In this process, we will learn how to add a further layer of protection to the SSH server with a package called fail2ban. This tool protects a variety of services, including SSH, FTP, SMTP, Apache, and many more, against unwanted visitors. It works by reading log files for patterns that indicate failed login attempts and then acting against the offending IP addresses. You may already have hardened your SSH server or another service at the application level, but the purpose of this process is to show that, when faced with the possibility of brute-force attacks, an added layer of protection is always useful.
To Start With: What Do You Need?
To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to download additional packages. In addition to this, it will be assumed that YUM is already configured to download packages from the EPEL repository.
The Process
Fail2ban is not installed by default, and for this reason, we will need to invoke the YUM package manager and download the necessary packages:
- To begin this process, log in as root and type the following command:
yum install fail2ban-firewalld fail2ban-systemd
- Create a new configuration file in your favorite text editor, like so
vi /etc/fail2ban/jail.local
- Put in the following content:
[DEFAULT]
findtime = 900
[sshd]
enabled = true
- Now, append the following line that defines the ban period. It is calculated in seconds, so adjust the time period to reflect a more suitable value. In this case, we have chosen this to be one hour:
bantime = 3600
- Then, append the maximum number of login attempts:
maxretry = 5
- If you are running SSH over a custom port other than 22, you need to tell this to fail2ban as well (replace XXXX with your port number of choice); otherwise, skip this step:
port = XXXX
- Now, save and close the file in the usual way before proceeding to enable the fail2ban service at boot. To do this, type the following command:
systemctl enable fail2ban
- To complete this process, you should now start the service by typing:
systemctl start fail2ban
How Does It Work?
fail2ban is designed to monitor clients that repeatedly fail to log in to your server, and its main purpose is to mitigate attacks that try to guess passwords and steal user credentials. It works by continuously reading your system's log files; when these show a pattern of repeated failed attempts from one address, it acts against the offending IP address by blocking it in the firewall for a configurable period. Servers do not exist in isolation, and by using this tool, within a few minutes, the server will be running with an additional blanket of protection.
So, what did we learn from this experience?
fail2ban is not available from the standard CentOS repositories, and for this reason your server will need to have access to the EPEL repository. The installation of the fail2ban packages was very simple; besides the main fail2ban package (pulled in as a dependency), we installed two other packages that integrate it with CentOS 7's systemd and firewalld: they ship drop-in files under /etc/fail2ban/jail.d/ that make fail2ban read the systemd journal and issue its bans through firewalld rather than by editing iptables directly. Next, for our local customization, we created a new jail.local file; settings placed there override the defaults in jail.conf, which must not be edited because a package update will overwrite it. We started by specifying the findtime parameter for all jails (within the [DEFAULT] section). This value is measured in seconds and defines the observation window: a host is banned only if it reaches the maximum number of failures within any window of that length, so failures spread more thinly than that are forgotten. Next, we enabled fail2ban for the sshd daemon by adding a [sshd] section. In this section, we introduced the bantime value, which represents the number of seconds for which a host will be blocked from accessing the server once it violates the rules. Based on this, you were then asked to set maxretry, the number of failed login attempts tolerated within findtime before blocking. Also, if you have changed your service's standard listening port, you have to define the custom port using the port directive, since the ban rule is installed for that port. To test your settings, connect from a different machine and authenticate over SSH with a wrong password five times. After the fifth failure the address is banned and, for the next hour, further connection attempts from it will be refused rather than reaching the login prompt at all. Note that a single SSH session usually offers several password prompts and each failure is logged separately, so the ban can take effect part-way through a session. Before testing, add your own administrative addresses to ignoreip in the [DEFAULT] section so that a typo cannot lock you out; if it does happen, fail2ban-client status sshd lists the banned addresses and fail2ban-client set sshd unbanip followed by the address lifts the ban.
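The interaction of findtime, maxretry, bantime and ignoreip described above, as an added example that is not part of the original text or of fail2ban's own code: a small Python model of one jail run over constructed sshd log lines. The regular expression is a simplified stand-in for the real sshd filter in /etc/fail2ban/filter.d/sshd.conf, the host name, process IDs and IP addresses are made up, and the year is assumed because syslog timestamps carry none. It shows a fast attacker being banned on the fifth failure and released after bantime, a slow attacker whose failures never fit inside findtime, and an address exempted by ignoreip.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd filter's failregex; the real filter
# matches many more message forms (assumption for this example).
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_ts(stamp, year=2024):
    """Syslog stamps carry no year; assume one (fail2ban has to guess as well)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


class Jail:
    """One jail: maxretry failures inside any findtime window -> ban for bantime."""

    def __init__(self, findtime=900, maxretry=5, bantime=3600, ignoreip=()):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires
        self.events = []                    # ("ban" | "unban", ip) in log order

    def _expire(self, now):
        # Lift every ban whose bantime has elapsed at the current log time.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip))

    def feed(self, line):
        m = FAILREGEX.match(line)
        if not m:                      # successful logins etc. never count
            return
        ip, now = m["ip"], parse_ts(m["ts"])
        self._expire(now)
        if ip in self.ignoreip or ip in self.bans:
            return
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            self.events.append(("ban", ip))

    def is_banned(self, ip):
        return ip in self.bans


def line(stamp, ip, msg="Failed password for root"):
    return f"{stamp} bastion sshd[2201]: {msg} from {ip} port 40022 ssh2"


# Constructed sample log (not real traffic); run() sorts it by timestamp.
SAMPLE_LOG = [
    # fast attacker: five failures in 40 seconds -> banned on the fifth
    *(line(f"Mar 10 10:00:{s:02d}", "203.0.113.5") for s in (0, 10, 20, 30, 40)),
    line("Mar 10 10:00:50", "203.0.113.5"),   # still logged, but the host is already banned
    # slow attacker: one failure every five minutes never reaches 5 inside findtime=900
    *(line(f"Mar 10 10:{m:02d}:00", "198.51.100.7") for m in (1, 6, 11, 16, 21)),
    # administrative host listed in ignoreip: never banned, however often it fails
    *(line(f"Mar 10 10:02:{s:02d}", "192.0.2.10", "Failed password for invalid user admin")
      for s in range(0, 60, 10)),
    # a successful login does not match the failregex at all
    "Mar 10 10:30:00 bastion sshd[2300]: Accepted publickey for ops from 192.0.2.10 port 40100 ssh2",
    # just over an hour later the fast attacker's bantime has elapsed
    line("Mar 10 11:05:00", "203.0.113.5"),
]


def run(lines, jail):
    """Replay the log in timestamp order through the jail and return it."""
    for entry in sorted(lines, key=lambda l: parse_ts(l[:15])):
        jail.feed(entry)
    return jail


if __name__ == "__main__":
    j = run(SAMPLE_LOG, Jail(findtime=900, maxretry=5, bantime=3600, ignoreip={"192.0.2.10"}))
    for action, ip in j.events:
        print(action, ip)
```

Running it with the values from this recipe prints a ban and a later unban for 203.0.113.5 only. Raising findtime to 1800 also catches the slow attacker, and dropping ignoreip gets the administrative host banned as well, which is exactly the lock-out the ignoreip setting is there to prevent.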
Protecting the sshd service from brute-force attacks is just the first step to get you started, and there is much more to learn with fail2ban. To troubleshoot the service, look at its log file at /var/log/fail2ban.log, and use fail2ban-client status sshd to see which addresses a jail currently holds. To get some ideas about what else can be done with it, open the example fail2ban config file with less /etc/fail2ban/jail.conf, and copy any settings you want to change into jail.local rather than editing jail.conf itself.