How to Protect SSH with Fail2Ban on CentOS 6
Follow these steps to install and configure Fail2Ban to protect your SSH service on CentOS 6:
Step 1: Install Fail2Ban
Fail2Ban is not available by default on CentOS, so you need to start by downloading the EPEL repository:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Next, install Fail2Ban using the following command:
yum install fail2ban
Step 2: Copy the Configuration File
The default Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. However, you should not edit this file directly, because a package update will overwrite it. Instead, make a local copy:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After copying the file, you can make all of your changes in the jail.local file. Many services that may need protection are already listed in the file, each configured in its own section and turned off by default.
Step 3: Configure Defaults in jail.local
Open the jail.local file using a text editor:
vi /etc/fail2ban/jail.local
The first section of the file contains the default settings for Fail2Ban. Below is an example of the default section and how to customize it:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host.
# Fail2Ban will not ban a host which matches an address in this list.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# "findtime" is the number of seconds during which "maxretry" failures are allowed.
findtime = 600
# "maxretry" is the number of failures before a host is banned.
maxretry = 3
Here’s what each setting means:
- ignoreip: Add your personal IP address here to whitelist it. This ensures you are not accidentally locked out of your server.
- bantime: The duration (in seconds) a host is banned. Default is 1 hour (3600 seconds).
- findtime: The time period in seconds during which the failed login attempts are tracked. Default is 10 minutes (600 seconds).
- maxretry: The maximum number of failed login attempts before a host is banned. Default is 3.
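To make the interplay of ignoreip, bantime, findtime and maxretry concrete, here is an added Python example (not part of the original article, and not Fail2Ban's own code) that applies the same sliding-window rule to a few constructed /var/log/secure lines. The failregex is a simplified stand-in for the one in filter.d/sshd.conf, and all sample lines are assumed to fall on the same day.

```python
import re
from collections import defaultdict, deque

# Constructed sample of /var/log/secure lines (documentation addresses, not a real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:02:00 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:04:30 host sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:10 host sshd[2104]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:20:00 host sshd[2105]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:40:00 host sshd[2106]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:00 host sshd[2107]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar  3 10:01:05 host sshd[2108]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar  3 10:01:10 host sshd[2109]: Failed password for root from 127.0.0.1 port 33002 ssh2
"""

# Simplified stand-in for the sshd failregex; the real filter.d/sshd.conf covers more cases.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def to_seconds(hhmmss):
    """Seconds since midnight; assumes every sample line is from the same day."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def find_bans(log_text, ignoreip=("127.0.0.1",), bantime=3600, findtime=600, maxretry=3):
    """Apply the jail.local [DEFAULT] rule: ban a host once it has maxretry failures
    inside a findtime-second window, unless it is listed in ignoreip.
    Returns {ip: (banned_at, unban_at)} in seconds since midnight."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((to_seconds(m.group("time")), m.group("ip")))
    events.sort()  # the daemon sees the log in time order
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for ts, ip in events:
        if ip in ignoreip or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + bantime)  # the ban lifts after bantime seconds
    return bans
```

With the defaults above, 203.0.113.5 is banned at its third failure while 198.51.100.7 never is, because its three failures are spread over more than findtime; widening findtime to 3600 bans it too, and dropping 127.0.0.1 from ignoreip would lock out the local host.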
Step 4 (Optional): Configure SSH Protection
To configure SSH protection, look for the [ssh-iptables] section in the jail.local file. This section should be enabled by default. Here's how it looks:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, [email protected]]
logpath = /var/log/secure
maxretry = 5
Explanation of each entry:
- enabled: This enables SSH protection. To disable, set it to false.
- filter: Defines the filter file to be used. sshd refers to the /etc/fail2ban/filter.d/sshd.conf file.
- action: The action that Fail2Ban will take when an IP is banned. iptables blocks the IP, and sendmail-whois sends an email notification (if you have a mail server set up).
- logpath: The path to the log file that Fail2Ban will monitor for failed login attempts. By default, this is /var/log/secure.
- maxretry: The maximum number of failed login attempts before the IP gets banned. Default is 5.
If you're using a non-standard SSH port, change the port in the action line. For example, if your SSH port is 30000, modify the line like so:
action = iptables[name=SSH, port=30000, protocol=tcp]
Step 5: Restart Fail2Ban
After making changes to the configuration, restart the Fail2Ban service to apply the changes:
sudo service fail2ban restart
Step 6: Verify Fail2Ban Rules
You can check the active Fail2Ban rules in iptables with the following command:
iptables -L