Install and Configure fail2ban
fail2ban is a software package that utilizes regular expressions, analyzing service log files and dynamically altering the firewall. We’ll install the necessary software and implement a jail for the sshd service, e-mailing a user each time an IP is banned.
If you opted to change your SSH default port previously, you won’t see much action by this jail implementation. As such, I’m going to temporarily alter my SSH configuration and run the SSH service on port 22 (the default). The reason I’m doing this is to illustrate how much your server will be under attack. Once you’ve gotten tired of seeing the e-mail messages created by blocked IP addresses, you’ll most likely consider changing the SSH service port from the default port 22 to a non-standard port.
- Reverting to standard SSH port
- Place SSH service back to port 22:
[newuser@mail ~]$ sudo nano /etc/ssh/sshd_config
Insert a comment (“#”) in front of the alternate “Port portnumber” line, and remove the comment (“#”) from the “Port 22” line. Save your changes and exit nano.
- Add port 22 rule to firewall:
[newuser@mail ~]$ sudo firewall-cmd --add-service=ssh
The previous step opens port 22 for the currently loaded ruleset. The next step adds port 22 to the ruleset that will get loaded upon a reboot (or restart or reload).
[newuser@mail ~]$ sudo firewall-cmd --permanent --add-service=ssh
- Restart the SSH service
[newuser@mail ~]$ sudo systemctl restart sshd
- Issue a temporary (bantime) block on the firewall for the offending IP
- Perform a whois lookup on the offending IP and send an informative e-mail from and to specified e-mail addresses
Now that we’ve reverted our SSH service back to port 22, attempt to connect via SSH on port 22 – just to be safe before we log out of our alternate port SSH session.
Once we’re back into an SSH shell on the standard port, let’s start by installing the fail2ban packages:
[newuser@mail ~]$ sudo yum install fail2ban
Once installed, we’ll need to start by creating a copy of the configuration file. We’ll edit this copy, ensuring any changes we make aren’t overwritten by a package update.
[newuser@mail ~]$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local [newuser@mail ~]$ sudo nano /etc/fail2ban/jail.local
In this file, we’ll specify a number of values – including how many failed attempts within what time frame will result in a ban of how long for which service… I got really fed up with the number of brute-force hack attempts against the SSH service that I changed the initial 10 minute ban period to 1 year. Five failed SSH log-in attempts within a ten-minute period will result in your IP being banned for a year.
Locate the line that begins “bantime = 600” and change the 600 (ban duration in seconds) to whatever value you like. I chose 31,536,000 (60 seconds x 60 minutes x 24 hours x 365 days = 31,536,000 seconds/year).
Locate the line that begins “findtime = 600” and change the 600 (duration during which exceeding maxretry yields a ban) to whatever value you like. I left the default “600” value.
Locate the line that begins “maxretry = 5” and change the 5 (number of failed attempts within findtime to trigger a ban) to whatever value you like. I left the default “5” value.
Next, locate the JAILS section by searching for the text “[sshd]”. I opted to create my own jail, adding it just beneath the disabled entry for [ssh]:
... [sshd] port = ssh logpath = %(sshd_log)s [ssh-firewallcmd] enabled = true filter = sshd action = firewallcmd-new[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, email@example.com, firstname.lastname@example.org] logpath = /var/log/secure maxretry = 5 [sshd-ddos] ...
I started by defining my jail name as “ssh-firewallcmd”. I wanted to name it something that was indicative not only of the service it was protecting, but the action it was taking as well. I specified that the jail was active (“enabled = true”) and that it should use the regular expressions defined for the SSH service (“filter = sshd”) when analyzing the sshd log (“logpath = /var/log/secure”). Since I don’t specify findtime or bantime values explicitly in this jail, the default values previously assigned will be used.
Therefore, in this example, fail2ban is told to scan /var/log/secure for text matching regular expressions defined in the sshd filter (see /etc/fail2ban/filter.d/sshd.conf). If (maxretry) 5 matches are found within (global definition findtime) 10 minutes, then the actions defined in the “action =” lines above will be executed.
In this example we’re executing two actions:
Exit nano, saving your changes. Finally, restart the fail2ban service:
[newuser@mail ~]$ sudo systemctl restart fail2ban
At this point we’ve installed fail2ban and configured a jail for SSH. Now anytime a user breaches the maxretry value in failed SSH log-in attempts, their IP address will be blocked from accessing port 22 for a year (or until the firewall rules are reloaded, as the ban is not made permanently.) The offending IP will not even be presented a log-in prompt on port 22 until the firewall rule expires or the firewall rules are reloaded.
On to the conclusion!