How to Use Fail2ban to Secure SSH on CentOS 7

Fail2ban is the latest security tool to secure your server from brute force attack. It automatically protects the server from hackers. It works by monitoring through log files and reacting to offending actions like repeated failed login attempts. The process consists of adding a new rule in a firewall chain and sending an e-mail notification.  You can easily install and configure fail2ban by using this simple document.

Before proceeding with the installation we need to assure that our system meets all the software requirements for compiling and installing the application. And also it should be configured with a Static IP address. On the first step, update your system repositories and software packages by issuing the below commands on CentOS.

# yum update

Installing Fail2ban on CentOS

To install Fail2Ban on a CentOS 7 server, we will have to install EPEL (Extra Packages for Enterprise Linux) repository first. EPEL contains additional packages for all CentOS versions. We can run this following command from the root to install this package.

# yum install epel-release -y
# yum install fail2ban fail2ban-systemd

Fail2ban needs some dependencies. It will automatically downloads these from repository.


Configuring Settings for Fail2ban on CentOS

Default configuration file of fail2ban is located at /etc/fail2ban/jail.conf
All configurations of fail2ban is to be done in a local file . You need to copy /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After copying, we will have to configure and customize the software with a jail.local configuration file. The jail.local file overrides the jail.conf file and is used to make your custom configuration update safe.

Main Configurations in the default jail.local

The file code may consist of many lines of codes which is executed to whitelist or ban one or many IP addresses, set bantime duration, number of failure attempts etc. For activating a service you can set the enabled status from false to true. You need to know some terms used in the configuration file.

  • ignoreip: It can be an IP address, a CIDR mask or a DNS host. You can whitelist any IP address by adding to this list. Several addresses can be defined using space separator.
  • bantime: It is the number of seconds that a host is banned.
  • Findtime: It is the parameter which is used to check if a host must be banned or not. When the host generates maxretry in its last findtime, it is banned.
  • Maxretry : It is the parameter used to set the limit for the number of retry's by a host, upon exceeding this limit, the host is banned.

In CentOS 7 server, you will need to change the backend option in jail.local from auto to systemd.

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See
backend = systemd

Configuring fail2ban for SSH Protection

No jails are enabled by default in CentOS 7. To enable SSH protection, you need to uncomment the following lines in jail.local file as below:

# SSH servers


enabled = true # To use more aggressive sshd filter (inclusive sshd-ddos failregex): #filter = sshd-aggressive port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s

Parameter enabled is set to true, in order to provide protection, to disable protection, we can set it to false. The filter parameter checks the fail2ban sshd configuration file, located in the path /etc/fail2ban/filter.d/sshd.conf.

The parameter action is used to derive the IP address which needs to be banned using the filter available from /etc/fail2ban/action.d/firewallcmd-ipset.conf.

  • Port: This parameter may be changed to a new value such as port=2222 if you moved your port to 2222 instead of default one. There is no need to change this parameter for default port 22.
  • Logpath: It provides the path where the log file is stored. This log file is scanned by Fail2Ban.
  • Maxretry: It is used to set the maximum limit for failed login entries.
  • Bantime: This is used to set the duration of seconds for which a host needs to be banned.
  • filter: The name of the file located in /etc/fail2ban/filter.d that contains the failregex information used to parse log files appropriately.

Enabling Fail2ban Service

You need to make sure to enable and start CentOS firewalld service for running this software.

# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/firewalld.service.
# systemctl start firewalld
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2018-01-14 10:57:34 UTC; 9s ago
Docs: man:firewalld(1)
Main PID: 19493 (firewalld)
CGroup: /system.slice/firewalld.service
└─19493 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Now we can enable and start our fail2ban service by executing these commands below:

#systemctl enable fail2ban
#systemctl start fail2ban

For any configuration changes, make sure to restart the service to append those changes with the command below:

#systemctl restart fail2ban

Use Fail2ban client

Fail2ban provides a command fail2ban-client that can be used to run Fail2ban from the command line. Check out the various command-line options below:

fail2ban-client COMMAND
  • start: starts the server and the jails
  • reload: reloads the configuration
  • reload <JAIL>:  reloads the jail <JAIL>
  • stop: stops all jails and terminate the server
  • status: gets the current status of the server
  • ping: tests if the server is alive
  • help: return this output
  • version: return the server version

For example, to check whether Fail2Ban is running and if SSHd jail is enabled, run:

# fail2ban-client status
|- Number of jail: 1
`- Jail list: sshd

For more information about this command you can run man fail2ban-client.

Tracking the Failed Login attempts

We can check the SSH log using the following command to check whether there had been any failed attempts to login to sever via ssh port. We can get a list of failed root password attempts from different IP addresses similar to this output.

Jan 14 05:08:58 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2
Jan 14 05:09:00 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2
Jan 14 05:09:02 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2
Jan 14 05:09:04 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2
Jan 14 05:09:06 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2
Jan 14 05:09:08 li226-12 sshd[14786]: Failed password for root from port 43374 ssh2

You can view the list of banned IPs which has reached the maximum number of failure attempts by the command below:

#iptables -L -n

Unbanning an IP address

In order to remove an IP address from the banned list, parameter IPADDRESS is set to appropriate IP which needs whitelisting. The name "sshd" is the name of the jail, in this case the "sshd" jail that we configured above. We can run the following command for the same.

#fail2ban-client set sshd unbanip IPADDR

Wrapping up

Fail2ban works in the background and continuously scans the log files for unusual login patterns and security breach attempts. This article provides you with a brief introduction to this topic, you can get more information about this in this Fail2ban wiki. I hope this is useful for you. Please post your valuable comments and suggestions on this.

Leave a Comment