loader

    Knowledge Base

    How to protect SSH using fail2ban on CentOS 6

    Introduction

    SSH protocol provides opportunities for remote device management, but as any publicly accessible service, an SSH server is exposed to various attacks. One of such attacks is password-cracking.

    This manual will consider a way to protect SSH from malicious use of fail2ban package.

    The principle of fail2ban is quite simple: a special service scans the system logs to find a record of failed authentication attempts and under certain conditions blocks malicious IP-address using iptables.

    Installation and settings

    Run commands as root or via sudo.

    Connect the EPEL repository that contains fail2ban package:

    yum install epel-release

    Install fail2ban package:

    yum install fail2ban

    Turn on the automatic start of fail2ban service at the system start:

    chkconfig fail2ban on

    The fail2ban configuration file is located in the catalogue /etc/fail2ban/:

    - fail2ban.conf – default settings for fail2ban service;

    - fail2ban.d/*.* – custom settings for fail2ban service;

    - jail.conf – default settings for protected services;

    - jail.d/*.* – custom settings for protected services;

    - filter.d/*.*  –  settings for search templates in system logs;

    - action.d/*.* – settings for actions to be performed;

    - paths*.conf – path settings for different operating systems.

    To avoid overwriting when upgrading packages, it is necessary to create custom configuration files instead of editing files with default settings.

    Create a file /etc/fail2ban/jail.d/sshd.conf with the following content:

    Configuration

    [sshd] enabled = true bantime = 600 findtime = 600 maxretry = 5

    If the enabled parameter is true, then fail2ban service will block an IP-address for bantime seconds, if during the last findtime seconds there have been maxretry or more failed attempts of sshd authentication. After bantime seconds, the IP-address will be automatically unblocked.

    Restart fail2ban:

    service fail2ban restart

    Managing the black list

    While using fail2ban, it might be necessary to temporarily remove an IP ban or add an IP to the exceptions list.

    Removing IP ban temporarily

    Check if the IP you are looking for is on the black list:

    fail2ban-client status sshd

    Running this command will show the amount of failed authentication attempts and the list of banned IPs.

    Running the command

    Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 12 | ̀ - File list: /var/log/secure - Actions |- Currently banned: 1 |- Total banned: 2 ̀ - Banned IP list: 192.168.0.101

    In this example, IP 192.168.0.101 needs to be unblocked. This can be done using the commands:

    fail2ban-client set sshd addignoreip 192.168.0.101
    fail2ban-client set sshd unbanip 192.168.0.101

    The first command will add IP 192.168.0.101 to the exceptions list, and the second will unblock it.

    If an IP is not added to the exceptions list, in case of further failed authentication attempts it will be blocked again.

    Run the following command to see the exceptions list:

    fail2ban-client get sshd ignoreip

    Run the following command to delete an IP-address from the exceptions list:

    fail2ban-client set sshd delignoreip 192.168.0.101

    Removing IP ban permanently

    The changes implemented using the fail2ban-client are temporary, and they will be reset after the service is restarted.

    To make them permanent, some parameters are to be added to fail2ban configuration files.

    To add IP192.168.0.101 to the exceptions list permanently, add the parameter ignoreip to the file /etc/fail2ban/jail.d/sshd.conf:

    Configuration file

    [sshd] enabled = true bantime = 600 findtime = 600 maxretry = 5 ignoreip = 192.168.0.101

    If you need to add several IP-addresses or networks, add a space between them.

    Configuration file parameter

    ignoreip = 192.168.0.101 10.0.0.0/24 127.0.0.1/8

    Restart fail2ban:

    service fail2ban restart

    Diagnostics

    While running, fail2ban records diagnostic information in the system log.

    Accessing the file

    /var/log/messages

    Disabling

    To disable fail2ban and unblock all IP-addresses, stop fail2ban service and disable its autorun:

    service fail2ban stop
    chkconfig fail2ban off