Protect SSH From Brute-Force Attacks With Fail2Ban on CentOS / RHEL

Fail2Ban is an intrusion prevention framework that protects servers from brute-force attacks: it scans log files for repeated authentication failures and bans the offending source IP addresses, usually by inserting a firewall rule for a configurable time. In this tutorial we set up Fail2Ban on a CentOS 7 server to protect the SSH daemon. Let's follow the steps:

Table of Contents

  1. Install Fail2ban
  2. Enable & Run Fail2ban
  3. Configure Settings
  4. Add a Jail to Protect SSH
  5. Restart and Monitor Fail2ban
  6. Manually Ban & Unban IP

Step 1 : Install Fail2ban

The Fail2ban package is not in the official CentOS repositories; it is provided by the EPEL project, so we have to install the EPEL repository first.

Install EPEL repository:

sudo yum install epel-release

Now we can install the Fail2ban package:

sudo yum install fail2ban

Step 2 : Enable & Run Fail2ban

Enable the Fail2ban service so that it starts at boot:

sudo systemctl enable fail2ban

Now start the service:

sudo systemctl start fail2ban

Step 3 : Configure Settings

The packaged default configuration file is:

/etc/fail2ban/jail.conf

Fail2ban also reads overrides from these files, in this order (later files win):

/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.d/*.local

Do not edit jail.conf directly: it is owned by the package and may be overwritten on upgrades. Put your settings in jail.local instead, which overrides jail.conf. The simplest way to start is to copy the whole file (a jail.local containing only the values you change works just as well):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the jail.local using your favorite editor. I’m opening with nano.

sudo nano /etc/fail2ban/jail.local

You'll find many settings. Values in the [DEFAULT] section apply to every jail unless a jail overrides them. The most important ones are bantime (how long an IP stays banned), findtime (the window in which failures are counted) and maxretry (how many failures inside that window trigger a ban). Let's set the default ban time to one hour:

jail.local
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

[sshd]
enabled = false # we will add a separate config for sshd

Step 4 : Add a Jail to Protect SSH

We could put this configuration in jail.local as well, but it is cleaner to keep the SSH jail in its own file under /etc/fail2ban/jail.d/, which Fail2ban reads after jail.conf and jail.local.

Let’s create a jail file called sshd.local in /etc/fail2ban/jail.d directory.

sudo nano /etc/fail2ban/jail.d/sshd.local

Now paste this configuration:

sshd.local
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 3
bantime = 3600

A few notes on these values. port = ssh is resolved through /etc/services; if sshd listens on a non-standard port, put that port number here. logpath = /var/log/secure is where rsyslog writes sshd authentication messages on CentOS 7. action = iptables-multiport inserts raw iptables rules; if firewalld manages the host firewall (the CentOS 7 default), prefer action = firewallcmd-ipset so that bans are applied through firewalld and are not lost when firewalld reloads its rules. With maxretry = 3 and the default findtime of 600 seconds, three failures from one address within ten minutes trigger a one-hour ban.
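To make the interaction of maxretry, findtime and bantime concrete, here is a small simulation of the sshd jail's counting logic run over a few constructed /var/log/secure lines. This is an added example written for this page, not code from the tutorial or from the Fail2Ban project: the regular expression is a simplified stand-in for Fail2Ban's real filter.d/sshd.conf failregex, the log lines are made up (the addresses are documentation ranges), and the year is assumed because /var/log/secure timestamps do not carry one.

```python
"""Simulate how a Fail2Ban jail counts failures and bans/unbans a source IP.

Added example for this tutorial; not Fail2Ban's own code. FAIL_RE is a
simplified stand-in for the real sshd failregex, and SAMPLE_LOG is
constructed, not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified sshd failure pattern for /var/log/secure lines (assumption: a
# subset of what Fail2Ban's real sshd filter matches).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from|Invalid user \S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ASSUMED_YEAR = 2021  # syslog timestamps have no year; pick one for parsing


def parse_ts(ts: str) -> float:
    """Convert 'Mar  9 10:00:01' to epoch seconds (year is assumed)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S").timestamp()


class Jail:
    """Sliding-window failure counter with timed bans, like a Fail2Ban jail."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned = {}                    # ip -> time the ban expires
        self.events = []                    # ("ban"|"unban", ip, epoch seconds)

    def _expire_bans(self, now: float) -> None:
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("unban", ip, until))

    def observe(self, line: str):
        """Feed one log line; return ("ban", ip) if this line triggers a ban."""
        m = FAIL_RE.search(line)
        if not m:
            return None  # successful logins and unrelated lines are ignored
        now, ip = parse_ts(m["ts"]), m["ip"]
        self._expire_bans(now)
        if ip in self.banned:
            return None  # already banned; the firewall rule drops its traffic
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            self.events.append(("ban", ip, now))
            return ("ban", ip)
        return None


# Constructed sample: 203.0.113.10 hammers sshd; 198.51.100.7 is a legitimate
# user who mistypes a password now and then, spaced well beyond findtime.
SAMPLE_LOG = [
    "Mar  9 10:00:01 srv sshd[1200]: Failed password for root from 203.0.113.10 port 51234 ssh2",
    "Mar  9 10:00:05 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2",
    "Mar  9 10:00:20 srv sshd[1202]: Invalid user oracle from 203.0.113.10 port 51236",
    "Mar  9 10:00:30 srv sshd[1203]: Failed password for root from 203.0.113.10 port 51237 ssh2",
    "Mar  9 10:01:00 srv sshd[1204]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Mar  9 10:01:10 srv sshd[1205]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
    "Mar  9 10:15:00 srv sshd[1206]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Mar  9 10:30:00 srv sshd[1207]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "Mar  9 11:05:00 srv sshd[1208]: Failed password for root from 203.0.113.10 port 51300 ssh2",
]


def run(lines, **settings) -> Jail:
    """Replay log lines through a jail with the given settings and return it."""
    jail = Jail(**settings)
    for line in lines:
        jail.observe(line)
    return jail


if __name__ == "__main__":
    for kind, ip, when in run(SAMPLE_LOG, maxretry=3).events:
        print(f"{kind:5} {ip} at {datetime.fromtimestamp(when):%H:%M:%S}")
```

With the tutorial's maxretry = 3, the attacker is banned on its third failure at 10:00:20, its fourth attempt is ignored, and the ban lapses after one hour, at 11:00:20; alice is never banned because her three failures are more than findtime apart. Running the same log with maxretry = 5 produces no ban at all, which is the trade-off the setting controls.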

Step 5 : Restart and Monitor Fail2ban

Type this command to restart Fail2ban service:

sudo systemctl restart fail2ban

* Note: Fail2ban must be restarted (or reloaded with sudo fail2ban-client reload) after changing any settings.

Let’s check the status:

sudo fail2ban-client status

You’ll see the output like:

Status
|- Number of jail:      1
`- Jail list:   sshd

To see the status of a single jail, run fail2ban-client status followed by the jail name. For our SSH jail:

sudo fail2ban-client status sshd

The output lists the log file being watched, the current and total failure counts, and the currently banned addresses:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

If "Total failed" stays at 0 while you can see failed logins in /var/log/secure, check that the filter actually matches your log lines:

sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

And follow Fail2ban's own log, where every ban and unban is recorded, using:

sudo tail -F /var/log/fail2ban.log

Step 6 : Manually Ban & Unban IP

We can also ban and unban addresses manually. To ban an address in a given jail, run:

sudo fail2ban-client set JAIL banip IPADDRESS

To unban it, run:

sudo fail2ban-client set JAIL unbanip IPADDRESS

For example, sudo fail2ban-client set sshd unbanip 203.0.113.10 lifts an sshd ban on 203.0.113.10 (a documentation address used here only as an illustration). A manual ban uses the jail's bantime and expires like an automatic one.

That's all. Thanks for reading.

Md Obydullah is a software engineer and full stack developer specialising in Laravel, Django, Vue.js, Node.js, Android, Linux servers, and ethical hacking.