How to Stop ssh attacks with fail2ban in CentOS


Every server on the web is subject to frequent break-in attempts, and they become even more common when services run on default ports, such as 22 for ssh.

However, using a simple, freely available tool called fail2ban, we can easily keep those intruders out of our machines without having to change our service ports.

In order to get fail2ban working on a CentOS machine you just have to install it straight from the repositories using:

$ yum install fail2ban

And then edit the configuration file to activate ssh and adjust some key parameters.

# edit the configuration using the nano editor

$ nano /etc/fail2ban/jail.conf

 

# my IP addresses
ignoreip = 127.0.0.1, 192.168.100.254, 192.168.100.200, 192.168.100.100, 192.168.100.130
# ban time for the source IP address, in seconds
bantime  = 129600
# maximum number of wrong password tries
maxretry = 3

 

To activate ssh access monitoring, find the [ssh] section, make it active by changing enabled = false to enabled = true, and point the script to the right log file.

Then you might want to change the following additional parameters:

ignoreip – A comma-separated list of IPs you consider safe and would like the script to ignore when counting access attempts (this is at the top of the configuration file)
action – Change the sender and recipient emails to get notifications about fail2ban actions
maxretry – The maximum number of failed login attempts before an IP gets banned

Example:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
# CentOS logs sshd authentication messages to /var/log/secure (auth.log is the Debian/Ubuntu path)
logpath  = /var/log/secure
maxretry = 3

Now just restart the service:

$ /etc/init.d/fail2ban restart

and test it. Just make sure you do not get locked out. Anyway, the ban will be released after 3 months.
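To see how ignoreip, maxretry and bantime interact before testing against the live server, the following Python example replays the jail's decision over a few log lines. It is an added example, not code from the original post or from fail2ban itself; the regular expression is a simplified stand-in for the sshd filter, the 600-second findtime is an assumption (the page does not set it), and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings from this page; FINDTIME (600 s, fail2ban's usual default) is an assumption.
IGNOREIP = {"127.0.0.1", "192.168.100.254", "192.168.100.200",
            "192.168.100.100", "192.168.100.130"}
MAXRETRY = 3
BANTIME = timedelta(seconds=129600)  # fail2ban reads bantime in seconds
FINDTIME = timedelta(seconds=600)

# Simplified stand-in for fail2ban's sshd filter: failed-password lines only.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def find_bans(lines, year=2024):
    """Return {ip: (banned_at, unban_at)} for IPs with MAXRETRY failures in FINDTIME."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        stamp, ip = m.groups()
        if ip in IGNOREIP or ip in bans:  # whitelisted or already banned
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent[ip].append(when)
        while when - recent[ip][0] > FINDTIME:  # forget failures older than findtime
            recent[ip].popleft()
        if len(recent[ip]) >= MAXRETRY:
            bans[ip] = (when, when + BANTIME)
    return bans

# Constructed sample lines in sshd syslog format (documentation address ranges).
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  4 10:00:03 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  4 10:00:04 web1 sshd[2103]: Failed password for bob from 192.168.100.200 port 51000 ssh2
Mar  4 10:00:05 web1 sshd[2104]: Failed password for bob from 192.168.100.200 port 51002 ssh2
Mar  4 10:00:06 web1 sshd[2105]: Failed password for bob from 192.168.100.200 port 51004 ssh2
Mar  4 10:00:09 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40140 ssh2
Mar  4 10:01:00 web1 sshd[2107]: Failed password for alice from 198.51.100.9 port 33000 ssh2
Mar  4 10:02:00 web1 sshd[2108]: Failed password for alice from 198.51.100.9 port 33002 ssh2
Mar  4 10:20:00 web1 sshd[2109]: Failed password for alice from 198.51.100.9 port 33004 ssh2
""".splitlines()

for ip, (start, end) in find_bans(SAMPLE_LOG).items():
    print(f"ban {ip} at {start}, unban at {end}")
```

Only 203.0.113.7 is banned: 192.168.100.200 is on the ignoreip list, and the three failures from 198.51.100.9 do not fall inside one findtime window. On the server itself, `fail2ban-client status ssh` lists the addresses the running jail has actually banned.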
