In this recipe, we will learn how to implement additional security measures for protecting the SSH server with a package called fail2ban. This is a tool that serves to protect a variety of services, including SSH, FTP, SMTP, Apache, and many more, against brute-force login attempts. It works by reading log files for patterns that indicate failed login attempts and then blocking the offending IP addresses for a period of time. Of course, you may have already hardened your SSH server or another service at the application level (key-only authentication, no root login, and so on), but it is the purpose of this recipe to show that, when faced with the possibility of brute-force attacks, an added layer of protection is always useful.
To complete this recipe, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to download additional packages. In addition to this, it will be assumed that YUM is already configured to download packages from the EPEL repository (see Chapter 4, Managing Packages with YUM).
Fail2ban is not installed by default, and for this reason we will need to invoke the YUM package manager and download the necessary packages:

1. To begin, log in as root and type the following command:

   yum install fail2ban-firewalld fail2ban-systemd

2. Next, create a local configuration file. Settings placed in jail.local override the packaged defaults in jail.conf, which would be overwritten by the next package update, so never edit jail.conf directly:

   vi /etc/fail2ban/jail.local

3. Add the following lines, then save and close the file:

   [DEFAULT]
   findtime = 900

   [sshd]
   enabled = true
   bantime = 3600
   maxretry = 5

4. If you have changed the SSH listening port from the default of 22, you need to tell fail2ban as well by adding the following line to the [sshd] section (replace XXXX with your port number of choice); otherwise skip this step:

   port = XXXX

5. Finally, enable the fail2ban service at boot and start it now. To do this, type the following commands:

   systemctl enable fail2ban
   systemctl start fail2ban
fail2ban is designed to monitor hosts that repeatedly fail to log in to your server, and its main purpose is to mitigate attacks that try to guess passwords and steal user credentials. It works by continuously reading your system's log files (or, with the systemd backend installed here, the systemd journal); when it finds a pattern indicating a number of failed attempts from one IP address within a short period, it acts against that address by adding a temporary firewall rule. Servers do not exist in isolation, and with a few minutes of work this tool gives the server an additional layer of protection.
So, what did we learn from this experience?
fail2ban is not available from the standard CentOS repositories, and for this reason your server will need to have access to the EPEL repository. The installation of the fail2ban packages was very simple; besides the main fail2ban package, we installed two other packages that integrate it with CentOS 7's systemd init system and firewalld firewall: fail2ban-systemd makes it read failed logins from the systemd journal rather than from flat log files, and fail2ban-firewalld makes it apply bans as firewalld rules instead of raw iptables commands. Next, for our local customization, we created a new jail.local file. We started by specifying the findtime parameter for all jails (within the [DEFAULT] section). This value is measured in seconds and defines the window in which failed attempts are counted: if a single IP address reaches the maximum number of failed attempts within findtime seconds, it is banned; failures spread out more thinly than that never add up to a ban. Next, we enabled fail2ban for the sshd daemon by adding an [sshd] section. In this section, we set the bantime value, which is the total number of seconds that a host will be blocked from reaching the server once it has been found in violation of the rules, and the maxretry value, which is the number of failed attempts within findtime that triggers the ban. Also, if you have changed your service's standard listening port, you have to define the custom port using the port directive in the same section, because the firewall rule that fail2ban adds is restricted to the configured port. To test your settings, try to authenticate a user over SSH and provide a wrong password five times. After the fifth failure your address is banned, so on the sixth occasion the connection is dropped by the firewall and you will not get back to a login prompt for one hour. Do this from a machine you can afford to lock out, because the ban applies to the source IP address rather than to the user account; alternatively, add your own administrative address to the ignoreip directive in the [DEFAULT] section beforehand.
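The counting logic described above, as an added illustration that is not part of the original recipe or of fail2ban itself: the following Python script parses failed-login lines in the /var/log/secure format, counts failures per source address inside a sliding findtime window, bans an address once maxretry failures fall inside that window, and lets the ban lapse after bantime seconds. The jail values are the ones from the recipe's jail.local; the log lines, the host name, the addresses and the year (syslog timestamps carry none) are constructed for the example, and the regular expression is a simplified stand-in for the real sshd filter.

```python
"""Simulation of the fail2ban sshd jail logic (added example, not fail2ban code).

Parses constructed /var/log/secure lines, counts failures per source address
inside a sliding findtime window, bans after maxretry failures and lifts the
ban after bantime seconds. Jail values mirror the recipe's jail.local.
"""
import re
from datetime import datetime, timedelta

FINDTIME = 900   # seconds: window in which failed attempts are counted
MAXRETRY = 5     # failures inside the window that trigger a ban
BANTIME = 3600   # seconds a banned address stays blocked

# Simplified stand-in for the "Failed password" pattern in filter.d/sshd.conf
# (written for this example; the real filter has many more patterns).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_ts(ts, year=2015):
    """syslog timestamps have no year, so one is assumed for this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """Per-jail state: recent failures per address and active bans."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}  # ip -> timestamps of failures still inside findtime
        self.bans = {}      # ip -> time at which the ban expires
        self.events = []    # (time, "ban" | "unban", ip) decisions taken

    def is_banned(self, ip, now):
        """True while a ban is active. Expired bans are lifted lazily here;
        the real daemon lifts them on a timer, independent of new log lines."""
        expires = self.bans.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self.bans[ip]
            self.events.append((now, "unban", ip))
            return False
        return True

    def observe(self, line):
        """Feed one log line; return None (not a failure), "fail", "ban" or "banned"."""
        m = FAILED_RE.match(line)
        if m is None:
            return None                      # the filter ignores this line
        now, ip = parse_ts(m.group("ts")), m.group("ip")
        if self.is_banned(ip, now):
            return "banned"                  # firewall already rejects this address
        # Drop failures that fell out of the findtime window, then add this one.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.failures[ip] = []           # counter restarts after the ban
            self.events.append((now, "ban", ip))
            return "ban"
        return "fail"


def replay(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Run every line of a log through a fresh jail; return (jail, decisions)."""
    jail = Jail(findtime, maxretry, bantime)
    decisions = [jail.observe(l) for l in log_text.splitlines() if l.strip()]
    return jail, decisions


# Constructed sample in /var/log/secure format: a fast password-guessing burst
# from 203.0.113.7 and a slow, widely spaced series of failures from 198.51.100.20.
SAMPLE_SECURE = """\
Oct 12 10:00:01 centos7 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Oct 12 10:00:05 centos7 sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Oct 12 10:00:09 centos7 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Oct 12 10:00:13 centos7 sshd[1204]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Oct 12 10:00:14 centos7 sshd[1205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Oct 12 10:00:18 centos7 sshd[1206]: Failed password for root from 203.0.113.7 port 51004 ssh2
Oct 12 10:30:00 centos7 sshd[1300]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Oct 12 10:50:00 centos7 sshd[1301]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Oct 12 11:00:30 centos7 sshd[1400]: Failed password for root from 203.0.113.7 port 52000 ssh2
Oct 12 11:10:00 centos7 sshd[1302]: Failed password for bob from 198.51.100.20 port 40003 ssh2
Oct 12 11:30:00 centos7 sshd[1303]: Failed password for bob from 198.51.100.20 port 40004 ssh2
Oct 12 11:50:00 centos7 sshd[1304]: Failed password for bob from 198.51.100.20 port 40005 ssh2
"""

if __name__ == "__main__":
    jail, decisions = replay(SAMPLE_SECURE)
    for when, action, ip in jail.events:
        print(f"{when:%b %d %H:%M:%S}  {action:<5}  {ip}")
```

Run as is, the script bans 203.0.113.7 at 10:00:18, on its fifth failure inside 900 seconds, and lifts the ban when the next line from that address arrives after 11:00:18, one hour later. The five failures from 198.51.100.20 are spaced twenty minutes apart, so no more than one of them ever sits inside the findtime window and that address is never banned; a larger findtime is the knob that catches such slow guessing. Note that on a real server the banned address's further connection attempts never reach sshd, because the firewall rejects them, so they do not even appear in the log; the "banned" result models fail2ban ignoring such lines if they do turn up.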
Protecting the sshd service from brute-force attacks is just the first step to get you started, and there is much more to learn with fail2ban. To check that the jail is active and see which addresses are currently banned, run fail2ban-client status sshd; a test address you have locked out can be released early with fail2ban-client set sshd unbanip IP-ADDRESS. To troubleshoot the service, please look at its log file at /var/log/fail2ban.log. To get some ideas about what else can be done with it, open the packaged example config file, which lists every available jail together with its default settings: less /etc/fail2ban/jail.conf. Copy only the sections you want to change into jail.local rather than editing jail.conf itself.