If you manage a CentOS 7 server, you probably make heavy use of secure shell (ssh) to handle remote tasks. Malicious users could take advantage of your having the ssh daemon open and running. Although ssh is a secure protocol, it doesn’t mean it’s perfect. With sshd available to the public, you never know when someone might hack the daemon and wind up with access to your data.

To that end, you want to go to all extremes to secure the ssh daemon. One way to achieve that is through Fail2ban. The Fail2ban system scans log files and bans IP addresses that show signs of malicious behavior, such as a failed login attempt. Fail2ban achieves this by updating firewall rules based on what it finds in the log files. If Fail2ban sees possible malicious activity from an IP address, it will adjust the firewall rules to block that address. It works well.

Let’s get Fail2ban installed on CentOS 7, and set it up to monitor the secure shell daemon.

Installing Fail2ban

Since you won’t find Fail2ban in the standard repositories, you must first add the Extra Packages for Enterprise Linux repository. Open a terminal window and issue the command:

sudo yum install epel-release

Once that installation completes, install Fail2ban with the command:

sudo yum install fail2ban

Configuring Fail2ban

With Fail2ban installed, it’s time to configure the system. First, you must understand how Fail2ban works.

Within the directory /etc/fail2ban you’ll find the main configuration file, jail.conf, and a directory, jail.d, which contains the secondary configuration files. We don’t want to alter the jail.conf file; instead, we’ll manually create the jail.local file, where we can add specific jails for Fail2ban. In this case, we’ll add the sshd jail.

Fail2ban reads the configuration files in the following order:

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/jail.d/*.conf
  3. /etc/fail2ban/jail.local
  4. /etc/fail2ban/jail.d/*.local

* The .conf and .local files in jail.d are read in alphabetical order.

We are going to create a jail.local file to instruct Fail2ban to monitor the secure shell daemon. To create this file, issue the command sudo nano /etc/fail2ban/jail.local. The contents of this file will be:

[DEFAULT]
# Ban suspect IPs for ten minutes:
bantime = 600
maxretry = 3
# Override the /etc/fail2ban/jail.d/00-firewalld.conf file:
banaction = iptables-multiport

[sshd]
enabled = true

The above configuration file does four things. It:

  • sets a new bantime for all services (in this case, 600 seconds);
  • sets the number of tries a client has to authenticate within a window of time before being banned (in this case, 3);
  • ensures the system is using iptables for the firewall configuration by setting banaction to iptables-multiport, which overrides the /etc/fail2ban/jail.d/00-firewalld.conf file; and
  • enables a jail for sshd.

Save and close the file. Now that you’ve created the jail.local file, we have to restart Fail2ban with the command:

sudo systemctl restart fail2ban
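
The read order listed above is why jail.local can override 00-firewalld.conf. The following Python sketch is an added example, not part of the original article and not Fail2ban's own code: it models the merge in simplified form with the standard configparser module on constructed sample files (the firewallcmd-ipset value shown for 00-firewalld.conf is an assumption), and shows that a jail.local without a section header is rejected.

```python
import configparser
import glob
import os
import tempfile

def read_order(root):
    """Existing config files under root, in the order the article lists."""
    jail_d = os.path.join(root, "jail.d")
    paths = ([os.path.join(root, "jail.conf")]
             + sorted(glob.glob(os.path.join(jail_d, "*.conf")))
             + [os.path.join(root, "jail.local")]
             + sorted(glob.glob(os.path.join(jail_d, "*.local"))))
    return [p for p in paths if os.path.isfile(p)]

def effective_jail(root, jail):
    """Merge every file in read order (later wins); return the jail's settings."""
    parser = configparser.ConfigParser(interpolation=None)
    for path in read_order(root):
        with open(path) as fh:
            parser.read_file(fh)  # raises if a file has no [section] header
    return dict(parser[jail])     # includes values inherited from [DEFAULT]

def write_tree(files):
    """Write {relative path: text} into a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="f2b-demo-")
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

# Constructed sample contents (assumed values, not copied from a real system).
SAMPLE = {
    "jail.conf": "[DEFAULT]\nbantime = 3600\nmaxretry = 5\n"
                 "banaction = iptables-multiport\n[sshd]\nenabled = false\n",
    "jail.d/00-firewalld.conf": "[DEFAULT]\nbanaction = firewallcmd-ipset\n",
    "jail.local": "[DEFAULT]\nbantime = 600\nmaxretry = 3\n"
                  "banaction = iptables-multiport\n[sshd]\nenabled = true\n",
}

if __name__ == "__main__":
    print(effective_jail(write_tree(SAMPLE), "sshd"))
    # Same jail.local with the [DEFAULT] header left out: the file is rejected.
    broken = dict(SAMPLE, **{"jail.local": "bantime = 600\n[sshd]\nenabled = true\n"})
    try:
        effective_jail(write_tree(broken), "sshd")
    except configparser.MissingSectionHeaderError as exc:
        print("rejected:", str(exc).splitlines()[0])
```

On a live server, sudo fail2ban-client status sshd remains the check that the jail actually loaded.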

Testing Fail2ban

We can see that Fail2ban has included our newly configured jail with the command:

sudo fail2ban-client status

The above command should list sshd in the jail list (Figure A).

Figure A

If you want to find out more information on a particular jail, you can issue the command:

sudo fail2ban-client status JAILNAME

In our case, the JAILNAME would be sshd.

The above command will display failed login attempts, as well as any IPs that are currently banned (Figure B).

Figure B

If Fail2ban catches suspect activity from an IP address, that address will be banned for 10 minutes before it is removed from the jail.

A must-use measure

If you have a server that leaves the ssh daemon open, you owe it to yourself to install and use Fail2ban. It will go a very long way to keep malicious users from gaining access to your data through secure shell.

To learn more about Fail2ban configurations, check out the official documentation.