Typically SSH TCP port 22 exposed to everyone on the Internet. As a result, many bots and attackers try random passwords/users to login into your server. OpenSSH server and the client itself is pretty secure, but like everything else, it can be cracked with brute-force attacks. Here is a sample message from my server:
You can protect your ssh and other services using Fail2ban security application that bans IP address after several unsuccessful ssh login attempts. This page shows how to install and configure Fail2ban on a CentOS 8 Linux server.
How to install Fail2Ban on CentOS 8
The procedure to set up and configure Fail2ban to secure your server is as follows:
- Log in to your CentOS 8 server using ssh
- Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
- Install Fail2Ban, run: sudo yum install fail2ban
- Configure Fail2ban
- Enable and start Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban
Let us see all commands and options in details.
Where to find failed ssh login attempts
See /var/log/secure using the grep command/egrep command or cat command/tail command/less command/more command:
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure
Sample outputs:
Sep 26 10:08:10 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2 Sep 26 10:08:13 localhost sshd[16031]: Failed password for root from 49.88.112.90 port 15595 ssh2 Sep 26 10:13:19 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2 Sep 26 10:13:22 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2 Sep 26 10:13:26 localhost sshd[16039]: Failed password for root from 222.186.52.89 port 58696 ssh2 Sep 26 10:16:14 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2 Sep 26 10:16:16 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2 Sep 26 10:16:19 localhost sshd[17218]: Failed password for root from 49.88.112.80 port 41089 ssh2 Sep 26 10:19:14 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2 Sep 26 10:19:17 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2 Sep 26 10:19:19 localhost sshd[17226]: Failed password for root from 153.36.236.35 port 44787 ssh2 Sep 26 10:22:06 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2 Sep 26 10:22:08 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2 Sep 26 10:22:11 localhost sshd[17260]: Failed password for root from 222.186.30.165 port 22558 ssh2 |
Protect SSH With Fail2Ban on CentOS 8
First enable and install EPEL Repo on CentOS 8, run:
sudo yum update
sudo yum install epel-release
sudo yum update
Install Fail2ban on CentOS 8
Since you enabled ELEP repo, we can install Fail2ban as follows using the yum command:
sudo yum install fail2ban
It is time to use the systemctl command to enable the fail2ban protection service at boot time, run:
sudo systemctl enable fail2ban
Sample outputs:
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service ? /usr/lib/systemd/system/fail2ban.service.
Configure Fail2ban settings
The /etc/fail2ban/jail.local file overrides defaults set in /etc/fail2ban/jail.conf file. Therefore, create or edit the jail.local file using a text editor such as vi/vim or nano/emacs:
sudo vi /etc/fail2ban/jail.local
Update/append as follows:
[DEFAULT] # Ban IP/hosts for 24 hour ( 24h*3600s = 86400s): bantime = 86400 # An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds. findtime = 600 maxretry = 3 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses # can be defined using space (and/or comma) separator. For example, add your # static IP address that you always use for login such as 103.1.2.3 #ignoreip = 127.0.0.1/8 ::1 103.1.2.3 # Call iptables to ban IP address banaction = iptables-multiport # Enable sshd protection [sshd] enabled = true |
Save and exit the file. Next start the service, run:
sudo systemctl start fail2ban
sudo systemctl status fail2ban
How do I start/stop/restart fail2ban service?
The syntax is as follows:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
Finding status of failed and banned IP address
Run the following two commands:
sudo fail2ban-client status
sudo fail2ban-client status sshd
Fail2ban filters
Cd into /etc/fail2ban/filter.d and you can view all filters:
cd /etc/fail2ban/filter.d
ls
For example, show Fail2Ban filter for openssh, run cat command:
sudo cat /etc/fail2ban/filter.d/sshd.conf
OR
sudo vi /etc/fail2ban/filter.d/sshd.conf
Do not edit this file. For customization create a file named /etc/fail2ban/jail.d/sshd.conf.local.
Getting more information about banned IP address and log files
Execute the following commands:
tail -f /var/log/fail2ban.log
grep IP-address /var/log/fail2ban.log
sudo iptables -L -n -v
sudo iptables -L f2b-sshd -n -v
sudo iptables -S | f2b-sshd
Other suggestions
- Disable and deny root user login
- Disable ssh password based login on Linux to increase security
- Enable 2FA for ssh
- See all OpenSSH server best security tips and practices
Conclusion
You just learned how to protect ssh server from brute force attacks by installing and configuring Fail2ban service on CentOS 8 Linux server. Fail2ban has many more options and commands hence I request you to check the official documentation wiki page here.
1 comment
Need more help setting up Fail2ban on a CentOS 8 box? Try our forum thread.