Most Linux servers offer an SSH login via port 22 for remote administration purposes. While connecting to your server through SSH can be very secure, the SSH daemon itself is a service that must be exposed to the Internet to function properly. This comes with some inherent risk and offers a vector of attack for would-be assailants.
Any service that is exposed to the network is a potential target in this way. If you pay attention to application logs for these services, you will often see repeated, systematic login attempts that represent brute-force attacks by users and bots alike.
The most common solution to prevent this kind of attacks is using key-based SSH authentication. The other is move the port to some random high-port. But how if you still need to use password-based SSH authentication on port 22?
A service called Fail2ban can mitigate this problem by creating rules that automatically alter your iptables firewall configuration based on a predefined number of unsuccessful login attempts. This will allow your server to respond to illegitimate access attempts without intervention from you.
In this guide, we'll cover how to install and use Fail2ban on a CentOS 7 server.
Install Fail2ban on CentOS 7
While Fail2ban is not available in the official CentOS package repository, it is packaged for the EPEL project. EPEL, standing for Extra Packages for Enterprise Linux, can be installed with a release package that is available from CentOS:
$ sudo yum install epel-release
It will ask you to proceed with installation.
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Next step is to install the fail2ban:
$ sudo yum install fail2ban
Again, press 'y' and Enter when asked to continue with installation.
Install 1 Package (+12 Dependent packages)
Total download size: 1.5 M
Installed size: 5.4 M
Is this ok [y/d/N]: y
Please note that you might be asked to proceed with importing new GPG key like so:
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <firstname.lastname@example.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
No worries, just press 'y' and Enter. Once the installation has finished, use systemctl to enable the fail2ban service:
$ sudo systemctl enable fail2ban
If you're familiar with CentOS 6, the equivalent command is:
$ sudo chkconfig fail2ban on
Configure SSH Jail
The Fail2ban service keeps its configuration files in the
/etc/fail2ban directory. There, you can find a file with default values called
jail.conf. Since this file may be overwritten by package upgrades, we shouldn't edit it in-place. Instead, we'll write a new file called
sshd.conf under directory
Let's begin by writing a very simple version of
sshd.conf. Open a new file using
vi (or your editor of choice):
$ sudo vi /etc/fail2ban/jail.d/sshd.conf
Paste the following code:
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 3
bantime = 31536000 # One year
Exit and save the new file (in vi/vim, press
Esc to enter command mode, and then continue with
:wq). Now we can restart the
fail2ban service using
$ sudo systemctl start fail2ban
systemctl command should finish without any output. In order to check that the service is running, we can use
$ sudo fail2ban-client status
|- Number of jail: 1
`- Jail list: sshd
I hope that you now know how to install fail2ban on CentOS 7. If you run into any issues or have any feedback feel free to drop a comment below.