How To Protect SSH With Fail2Ban on CentOS 8

Author: Vivek Gite Last updated: January 7, 2021 4 comments
My ssh log file shows too many password failures. Random IP address trying to brute force my sshd server running on CentOS 8 server. How do I protect ssh with fail2ban on CentOS 8 Linux server? How do I install Fail2Ban on CentOS 8?

Typically SSH TCP port 22 exposed to everyone on the Internet. As a result, many bots and attackers try random passwords/users to login into your server. OpenSSH server and the client itself is pretty secure, but like everything else, it can be cracked with brute-force attacks. Here is a sample message from my server:

You can protect your ssh and other services using Fail2ban security application that bans IP address after several unsuccessful ssh login attempts. This page shows how to install and configure Fail2ban on a CentOS 8 Linux server.

How to install Fail2Ban on CentOS 8

The procedure to set up and configure Fail2ban to secure your server is as follows:

  1. Log in to your CentOS 8 server using ssh
  2. Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
  3. Install Fail2Ban, run: sudo yum install fail2ban
  4. Configure Fail2ban
  5. Enable and start Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Let us see all commands and options in details.

Where to find failed ssh login attempts

See /var/log/secure using the grep command/egrep command or cat command/tail command/less command/more command:
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure
Sample outputs:

Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2
Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2
Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2
Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2
Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2
Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2

Protect SSH With Fail2Ban on CentOS 8

First enable and install EPEL Repo on CentOS 8, run:
sudo yum update
sudo yum install epel-release
sudo yum update

Install Fail2ban on CentOS 8

Since you enabled ELEP repo, we can install Fail2ban as follows using the yum command:
sudo yum install fail2ban

It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:
sudo systemctl enable fail2ban
Sample outputs:

Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service ? /usr/lib/systemd/system/fail2ban.service.

Configure Fail2ban settings

The /etc/fail2ban/jail.local file overrides defaults set in /etc/fail2ban/jail.conf file. Therefore, create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:
sudo vi /etc/fail2ban/jail.local
Update/append as follows:

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
 
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3
 
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your 
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
 
# Call iptables to ban IP address
banaction = iptables-multiport
 
# Enable sshd protection
[sshd]
enabled = true

Save and exit the file. Next start the service, run:
sudo systemctl start fail2ban
sudo systemctl status fail2ban

How do I start/stop/restart fail2ban service?

The syntax is as follows:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban

Finding status of failed and banned IP address

Run the following two commands:
sudo fail2ban-client status
sudo fail2ban-client status sshd

Read log file that contains password failure report and show current status

Fail2ban filters

Cd into /etc/fail2ban/filter.d and you can view all filters:
cd /etc/fail2ban/filter.d
ls
For example, show Fail2Ban filter for openssh, run cat command:
sudo cat /etc/fail2ban/filter.d/sshd.conf
OR
sudo vi /etc/fail2ban/filter.d/sshd.conf
Do not edit this file. For customization create a file named /etc/fail2ban/jail.d/sshd.conf.local.

Getting more information about banned IP address and log files

Execute the following commands:
tail -f /var/log/fail2ban.log
grep IP-address /var/log/fail2ban.log
sudo iptables -L -n -v
sudo iptables -L f2b-sshd -n -v
sudo iptables -S | f2b-sshd

Other suggestions

Conclusion

You just learned how to protect ssh server from brute force attacks by installing and configuring Fail2ban service on CentOS 8 Linux server. Fail2ban has many more options and commands hence I request you to check the official documentation wiki page.


🐧 Please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
Related Tutorials
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • Paul C Nov 4, 2020 @ 0:59

    Thank you for this information. Following this clearly written article it only took 5 minutes to get fail2ban up and running and blocking login attempts.

    Thanks!

    Reply Link
  • Amurpo Dec 11, 2020 @ 14:27

    Thanks alot

    Reply Link
  • kurac Jan 7, 2021 @ 8:57

    Thanks for this tutorial.
    In addition, if you want to check the currently installed versions of fail2ban, you can execute the following commands:

    fail2ban-server --version
    fail2ban-client --version

    This might be helpful to someone.

    Reply Link

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz

Next FAQ:

Previous FAQ:

🔎 Search this site

FEATURED ARTICLES

Sign up for my newsletter