SSH protocol provides opportunities for remote device management, but as any publicly accessible service, an SSH server is exposed to various attacks. One of such attacks is password-cracking.
This manual will consider a way to protect SSH from malicious use of fail2ban package.
The principle of fail2ban is quite simple: a special service scans the system logs to find a record of failed authentication attempts and under certain conditions blocks malicious IP-address using iptables.
Run commands as root or via sudo.
Connect the EPEL repository that contains fail2ban package:
yum install epel-release
Install fail2ban package:
yum install fail2ban
Turn on the automatic start of fail2ban service at the system start:
chkconfig fail2ban on
The fail2ban configuration file is located in the catalogue /etc/fail2ban/:
- fail2ban.conf – default settings for fail2ban service;
- fail2ban.d/*.* – custom settings for fail2ban service;
- jail.conf – default settings for protected services;
- jail.d/*.* – custom settings for protected services;
- filter.d/*.* – settings for search templates in system logs;
- action.d/*.* – settings for actions to be performed;
- paths*.conf – path settings for different operating systems.
To avoid overwriting when upgrading packages, it is necessary to create custom configuration files instead of editing files with default settings.
Create a file /etc/fail2ban/jail.d/sshd.conf with the following content:
[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
If the enabled parameter is true, then fail2ban service will block an IP-address for bantime seconds, if during the last findtime seconds there have been maxretry or more failed attempts of sshd authentication. After bantime seconds, the IP-address will be automatically unblocked.
Restart fail2ban:
service fail2ban restart
While using fail2ban, it might be necessary to temporarily remove an IP ban or add an IP to the exceptions list.
Check if the IP you are looking for is on the black list:
fail2ban-client status sshd
Running this command will show the amount of failed authentication attempts and the list of banned IPs.
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 12
| ̀ - File list: /var/log/secure
- Actions
|- Currently banned: 1
|- Total banned: 2
̀ - Banned IP list: 192.168.0.101
In this example, IP 192.168.0.101 needs to be unblocked. This can be done using the commands:
fail2ban-client set sshd addignoreip 192.168.0.101
fail2ban-client set sshd unbanip 192.168.0.101
The first command will add IP 192.168.0.101 to the exceptions list, and the second will unblock it.
If an IP is not added to the exceptions list, in case of further failed authentication attempts it will be blocked again.
Run the following command to see the exceptions list:
fail2ban-client get sshd ignoreip
Run the following command to delete an IP-address from the exceptions list:
fail2ban-client set sshd delignoreip 192.168.0.101
The changes implemented using the fail2ban-client are temporary, and they will be reset after the service is restarted.
To make them permanent, some parameters are to be added to fail2ban configuration files.
To add IP192.168.0.101 to the exceptions list permanently, add the parameter ignoreip to the file /etc/fail2ban/jail.d/sshd.conf:
[sshd]
enabled = true
bantime = 600
findtime = 600
maxretry = 5
ignoreip = 192.168.0.101
If you need to add several IP-addresses or networks, add a space between them.
ignoreip = 192.168.0.101 10.0.0.0/24 127.0.0.1/8
Restart fail2ban:
service fail2ban restart
While running, fail2ban records diagnostic information in the system log.
/var/log/messages
To disable fail2ban and unblock all IP-addresses, stop fail2ban service and disable its autorun:
service fail2ban stop
chkconfig fail2ban off