Install Fail2ban on CentOS 7 to Protect SSH via firewalld

Introduction

If you are using password-based authentication for SSH access to a server attached to the public internet, then this will look all too familiar.

tutorial@<redacted>'s password:
Last failed login: Mon Mar 20 20:47:43 UTC 2017 from 116.31.116.37 on ssh:notty
There were 96619 failed login attempts since the last successful login.
Last login: Mon Mar 13 18:07:23 2017 from <redacted>

Did you notice the 96619 failed login attempts? The vast majority of those attempted connections are likely attempts to guess the credentials and gain access to your server!

One way to minimize the chances of such brute-force attempts actually working is to utilize Fail2ban. Fail2ban can be configured to keep an eye on various system logs and respond to failed login attempts using local firewall rules. In this tutorial we will briefly show how to get Fail2ban installed and configured to protect against SSH connection attempts.

Requirements

To follow along you will need access to:

  • A server running CentOS 7.
  • A public IP address. It can be dynamic or static.
  • A user configured with sudo access. Our example username is: tutorial.

Install

In order to easily install the fail2ban packages using yum, we need access to the EPEL repository. Add it to your system by running sudo yum install epel-release. You should see output similar to the following:

[tutorial@centos ~]$ sudo yum install epel-release
[sudo] password for tutorial:
base                                                     | 3.6 kB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/7/x86_64/primary_db                                | 3.8 MB   00:03
Loading mirror speeds from cached hostfile
 * base: mirror.lax.hugeserver.com
 * extras: mirror.lax.hugeserver.com
 * updates: mirror.sigmanet.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
 Package                             Arch                          Version                           Repository                     Size
=====================================================================================================================================
Installing:
 epel-release                        noarch                        7-9                               extras                         14 k

Transaction Summary
=====================================================================================================================================
Install  1 Package

Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-9.noarch.rpm                                                                                   |  14 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-9.noarch                                                                                           1/1
  Verifying  : epel-release-7-9.noarch                                                                                           1/1

Installed:
  epel-release.noarch 0:7-9

Complete!

Once the new package is added, let's check whether all available OS updates are installed.

sudo yum check-update

If the output indicates there are updates available and the packages listed look acceptable to you, then proceed to update the system.

sudo yum update

Now we can install fail2ban-firewalld by running sudo yum install fail2ban-firewalld. The output returned should be similar to the following:

[tutorial@centos ~]$ sudo yum install fail2ban-firewalld
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.lax.hugeserver.com
 * epel: mirror.sfo12.us.leaseweb.net
 * extras: mirror.lax.hugeserver.com
 * updates: mirror.sigmanet.com
Resolving Dependencies
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.6-3.el7 will be installed
--> Processing Dependency: fail2ban-server = 0.9.6-3.el7 for package: fail2ban-firewalld-0.9.6-3.el7.noarch
--> Running transaction check
---> Package fail2ban-server.noarch 0:0.9.6-3.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.6-3.el7.noarch
--> Running transaction check
---> Package systemd-python.x86_64 0:219-30.el7_3.7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
 Package                               Arch                      Version                            Repository                  Size
=====================================================================================================================================
Installing:
 fail2ban-firewalld                    noarch                    0.9.6-3.el7                        epel                        11 k
Installing for dependencies:
 fail2ban-server                       noarch                    0.9.6-3.el7                        epel                       286 k
 systemd-python                        x86_64                    219-30.el7_3.7                     updates                    109 k

Transaction Summary
=====================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 407 k
Installed size: 1.1 M
Is this ok [y/d/N]:

Answer with y to accept the proposed package list and continue:

Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-firewalld-0.9.6-3.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-firewalld-0.9.6-3.el7.noarch.rpm is not installed
(1/3): fail2ban-firewalld-0.9.6-3.el7.noarch.rpm                                                              |  11 kB  00:00:00
(2/3): fail2ban-server-0.9.6-3.el7.noarch.rpm                                                                 | 286 kB  00:00:00
(3/3): systemd-python-219-30.el7_3.7.x86_64.rpm                                                               | 109 kB  00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                310 kB/s | 407 kB  00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-9.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y

Answer with y to accept the GPG key and continue:

Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : systemd-python-219-30.el7_3.7.x86_64                                                                              1/3
  Installing : fail2ban-server-0.9.6-3.el7.noarch                                                                                2/3
  Installing : fail2ban-firewalld-0.9.6-3.el7.noarch                                                                             3/3
  Verifying  : fail2ban-server-0.9.6-3.el7.noarch                                                                                1/3
  Verifying  : fail2ban-firewalld-0.9.6-3.el7.noarch                                                                             2/3
  Verifying  : systemd-python-219-30.el7_3.7.x86_64                                                                              3/3

Installed:
  fail2ban-firewalld.noarch 0:0.9.6-3.el7

Dependency Installed:
  fail2ban-server.noarch 0:0.9.6-3.el7                             systemd-python.x86_64 0:219-30.el7_3.7

Complete!

Now we have fail2ban installed.

Configure

The configuration files for fail2ban are stored in /etc/fail2ban/. Package updates overwrite the shipped .conf files, so to avoid losing our changes when fail2ban is updated, let's put our local settings in a jail_ssh.local file in that directory instead. Open a new text file /etc/fail2ban/jail_ssh.local using an editor you are comfortable with.

[tutorial@centos fail2ban]$ sudo vi /etc/fail2ban/jail_ssh.local
[sudo] password for tutorial:

Paste the following two lines into the file and save it.

[sshd]
enabled = true

Start up the fail2ban.service using systemctl.

[tutorial@centos fail2ban]$ sudo systemctl start fail2ban.service

If you want to have it start on boot, then run the same command substituting enable for start.

[tutorial@centos fail2ban]$ sudo systemctl enable fail2ban.service

Fail2ban is now running on our system.

Verify

We can utilize firewall-cmd to verify that a firewall rule is now in place to block these attempts.

[tutorial@centos fail2ban]$ sudo firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

As shown, we now have an ipset called fail2ban-sshd, which will be populated with the IP addresses that are generating failed login attempts.

We can take a look at the current contents of that list using ipset.

[tutorial@centos fail2ban]$ sudo ipset list fail2ban-sshd
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16656
References: 1
Members:
186.61.255.155 timeout 336
116.31.116.37 timeout 569

We can see that there are now two IP addresses being blocked, along with the remaining timeout (in seconds) until each is removed from the list.
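As an added example, not taken from the tutorial, here is a small POSIX sh helper that ties the Configure and Verify steps together: it renders a fuller jail_ssh.local than the two-line one above, with an ignoreip exemption so the administrator's own address is never banned, and it parses the ipset and firewall-cmd output shown in the Verify section so the ban list can be fed to monitoring. The 203.0.113.10 address and the maxretry/findtime thresholds are placeholders to adjust for your environment.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: (1) render a fuller
# jail_ssh.local with an ignoreip entry so the admin's own address is never
# banned, and (2) parse the ipset / firewall-cmd output from the Verify
# section. The parsers read stdin so they can be exercised on sample text.

# Print a jail_ssh.local body. $1 is the admin address/CIDR to exempt
# (placeholder; use your own). Thresholds are illustrative; the 600 s
# bantime matches the default visible in the ipset header above.
render_jail_local() {
    cat <<EOF
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 600
bantime  = 600
ignoreip = 127.0.0.1/8 $1
EOF
}

# Print "IP seconds_remaining" for every member of an "ipset list" dump,
# soonest-to-expire first.
banned_members() {
    awk '/^Members:/ { in_members = 1; next }
         in_members && $2 == "timeout" { print $1, $3 }' | sort -k2,2n
}

# Succeed only if a firewall-cmd direct-rule dump on stdin contains the
# REJECT rule keyed on the fail2ban-sshd set.
has_fail2ban_rule() {
    grep -q -- '--match-set fail2ban-sshd src -j REJECT'
}

# Constructed sample, copied from the tutorial's ipset output above.
SAMPLE_IPSET='Name: fail2ban-sshd
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Members:
186.61.255.155 timeout 336
116.31.116.37 timeout 569'

# Live check, only when both tools exist and we are root (e.g. under sudo).
if command -v ipset >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1 \
   && [ "$(id -u)" -eq 0 ]; then
    firewall-cmd --direct --get-all-rules | has_fail2ban_rule \
        || echo "WARNING: fail2ban-sshd REJECT rule missing" >&2
    ipset list fail2ban-sshd | banned_members
fi
```

To install the rendered jail, run render_jail_local with your own address and redirect the output to /etc/fail2ban/jail_ssh.local, then restart fail2ban.service.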

Summary

This was a very brief introduction to getting fail2ban in place to help protect a server against brute-force SSH access attempts. Keep an eye out for additional tutorials regarding the configuration and use of this tool. You may also find more information on the Fail2ban website.