Introduction to Fail2Ban
By default, an SSH client connects to port 22. Because this is a well-known port, the default configuration is exposed to brute-force password guessing. Fail2Ban offers a solution that protects a server from this type of attack automatically: it runs in the background, watches log files for failed access attempts and, when it detects an IP address attacking the server, uses iptables to ban the attacking host.
Let’s install Fail2Ban using the EPEL repository –
yum install epel-release
yum install fail2ban
Adjust the values in the [DEFAULT] section to your requirements.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
ignoreip: Don’t ban hosts which match an address in this list. Several addresses can be defined, separated by spaces. Add your own IP address to this line.
bantime: The number of seconds that a host is banned.
findtime: A host is banned if it has generated maxretry failures during the last findtime seconds.
maxretry: The number of failures before a host gets banned.
Configuring Fail2Ban to protect SSH
Create a local configuration file.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
Copy the lines below and paste them into the “Jail” section of /etc/fail2ban/jail.local.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=root, email@example.com]
logpath  = /var/log/secure
maxretry = 5
enabled: Activates the protection. To turn it off, change the value to false.
filter: By default, it is set to sshd, which refers to the filter definition of that name shipped with Fail2Ban.
action: Fail2Ban will ban the IP that matches the filter, using the iptables action defined in /etc/fail2ban/action.d/iptables.conf. If you changed the SSH port earlier, change port=ssh to the new port, for example port=2222. If you are using port 22, you do not need to change the value.
logpath: The path of the log file used by Fail2Ban.
maxretry: The maximum number of failed login attempts allowed before the host is banned.
Starting Fail2Ban service
Enable Fail2Ban on reboot and start the service:
chkconfig --level 23 fail2ban on
service fail2ban start
Check iptables for the rules added by Fail2Ban by listing the rules (iptables -L). The result will look similar to this output.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  anywhere             anywhere            tcp dpt:EtherNet/IP-1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
How to track failed login attempts
You can use this command to check if your server has had failed login attempts (possible attacks).
grep 'Failed password' /var/log/secure
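The grep above only lists raw failures. The script below, added here as an example and not part of the original tutorial, applies the same findtime/maxretry rule described in the [DEFAULT] section to a constructed sample of /var/log/secure lines, so you can see which addresses Fail2Ban would have banned and how changing findtime alters the result. The function name find_offenders, the SAMPLE_LOG variable and the log lines themselves are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (not captured from a real server).
# Only "Failed password" lines count; the "Accepted publickey" line is ignored.
SAMPLE_LOG='Mar 10 13:45:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 13:45:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 13:45:09 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 10 13:46:00 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar 10 13:50:12 web1 sshd[2120]: Failed password for root from 198.51.100.7 port 51010 ssh2
Mar 10 14:30:12 web1 sshd[2125]: Failed password for root from 198.51.100.7 port 51012 ssh2
Mar 10 15:10:12 web1 sshd[2130]: Failed password for root from 198.51.100.7 port 51014 ssh2'

# find_offenders FINDTIME MAXRETRY: read log lines on stdin and print each source
# address that produced MAXRETRY or more failures inside a trailing FINDTIME-second
# window, in the order the ban would have been triggered. This mirrors the
# findtime/maxretry rule from the [DEFAULT] section of jail.conf.
find_offenders() {
    awk -v findtime="$1" -v maxretry="$2" '
        /Failed password/ {
            # Timestamp fields: $1 month name, $2 day, $3 HH:MM:SS. Convert them
            # to a monotonic second count (approximate across month boundaries,
            # which is fine for a window of minutes; the sample stays in March).
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
            split($3, t, ":")
            ts = ((m * 31 + $2) * 86400) + (t[1] * 3600) + (t[2] * 60) + t[3]

            # The source address is the word after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)

            n[ip]++
            stamp[ip, n[ip]] = ts

            # Count failures from this address inside the trailing window.
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - stamp[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    '
}

# Usage with the constructed sample. On a live server run:
#   grep "Failed password" /var/log/secure | find_offenders 600 3
printf '%s\n' "$SAMPLE_LOG" | find_offenders 600 3
```

With findtime=600 and maxretry=3 only 203.0.113.5 is reported, because its three failures arrive within eight seconds; 198.51.100.7 also fails three times but spreads them over 80 minutes, so it is reported only when findtime is raised to cover that span (for example 7200). Slow, spaced-out guessing is the reason findtime and maxretry have to be tuned together rather than in isolation.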
To view which IPs have been banned, use the following command.
iptables -L -n
To delete an IP address from the banned list, run the following command, replacing banned_ip with the IP that you want to unban.
iptables -D f2b-SSH -s banned_ip -j DROP
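The full iptables -L -n listing is long and hand-picking addresses from it is error-prone, so the following helpers, added here as an example and not part of the original tutorial, extract the banned sources from the f2b-SSH chain and check whether a given address is actually banned before you issue the iptables -D command above. The function names banned_ips and is_banned, the SAMPLE_IPTABLES variable and its contents are assumptions constructed for this example; the DROP target matches the unban command on this page, and REJECT is accepted as well because newer Fail2Ban releases use it by default.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -n` output with two banned addresses in the
# f2b-SSH chain (not captured from a real server). Fail2Ban's iptables action
# inserts one rule per banned source ahead of the final RETURN.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-SSH (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# banned_ips CHAIN: read `iptables -L -n` output on stdin and print the source
# address of every DROP or REJECT rule in CHAIN, one per line.
banned_ips() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }   # track which chain we are in
        inchain && ($1 == "DROP" || $1 == "REJECT") { print $4 }
    '
}

# is_banned IP CHAIN: exit 0 if IP has a ban rule in CHAIN, 1 otherwise.
# Reads the listing from stdin so it works on real output or on the sample above.
is_banned() {
    banned_ips "$2" | grep -qxF -- "$1"
}

# Usage with the constructed sample; on a live server feed it `iptables -L -n`.
# Unban only after confirming the rule exists, for example:
#   iptables -L -n | is_banned 203.0.113.5 f2b-SSH && iptables -D f2b-SSH -s 203.0.113.5 -j DROP
printf '%s\n' "$SAMPLE_IPTABLES" | banned_ips f2b-SSH
```

Checking with is_banned first avoids iptables -D failing on a rule that does not exist (for example after bantime has already expired) and, more importantly, avoids deleting a rule from the wrong chain when several jails are active.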