I set up a CentOS 7 server recently that regrettably needs SSH open to the outside world. As I don’t dabble in CentOS that much, I thought I’d write out the instructions for myself and others to install fail2ban. It blocks people trying to brute-force your server with lots of different passwords and usernames. I had 2650 attempts this morning in 4 hours time, so it was time to get this done.
sudo yum install -y epel-release
As fail2ban is not part of the default CentOS repositories, you need to add the ‘Extra Packages for Enterprise Linux’ package, which automatically adds the extra repositories.
For some (CentOS) reason this can cause problems with yum. To test, run the following:
yum update
The following is partial output; just check for ‘404 – Not Found’, like:
https://nl.mirror.babylon.network/epel/7/x86_64/repodata/5fb9b68ae651689bab4b7e0add1152e3d2f4d03643eecb90e6bc856312d6a0a8-primary.sqlite.xz: [Errno 14] HTTPS Error 404 - Not Found
The fix is easy (I use nano, but vi, vim or any other editor works of course):
nano /etc/yum.repos.d/epel.repo
Now uncomment the ‘baseurl’ lines by removing the # in front of them, and comment out the ‘mirrorlist’ lines by adding a # in front of them. Save and exit the editor. Running ‘yum update’ again should now no longer give errors.
yum install -y fail2ban
This will install the package. To configure it, run the following commands:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
This will copy the default configuration and open it for editing. At the beginning of this file add the following (you can also uncomment it, as the same is right at the beginning but commented out):
[DEFAULT]
bantime = 3600

[sshd]
enabled = true
You can change the default bantime of 3600 seconds (= 1 hour) to anything you like. Now look for a line like “ignoreip = 127.0.0.1/18” and change it to:
ignoreip = 127.0.0.1/18 myhost.myisp.nl
Replace ‘myhost.myisp.nl’ with the (external) IP address or hostname of the host you’d like to whitelist. This prevents you from being banned yourself in case you mistype your password a few times.
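As an added example (not from the original post), the script below writes the same jail.local settings described above and reads them back, so you can check the bantime and whitelist before restarting fail2ban. It defaults to a scratch directory so it never touches /etc/fail2ban; set TARGET_DIR=/etc/fail2ban on a real host. The function names, the 127.0.0.1/8 loopback entry (fail2ban’s own default) and the maxretry/findtime values are this example’s choices, not the post’s.

```shell
#!/bin/sh
# Added example: generate a minimal jail.local and verify its contents.
# TARGET_DIR is a hypothetical override; unset it runs in a temp directory.

write_jail_local() {
    # $1 = output file, $2 = bantime in seconds, $3 = extra ignoreip entries
    out="$1"; bantime="$2"; whitelist="$3"
    cat > "$out" <<EOF
[DEFAULT]
# seconds a banned address stays banned (3600 = 1 hour)
bantime = $bantime
# never ban loopback or the listed addresses/hostnames
ignoreip = 127.0.0.1/8 $whitelist
# three failures within findtime seconds get an address banned
maxretry = 3
findtime = 600

[sshd]
enabled = true
EOF
}

get_setting() {
    # $1 = file, $2 = section name (e.g. DEFAULT), $3 = key; prints the value
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

is_whitelisted() {
    # $1 = file, $2 = host or IP; returns 0 if it is listed in ignoreip
    for entry in $(get_setting "$1" DEFAULT ignoreip); do
        [ "$entry" = "$2" ] && return 0
    done
    return 1
}

demo_dir="${TARGET_DIR:-$(mktemp -d)}"
write_jail_local "$demo_dir/jail.local" 3600 "myhost.myisp.nl"
echo "bantime: $(get_setting "$demo_dir/jail.local" DEFAULT bantime)"
is_whitelisted "$demo_dir/jail.local" myhost.myisp.nl && echo "myhost.myisp.nl is whitelisted"
```

Run it once with the defaults to see the generated file in the temp directory; the is_whitelisted check is the one worth repeating whenever you change your own external address.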
Now that we’ve got the basic setup done, enable and start the service:
systemctl enable fail2ban
systemctl start fail2ban
Your system should now be actively blocking people brute-forcing your SSH service. To check the fail2ban status, run the following:
fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
To check the status of the sshd jail specifically, run (banned IP obfuscated on purpose):
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	21
|  `- File list:	/var/log/secure
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	120.24.*.*
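To see where those “Total failed” and “Banned IP list” numbers come from, here is an added example (not part of the original post) that replays the counting the sshd jail does over a few constructed /var/log/secure lines. The log lines and the maxretry threshold are made up for the example and use documentation addresses (192.0.2.0/24, 203.0.113.0/24); the real jail also applies findtime, which is ignored here.

```shell
#!/bin/sh
# Added example: count "Failed password" lines per source address, the way
# fail2ban's sshd filter does, and list which addresses would reach maxretry.
# SAMPLE_LOG is constructed for this example, not captured from a real host.

SAMPLE_LOG='Jan 10 08:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jan 10 08:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 10 08:00:05 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 41041 ssh2
Jan 10 08:00:09 host sshd[1004]: Failed password for bob from 192.0.2.20 port 50001 ssh2
Jan 10 08:00:12 host sshd[1005]: Accepted publickey for bob from 192.0.2.20 port 50001 ssh2
Jan 10 08:00:20 host sshd[1006]: Failed password for root from 203.0.113.7 port 41055 ssh2'

# failures_per_ip: print "<count> <ip>" for every address with at least one
# failed login, most failures first. Accepted logins are not counted.
failures_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# would_ban MAXRETRY: addresses whose failure count reached maxretry, i.e.
# what the sshd jail would add to its "Banned IP list".
would_ban() {
    failures_per_ip | awk -v max="$1" '$1 >= max {print $2}'
}

# total_failed mirrors the "Total failed" counter in fail2ban-client status.
total_failed() {
    failures_per_ip | awk '{s += $1} END {print s + 0}'
}

echo "Total failed: $(total_failed)"
echo "Would ban with maxretry=3:"
would_ban 3
```

With these lines, 203.0.113.7 accumulates four failures and is the only address that crosses a maxretry of 3; the single typo from 192.0.2.20 followed by a successful key login stays below the threshold, which is exactly the situation the ignoreip whitelist protects you from on your own host.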
As you can see, the service is merrily blocking attempts. There’s a lot more you can do with fail2ban besides blocking sshd attempts, or the few commands I’ve shown, but this should help you on your way. Good luck!