Stop ssh attacks with fail2ban in CentOS
Every server on the web is subject to frequent break-in attempts, and when services run on default ports, like 22 for ssh, they become even more common.
However, using a simple, freely available tool called fail2ban, we can easily keep those intruders out of our machines without having to change our service ports.
In order to get fail2ban working on a CentOS machine you just have to install it straight from the repositories using:
$ yum install fail2ban
And then edit the configuration file to activate ssh and adjust some key parameters.
# edit the configuration using the nano editor
$ nano /etc/fail2ban/jail.conf
# my IP addresses
ignoreip = 127.0.0.1, 192.168.100.254, 192.168.100.200, 192.168.100.100, 192.168.100.130
# ban time for the source IP address
bantime = 129600
# maximum number of wrong password tries
maxretry = 3
To activate ssh access monitoring, find the [ssh] section and make it active by changing
enabled = false to enabled = true
and point the script to the right log file.
Then you might want to change the following additional parameters:
ignoreip – A comma-separated list of IPs you consider safe and would like the script to ignore regarding access attempts (this is at the top of the configuration file)
action – Change the sender and recipient emails to get notifications regarding fail2ban actions
maxretry – The maximum number of failed login attempts before an IP gets banned
Example:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Now just restart the service:
$ /etc/init.d/fail2ban restart
and test it. Just make sure you do not get locked out. Anyway, the ban will be released after 3 months.
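The ban decision configured above, as a dry run over sample log lines (an added example, not part of the original post and not fail2ban's own code). The log lines are constructed, findtime = 600 and the year 2024 are assumptions, and the single "Failed password" pattern stands in for fail2ban's fuller sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# ignoreip (shortened), maxretry and bantime are the page's values.
IGNOREIP = ["127.0.0.1", "192.168.100.254", "192.168.100.200"]
MAXRETRY, BANTIME = 3, 129600  # bantime is in seconds
FINDTIME = 600  # seconds; assumption, the page does not set findtime

# Constructed sample lines in the syslog format sshd writes.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar  3 10:00:07 web1 sshd[2104]: Failed password for bob from 192.168.100.200 port 51000 ssh2
Mar  3 10:00:08 web1 sshd[2105]: Failed password for bob from 192.168.100.200 port 51002 ssh2
Mar  3 10:00:09 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 10:00:10 web1 sshd[2107]: Failed password for bob from 192.168.100.200 port 51004 ssh2
Mar  3 10:01:00 web1 sshd[2110]: Failed password for root from 198.51.100.23 port 33001 ssh2
Mar  3 10:01:30 web1 sshd[2111]: Failed password for root from 198.51.100.23 port 33002 ssh2
Mar  3 10:25:00 web1 sshd[2120]: Failed password for root from 198.51.100.23 port 33050 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def is_ignored(ip, ignore=IGNOREIP):  # entries may be addresses or CIDR masks
    return any(ip_address(ip) in ip_network(net, strict=False) for net in ignore)

def would_ban(log_text, year=2024):
    """Return {ip: time the ban is lifted}; syslog has no year, so one is assumed."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or is_ignored(m.group(2)):
            continue  # not a failed login, or the source is on the ignore list
        stamp, ip = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if ip in bans and ts < bans[ip]:
            continue  # source is still banned
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FINDTIME:
            q.popleft()  # forget failures older than findtime
        if len(q) >= MAXRETRY:
            bans[ip] = ts + timedelta(seconds=BANTIME)
    return bans

if __name__ == "__main__":
    print(would_ban(SAMPLE_LOG))
```

On the sample only 203.0.113.7 is banned: the ignore-listed address is skipped despite three failures, and 198.51.100.23 never reaches three failures inside one findtime window.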