Knowledge Base
Accounts
Billing and payments
Cloud server volumes
Cloud servers
Cloud storage
Customer portal
Data centers and network
Data privacy and data portability
Dedicated servers
Firewall
How it works
Kubernetes clusters
L2 segments
Linux administration
Load balancing
Support
VPN to GPN
Windows administration
How to protect SSH using fail2ban on CentOS 6
Introduction
SSH protocol provides opportunities for remote device management, but as any publicly accessible service, an SSH server is exposed to various attacks. One of such attacks is password-cracking.
This manual will consider a way to protect SSH from malicious use of fail2ban package.
The principle of fail2ban is quite simple: a special service scans the system logs to find a record of failed authentication attempts and under certain conditions blocks malicious IP-address using iptables.
Installation and settings
Run commands as root or via sudo.
Connect the EPEL repository that contains fail2ban package:
Install fail2ban package:
Turn on the automatic start of fail2ban service at the system start:
The fail2ban configuration file is located in the catalogue /etc/fail2ban/:
- fail2ban.conf – default settings for fail2ban service;
- fail2ban.d/*.* – custom settings for fail2ban service;
- jail.conf – default settings for protected services;
- jail.d/*.* – custom settings for protected services;
- filter.d/*.* – settings for search templates in system logs;
- action.d/*.* – settings for actions to be performed;
- paths*.conf – path settings for different operating systems.
To avoid overwriting when upgrading packages, it is necessary to create custom configuration files instead of editing files with default settings.
Create a file /etc/fail2ban/jail.d/sshd.conf with the following content:
Configuration
If the enabled parameter is true, then fail2ban service will block an IP-address for bantime seconds, if during the last findtime seconds there have been maxretry or more failed attempts of sshd authentication. After bantime seconds, the IP-address will be automatically unblocked.
Restart fail2ban:
Managing the black list
While using fail2ban, it might be necessary to temporarily remove an IP ban or add an IP to the exceptions list.
Removing IP ban temporarily
Check if the IP you are looking for is on the black list:
Running this command will show the amount of failed authentication attempts and the list of banned IPs.
Running the command
In this example, IP 192.168.0.101 needs to be unblocked. This can be done using the commands:
The first command will add IP 192.168.0.101 to the exceptions list, and the second will unblock it.
If an IP is not added to the exceptions list, in case of further failed authentication attempts it will be blocked again.
Run the following command to see the exceptions list:
Run the following command to delete an IP-address from the exceptions list:
Removing IP ban permanently
The changes implemented using the fail2ban-client are temporary, and they will be reset after the service is restarted.
To make them permanent, some parameters are to be added to fail2ban configuration files.
To add IP192.168.0.101 to the exceptions list permanently, add the parameter ignoreip to the file /etc/fail2ban/jail.d/sshd.conf:
Configuration file
If you need to add several IP-addresses or networks, add a space between them.
Configuration file parameter
Restart fail2ban:
Diagnostics
While running, fail2ban records diagnostic information in the system log.
Accessing the file
Disabling
To disable fail2ban and unblock all IP-addresses, stop fail2ban service and disable its autorun: