How To Protect SSH - Fail2ban
Fail2ban is a very useful application if you are managing the security of a server, or running your own VPS or physical server. Fail2ban scans the log files created on the system and can ban IPs it finds malicious, based on configured rules. We can use it to monitor the logs of various system services, such as Apache and SSH, and block the IPs that are trying to breach the system's security.
CentOS 7
Ensure your system is up to date and install the EPEL repository, then install Fail2ban:
yum update && yum install epel-release
yum install fail2ban
Install Sendmail if you would additionally like email support. Sendmail is not required to use Fail2ban:
yum install sendmail
Start and enable Fail2ban and, if needed, Sendmail:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail
NOTE: Should you encounter the error that there is "no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock", create the directory manually: `mkdir /var/run/fail2ban`
Debian / Ubuntu
Ensure your system is up to date:
apt-get update && apt-get upgrade -y
Install Fail2ban:
apt-get install fail2ban
The service will automatically start. If you would like email support, install Sendmail:
apt-get install sendmail-bin sendmail
Configuring Fail2ban
Fail2ban reads its configuration files so that all .conf files are read first and .local files override any settings they repeat. Because of this, changes to the configuration are generally made in .local files, leaving the .conf files untouched. The file fail2ban.conf contains the default configuration profile. The default settings give you a sane and working setup, so this is the best place to start. If you want to make any changes, do them in a separate file, fail2ban.local, which overrides fail2ban.conf. Make a copy of fail2ban.conf named fail2ban.local, and do the same for jail.conf:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
If using CentOS or Fedora, you will need to change the backend option in jail.local from auto to systemd. This is not necessary on Debian 8 or Ubuntu 16.04, even though both use systemd as well.
File excerpt: /etc/fail2ban/jail.local
~~~ conf
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
. . .
backend = systemd
~~~
No jails are enabled by default in CentOS 7. For example, to enable the SSH daemon jail, uncomment the following lines in jail.local:
File excerpt: /etc/fail2ban/jail.local
~~~ conf
[sshd]
enabled = true
~~~
IP Whitelisting
Add any IPs to the ignoreip line that you wish Fail2ban to ignore. By default, this setting keeps the localhost from ever being banned. If you often work from a single IP address, it may be beneficial to add it to the ignore list:
File excerpt: /etc/fail2ban/jail.local
~~~ conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 123.45.67.89
~~~
If you wish to whitelist IPs only for certain jails, this can be done with the fail2ban-client command. Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist:
fail2ban-client set JAIL addignoreip 123.45.67.89
Ban Time and Retry Amount
The bantime, findtime, and maxretry values then need to be set. These define the circumstances under which a host is banned and how long the ban lasts.
File excerpt: /etc/fail2ban/jail.local
~~~ conf
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
~~~
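To make concrete how bantime, findtime, maxretry and ignoreip interact, here is an added Python example (not Fail2ban's own code) that replays constructed auth.log-style lines through the same sliding-window logic: a host that produces maxretry failures within findtime seconds is banned for bantime seconds, failures older than findtime drop out of the count, hosts listed in ignoreip are never banned, and a ban lapses once bantime has passed. The regex is a simplified stand-in for the sshd filter, the log lines and addresses are constructed, and the year assumed for the year-less syslog timestamps is an assumption.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the jail.local excerpts above (all in seconds).
BANTIME = 600
FINDTIME = 600
MAXRETRY = 3
IGNOREIP = ["127.0.0.1/8", "123.45.67.89"]

# Simplified stand-in for the sshd filter's failregex (assumption: the real
# filter.d/sshd.conf matches many more message variants than this one).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def is_ignored(ip, ignore_list=IGNOREIP):
    """True if ip falls inside any ignoreip entry (plain address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignore_list)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BanTracker:
    """Sliding-window ban logic: maxretry failures within findtime => ban for bantime."""

    def __init__(self, bantime=BANTIME, findtime=FINDTIME,
                 maxretry=MAXRETRY, ignoreip=IGNOREIP):
        self.bantime = timedelta(seconds=bantime)
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.ignoreip = ignoreip
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> time the ban expires

    def feed(self, line):
        """Process one log line; return the action taken, or None if it matched nothing."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in self.banned_until:
            if now < self.banned_until[ip]:
                return "already-banned"
            del self.banned_until[ip]        # bantime elapsed: host is unbanned
        if is_ignored(ip, self.ignoreip):
            return "ignored"
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return "ban"
        return "fail"


def simulate(lines, **settings):
    """Run lines through a tracker; return per-line actions and the still-banned IPs."""
    tracker = BanTracker(**settings)
    actions = [tracker.feed(line) for line in lines]
    return actions, sorted(tracker.banned_until)


# Constructed sample of /var/log/auth.log style lines (not real traffic).
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Mar  3 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "Mar  3 10:00:20 host sshd[1205]: Accepted password for alice from 198.51.100.7 port 52000 ssh2",
    "Mar  3 10:01:00 host sshd[1206]: Failed password for root from 123.45.67.89 port 53000 ssh2",
    "Mar  3 10:01:05 host sshd[1207]: Failed password for root from 123.45.67.89 port 53001 ssh2",
    "Mar  3 10:01:10 host sshd[1208]: Failed password for root from 123.45.67.89 port 53002 ssh2",
    "Mar  3 10:02:00 host sshd[1209]: Failed password for root from 198.51.100.7 port 52001 ssh2",
    "Mar  3 10:11:00 host sshd[1210]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Mar  3 10:13:00 host sshd[1211]: Failed password for root from 198.51.100.7 port 52002 ssh2",
    "Mar  3 10:14:00 host sshd[1212]: Failed password for root from 198.51.100.7 port 52003 ssh2",
    "Mar  3 10:15:00 host sshd[1213]: Failed password for root from 198.51.100.7 port 52004 ssh2",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, simulate(SAMPLE_LOG)[0]):
        print(f"{str(action):15} {line[:60]}")
```

Walking the sample through: 203.0.113.5 is banned on its third failure, its fourth line is reported as already banned, and its failure at 10:11 counts as a fresh first attempt because the 600-second ban has lapsed. 123.45.67.89 is never banned because it is in ignoreip. 198.51.100.7 fails once at 10:02 and again at 10:13, but by then the first failure is older than findtime and is discarded, so the ban only arrives at 10:15; widening findtime to 900 seconds keeps the 10:02 failure in the window and moves the ban one line earlier. The same reasoning is how you tune these three values for a real jail.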
Jail Configuration
Beyond the basic settings addressed above, jail.local also contains jail configurations for a number of common services, including SSH. By default, only SSH is enabled. An average jail configuration will resemble the following:
File excerpt: /etc/fail2ban/jail.local
~~~ conf
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
~~~
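The .conf/.local layering and the [DEFAULT] inheritance used throughout jail.local can be demonstrated with Python's configparser, which reads the same INI layout. This is an added example, not Fail2ban's own configuration reader, and the two file contents are constructed, trimmed excerpts rather than the real files. It shows that a .local file only needs the keys it changes, that a key set inside a jail section wins over the same key in [DEFAULT], and what happens when the section name in .local does not match the jail name in .conf: a second jail is created instead of the intended one being overridden, so the intended jail stays disabled.

```python
import configparser

# Constructed, heavily trimmed stand-ins for the distribution's jail.conf and
# an administrator's jail.local; the real files are much longer.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[sshd]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
"""

JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89
bantime = 3600
backend = systemd

[sshd]
enabled = true
"""

# A .local whose section name does not match the jail in the .conf it was
# meant to override; constructed to show the resulting behaviour.
JAIL_LOCAL_MISNAMED = """\
[ssh]
enabled = true
"""


def load_layered(*texts):
    """Read INI texts in order. Later files override earlier ones key by key, and
    [DEFAULT] keys apply to every jail unless the jail sets the key itself."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cp.read_string(text)
    return cp


def effective_jail(cp, jail):
    """Resolved settings of one jail (its own keys merged over [DEFAULT]), or None."""
    if not cp.has_section(jail):
        return None
    return dict(cp.items(jail))


def enabled_jails(cp):
    """Names of jails whose resolved 'enabled' value is true."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


if __name__ == "__main__":
    cp = load_layered(JAIL_CONF, JAIL_LOCAL)
    for key, value in sorted(effective_jail(cp, "sshd").items()):
        print(f"{key:10} = {value}")
    print("enabled jails:", enabled_jails(cp))
```

With both files loaded, the sshd jail ends up with bantime 3600 and backend systemd from the .local [DEFAULT], maxretry 6 from its own section in the .conf (beating the [DEFAULT] value of 5), and logpath untouched from the .conf. Loading the misnamed .local instead yields an enabled jail called ssh that has no filter or logpath of its own, while sshd remains disabled, which is why the section name in your .local must match the one your version of jail.conf uses. Fail2ban's real reader additionally expands %(name)s references and also reads jail.d/*.conf and jail.d/*.local, so on a live system check the result with `fail2ban-client -d`, which dumps the effective configuration.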
If you change the configuration, restart the fail2ban service :) For additional information about fail2ban-client commands, see the Fail2ban wiki.