit jail.conf itself (a package update may overwrite it); put your overrides in jail.local. On CentOS 8 the EPEL fail2ban package also pulls in fail2ban-firewalld, which installs /etc/fail2ban/jail.d/00-firewalld.conf and sets banaction to firewallcmd-rich-rules; the jail.local below overrides that with iptables-multiport. Create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:
sudo vi /etc/fail2ban/jail.local
Update/append as follows:

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
 
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3
 
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your 
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
 
# Ban with iptables. On CentOS 8 this overrides the firewalld default that
# the EPEL package sets in /etc/fail2ban/jail.d/00-firewalld.conf.
banaction = iptables-multiport
 
# Enable sshd protection
[sshd]
enabled = true

Save and exit the file. Next start the service, run:
sudo systemctl start fail2ban
sudo systemctl status fail2ban
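As an added example, not taken from the page or from the fail2ban project: a Python script that replays failed-password lines from /var/log/secure through the maxretry/findtime rule of the jail.local above, so you can see which addresses of the kind shown in the "Where to find failed ssh login attempts" section would be banned and how ignoreip exempts a host. The log lines are constructed for this example (same format as the page's output, with made-up addresses and users), the regex is a simplified form of the sshd filter, and the function names (parse_failures, failures_per_ip, simulate_bans) are this example's own.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in /var/log/secure format (same shape as the page's
# output; the addresses, users and times are made up for this example).
SAMPLE_LOG = """\
Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:17 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for invalid user admin from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for invalid user admin from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Accepted publickey for deploy from 10.0.0.5 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17220]: Failed password for deploy from 10.0.0.5 port 41090 ssh2
Sep 26 10:16:19 localhost sshd[17220]: Failed password for deploy from 10.0.0.5 port 41090 ssh2
Sep 26 10:16:21 localhost sshd[17220]: Failed password for deploy from 10.0.0.5 port 41090 ssh2
Sep 26 10:30:01 localhost sshd[16101]: Failed password for invalid user admin from 222.186.52.89 port 58700 ssh2
"""

# Simplified form of the "Failed password" pattern in filter.d/sshd.conf;
# the real filter matches many more sshd messages than this one.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which
            # is fine for computing differences within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def failures_per_ip(log_text):
    """Total failed-password lines per source IP (what grep|sort|uniq -c shows)."""
    return Counter(ip for _ts, _user, ip in parse_failures(log_text))


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR block in the ignoreip list."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def simulate_bans(log_text, maxretry=3, findtime=600,
                  ignoreip=("127.0.0.1/8", "::1")):
    """Replay the log through the jail rule: an IP is banned once it produces
    maxretry failures inside any findtime-second window, unless it matches
    ignoreip. Returns {ip: timestamp of the failure that triggered the ban}."""
    recent = {}   # ip -> failure timestamps still inside the window
    banned = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("failures per IP:", dict(failures_per_ip(SAMPLE_LOG)))
    for ip, when in simulate_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    # Exempting the admin network keeps 10.0.0.5 out of the ban list.
    print("with ignoreip 10.0.0.0/8:",
          sorted(simulate_bans(SAMPLE_LOG, ignoreip=("127.0.0.1/8", "::1", "10.0.0.0/8"))))
```

Two things the replay makes visible: 222.186.52.89 produces three failures in total but only two inside any 600-second window, so with findtime = 600 it is never banned (raise findtime to 3600 and it is), and a legitimate user fumbling a password from 10.0.0.5 is banned just like an attacker unless that network is listed in ignoreip.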


How do I start/stop/restart fail2ban service?

The syntax is as follows:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban

Finding the status of failed and banned IP addresses

Run the following two commands:
sudo fail2ban-client status
sudo fail2ban-client status sshd


Fail2ban filters

Change into /etc/fail2ban/filter.d to view all filters:
cd /etc/fail2ban/filter.d
ls

For example, show the Fail2Ban filter for OpenSSH with the cat command:
sudo cat /etc/fail2ban/filter.d/sshd.conf
OR
sudo vi /etc/fail2ban/filter.d/sshd.conf
Do not edit this file; a package update may overwrite it. To customize the filter, create /etc/fail2ban/filter.d/sshd.local containing only the settings you want to change. Jail settings for sshd (maxretry, bantime and so on) belong in the [sshd] section of /etc/fail2ban/jail.local or in a file under /etc/fail2ban/jail.d/ ending in .local, not in the filter. To check which lines of your log a filter actually matches, run the fail2ban-regex tool that ships with Fail2ban against the log and the filter name, e.g. fail2ban-regex /var/log/secure sshd.

Getting more information about banned IP addresses and log files

Fail2ban writes its own bans and unbans to /var/log/fail2ban.log. Follow that log, search it for a specific address, and list the iptables chain that the iptables-multiport action creates for the sshd jail (f2b-sshd):
sudo tail -f /var/log/fail2ban.log
sudo grep 'IP-address' /var/log/fail2ban.log
sudo iptables -L -n -v
sudo iptables -L f2b-sshd -n -v
sudo iptables -S | grep f2b-sshd
If you left banaction at the firewalld default instead of setting iptables-multiport, there is no f2b-sshd chain; the bans appear as firewalld rich rules.

Conclusion

You just learned how to protect an ssh server from brute-force attacks by installing and configuring the Fail2ban service on a CentOS 8 Linux server. Fail2ban has many more options and commands, so please check the official documentation.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.
