How To Protect SSH With Fail2Ban on CentOS 8

My ssh log file shows too many password failures. Random IP addresses are trying to brute-force my sshd server running on a CentOS 8 server. How do I protect ssh with fail2ban on a CentOS 8 Linux server? How do I install Fail2Ban on CentOS 8?

Tutorial details
  Difficulty level: Easy
  Root privileges: Yes
  Requirements: Linux terminal
  Category: Firewall
  OS compatibility: AlmaLinux, CentOS, Fedora, RHEL, Rocky, Stream
  Est. reading time: 4 minutes

Typically, SSH TCP port 22 is exposed to everyone on the Internet. As a result, many bots and attackers try random passwords and user names to log in to your server. The OpenSSH server and client are pretty secure, but like everything else, they can be cracked with brute-force attacks.

You can protect your ssh and other services using the Fail2ban security application, which bans an IP address after several unsuccessful ssh login attempts. This page shows how to install and configure Fail2ban on a CentOS 8 Linux server.

WARNING! Updates and releases for CentOS Linux 8 ceased on December 31, 2021. Consequently, you must upgrade from CentOS 8 to CentOS Stream 8. Otherwise, these instructions will not function as CentOS 8 has reached its end of life (EOL).

How to install Fail2Ban on CentOS 8

The procedure to set up and configure Fail2ban to secure your server is as follows:

  1. Log in to your CentOS 8 server using ssh
  2. Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
  3. Install Fail2Ban, run: sudo yum install fail2ban
  4. Configure Fail2ban
  5. Enable and start Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Let us see all commands and options in detail.

Where to find failed ssh login attempts

Search /var/log/secure using the grep/egrep, cat, tail, less, or more commands:
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure

Sample outputs:

Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2

Protect SSH With Fail2Ban on CentOS 8

First enable and install EPEL Repo on CentOS 8, run:
sudo yum update
sudo yum install epel-release
sudo yum update

Install Fail2ban on CentOS 8

Now that the EPEL repo is enabled, install Fail2ban using the yum command:
sudo yum install fail2ban
It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:
sudo systemctl enable fail2ban
Sample outputs:

Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.

Configure Fail2ban settings

The /etc/fail2ban/jail.local file overrides defaults set in /etc/fail2ban/jail.conf file. Therefore, create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:
sudo vi /etc/fail2ban/jail.local
Update/append as follows:

[DEFAULT]
# Ban IP/hosts for 24 hours (24h*3600s = 86400s):
bantime = 86400

# An IP address/host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
maxretry = 3

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3

# Call iptables to ban IP address
banaction = iptables-multiport

# Enable sshd protection
[sshd]
enabled = true

Save and exit the file. Next start the service, run:
sudo systemctl start fail2ban
sudo systemctl status fail2ban
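
To see how findtime and maxretry from the jail.local above interact, the following Python sketch replays a few /var/log/secure lines through the same sliding-window rule. It is an added example, not code from this page or from Fail2ban: the log lines are constructed (documentation IP ranges), the regex covers only "Failed password" messages (a simplification of the real sshd filter), and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [DEFAULT] section of the jail.local shown above.
FINDTIME = timedelta(seconds=600)
MAXRETRY = 3

# Simplified matcher (assumption): only "Failed password" lines count as failures.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample in /var/log/secure format; not real log data.
SAMPLE_LOG = """\
Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 192.0.2.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 192.0.2.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 198.51.100.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for invalid user admin from 198.51.100.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 198.51.100.89 port 58696 ssh2
Sep 26 10:14:00 localhost sshd[16050]: Accepted password for alice from 203.0.113.5 port 50022 ssh2
Sep 26 10:20:30 localhost sshd[16077]: Failed password for root from 192.0.2.90 port 15601 ssh2
"""

def simulate_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, year=2019):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the findtime window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts, ip = m.groups()
        if ip in banned:
            continue  # already banned; later lines change nothing
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        # Forget failures older than findtime relative to the newest one.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = when
    return banned

if __name__ == "__main__":
    for ip, when in simulate_bans(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%b %d %H:%M:%S}")
```

With the page's settings only 198.51.100.89 is banned: 192.0.2.90 also fails three times, but its third attempt arrives more than 600 seconds after the first two, so the counter never reaches maxretry.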


How do I start/stop/restart fail2ban service?

The syntax is as follows:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban

Finding status of failed and banned IP address

Run the following two commands:
sudo fail2ban-client status
sudo fail2ban-client status sshd

[Figure: Read log file that contains password failure report and show current status]

Fail2ban filters

Change into the /etc/fail2ban/filter.d directory to view all filters:
cd /etc/fail2ban/filter.d
ls

For example, to show the Fail2Ban filter for OpenSSH, run the cat command:
sudo cat /etc/fail2ban/filter.d/sshd.conf
OR
sudo vi /etc/fail2ban/filter.d/sshd.conf
Do not edit this file. For customization create a file named /etc/fail2ban/jail.d/sshd.conf.local.

Getting more information about banned IP address and log files

Execute the following commands:
tail -f /var/log/fail2ban.log
grep IP-address /var/log/fail2ban.log
sudo iptables -L -n -v
sudo iptables -L f2b-sshd -n -v
sudo iptables -S | grep f2b-sshd

Conclusion

You just learned how to protect an ssh server from brute-force attacks by installing and configuring the Fail2ban service on a CentOS 8 Linux server. Fail2ban has many more options and commands, so I recommend checking the official documentation wiki page.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

9 comments
  • Paul C Nov 4, 2020 @ 0:59

    Thank you for this information. Following this clearly written article it only took 5 minutes to get fail2ban up and running and blocking login attempts.

    Thanks!

  • Amurpo Dec 11, 2020 @ 14:27

    Thanks a lot

  • kurac Jan 7, 2021 @ 8:57

    Thanks for this tutorial.
    In addition, if you want to check the currently installed versions of fail2ban, you can execute the following commands:

    fail2ban-server --version
    fail2ban-client --version

    This might be helpful to someone.

  • Dismas Feb 8, 2021 @ 3:04

    Hello,

    Is this tutorial using iptables and ip6tables, or nftables?

    I use nftables, not iptables / ip6tables anymore; would fail2ban still work? For info, I have disabled the iptables and ip6tables services in my CentOS 8.

    However, it appears that fail2ban is not blocking ssh.

    Thank you for the tuts, it would have been nice if you could add if you are using iptables or nftables.

    Best regards,
    Dismas

  • Wortig Feb 23, 2021 @ 21:25

    Very nice tutorial! Thank you! Keep up the good work :)

  • Jimee Mar 22, 2021 @ 14:33

    Thanks!

  • tony Jul 7, 2021 @ 15:50

    These instructions don’t work; the example jail.local config given here makes fail2ban fail to start.

  • Mikhail May 13, 2024 @ 11:00

    Was not able to follow this tutorial on CentOS 8. Got some errors with some policy library.

    But after update to CentOS 8 Stream – works fine

    So before following this tutorial, better to execute this one:

    https://www.cyberciti.biz/howto/upgrade-migrate-from-centos-8-to-centos-stream-conversion/
