Fail2ban on CentOS 7 to protect SSH – Part I


Fail2ban helps to protect servers from brute-force attacks. On my VPSes it always has 20+ malicious IPs banned from accessing SSH.

Update
For the OpenVZ platform, or other cases where iptables-services must be used, please visit Part II – Fail2ban with iptables-services.

Part I – Fail2ban with FirewallD
  1. Install fail2ban from EPEL repo.
  2. Deal with SELinux; there are two options to choose from.
    • Update SELinux Policy
    • OR Disable SELinux
  3. Configure fail2ban. We use FirewallD, which CentOS 7 ships with by default.
    Put the following lines in /etc/fail2ban/jail.d/sshd.local

    Note 1 : ipset should also be installed beforehand; it is already a dependency of fail2ban.

    Note 2 : Thanks to Scott’s comment below, the action line should be commented out or removed, otherwise fail2ban will fail to start.

  4. Enable and start fail2ban.
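The four steps above as one script, added here as an example; it is not the post's own sshd.local, whose contents are not reproduced on this page. It assumes the jail fragment only needs an [sshd] section with enabled = true plus port, logpath, maxretry and bantime (no action line, per Note 2), and that the "Update SELinux Policy" option means updating the selinux-policy packages. The helper functions run offline; the yum/systemctl part only runs when the script is invoked with --apply on a CentOS 7 host as root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 1-4 as a script.
# Assumptions: jail fragment shape below; SELinux "update policy" =
# updating the selinux-policy packages; SSH_PORT env var selects the port.
set -eu

# Render the /etc/fail2ban/jail.d/sshd.local fragment.
#   $1 = SSH port (number or service name), $2 = maxretry, $3 = bantime in seconds
render_sshd_jail() {
  cat <<EOF
[sshd]
enabled  = true
port     = ${1:-ssh}
logpath  = %(sshd_log)s
maxretry = ${2:-5}
bantime  = ${3:-3600}
EOF
}

# Return 0 if the jail file has no "action =" line (Note 2), 1 otherwise.
jail_is_clean() {
  if grep -Eq '^[[:space:]]*action[[:space:]]*=' "$1"; then
    return 1
  fi
  return 0
}

# Steps 1-4 on a real CentOS 7 host (needs root). Only runs with --apply.
install_and_enable() {
  yum -y install epel-release                            # step 1: EPEL repo
  yum -y install fail2ban                                # pulls in ipset (Note 1)
  yum -y update selinux-policy selinux-policy-targeted   # step 2, "Update SELinux Policy"
  # step 2, alternative "Disable SELinux" (not run here):
  #   setenforce 0 && sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  render_sshd_jail "${SSH_PORT:-ssh}" 5 3600 > /etc/fail2ban/jail.d/sshd.local   # step 3
  jail_is_clean /etc/fail2ban/jail.d/sshd.local          # refuse to start with an action line
  systemctl enable fail2ban && systemctl start fail2ban  # step 4
  fail2ban-client status sshd   # jail status and currently banned IPs
  ipset list                    # the blacklist set fail2ban created via firewalld
}

if [ "${1:-}" = "--apply" ]; then
  install_and_enable
fi
```

After the service is up, `fail2ban-client status sshd` and `ipset list` are the two quick checks that the jail is running and that bans actually land in an ipset managed through firewalld; if SELinux is enforcing and the policy was not updated, the first place to look is the AVC denials in /var/log/audit/audit.log.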


Sep 3, 2015 @ 00:00

24 thoughts on “Fail2ban on CentOS 7 to protect SSH – Part I”

  1. Hi,

    On CentOS 7 with firewalld, that above config does not work for me. ipset is installed.

    2014-11-13 10:01:21,961 fail2ban.server.actions[18797]: ERROR Failed to start jail ‘sshd’ action ‘firewallcmd-ipset’: Error starting action

    Just add:

    enabled = true

    …in the [sshd] section of jail.conf or a copy of jail.conf -> /etc/fail2ban/jail.local

    Cheers,

    1. Hi Scott,

      Thanks for pointing out the issue.

      I have just checked that the action line is indeed no longer needed and should be removed.

      I also updated the post to address this.

      Cheers

  2. Thanks for the article. I tried your config with iptables and fail2ban failed to start. I removed the logpath and it now works. Just my experience.

  3. trying to get it to work with firewallcmd-ipset – but looks like you’re forcing fail2ban to use iptables.

    can you tell me why?

    1. Hello,

      No, the post presents two sshd.local files, the first for FirewallD and the second for iptables-services. I have rewritten the post to make it clearer.

      If you tried to get it work with FirewallD, you don’t need to explicitly set the action line to use firewallcmd-ipset.

      Just make sure FirewallD and fail2ban start properly. You can also type ipset list to check the blacklist set by fail2ban.

      Mostly the difficulty lies in SELinux.

      Cheers

  4. Thanks for this! I couldn’t figure out why remote ssh attempts weren’t getting blocked on CentOS 7 when it worked out of the box on CentOS 6. Saved me a lot of time and headaches trying to figure it out.

  5. Using IPtables and a different port than the standard 22 for ssh, do we have to put in the port number in this line?
    action = iptables[name=SSH, port=ssh, protocol=tcp]

  6. Hi,

    please help.

    I have i log file:

    10.2.20.220 – testusername [07/May/2015:16:20:46 +0200] “GET /phpmyadmin/ HTTP/1.1” 401 1486 “-” “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36”

    How I can create filter for this?

    TY for your help

    1. Hi,

      You might just need a WAF. If you want to ban these IPs via fail2ban, you should use regex to filter out those hosts from given logs and create corresponding config files for fail2ban.

      Cheers
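What the reply above describes, as an added example that is not part of the original post or of the reply: a fail2ban filter whose failregex matches 401 responses on /phpmyadmin/ in an Apache access log, together with a jail fragment and an offline check of the regex. The filter and jail name "phpmyadmin-auth" and the log path /var/log/httpd/access_log are assumptions; the sample log lines are constructed (straight quotes, as Apache writes them, rather than the typographic quotes in the comment).

```shell
#!/usr/bin/env bash
# Added example (not from the original post or reply): a fail2ban filter for
# 401s against /phpmyadmin/, with an offline check that needs only grep.
# Assumptions: filter/jail name "phpmyadmin-auth" and the access log path are
# hypothetical; SAMPLE_LOG is constructed.
set -eu

SAMPLE_LOG='10.2.20.220 - testusername [07/May/2015:16:20:46 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 1486 "-" "Mozilla/5.0"
10.2.20.221 - - [07/May/2015:16:21:02 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.2.20.222 - - [07/May/2015:16:21:10 +0200] "GET /index.html HTTP/1.1" 401 300 "-" "curl/7.29"'

# failregex as fail2ban expects it: <HOST> is fail2ban's placeholder for the
# client address. Only a 401 on the /phpmyadmin/ path counts as a failure.
FAILREGEX='^<HOST> - \S+ \[[^]]+\] "(GET|POST) /phpmyadmin/\S* HTTP/[0-9.]+" 401 '

# Contents for /etc/fail2ban/filter.d/phpmyadmin-auth.local (hypothetical name).
render_filter() {
  printf '[Definition]\nfailregex = %s\nignoreregex =\n' "$FAILREGEX"
}

# Contents for /etc/fail2ban/jail.d/phpmyadmin-auth.local (hypothetical; log path assumed).
render_jail() {
  cat <<EOF
[phpmyadmin-auth]
enabled  = true
port     = http,https
filter   = phpmyadmin-auth
logpath  = /var/log/httpd/access_log
maxretry = 5
bantime  = 3600
EOF
}

# Offline check without fail2ban: swap <HOST> for an IPv4 pattern and run grep -E.
# $1 = log text; prints one client address per matching line.
matching_hosts() {
  re=$(printf '%s' "$FAILREGEX" | sed 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/')
  printf '%s\n' "$1" | { grep -E "$re" || true; } | cut -d' ' -f1
}

# On the server, the same check with fail2ban's own tool:
#   fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/phpmyadmin-auth.local
matching_hosts "$SAMPLE_LOG"
```

Of the three constructed lines only the first is a failure: the second is a successful 200 on the same path and the third is a 401 on an unrelated path, so neither should count toward a ban. fail2ban compiles failregex with Python's re module, which is why the check above substitutes its own IPv4 pattern for `<HOST>` before handing the expression to grep.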

  7. I have been attempting to follow your first example, using firewalld.

    I stumbled upon this AFTER starting it thinking that Centos 7 = Ubuntu server, yada yada, noob alert, etc. and found out that iptables doesn’t exist.

    so, I tried to reverse my work, follow your guide, and it fails.

    Give me a tug in the correct direction. Here is my error:
    # systemctl restart fail2ban
    Failed to issue method call: Access denied

    1. Hi,

      I’m sorry but I haven’t tested it on Ubuntu. Since I do not know your Ubuntu version I am not sure whether it utilizes systemd or not.

      And could you provide more details on what steps have been taken before and after realizing it?

      I guess for Debian based distributions, apt-get install fail2ban is just enough.

      I hope it helps.

  8. Thanks for the writeup, I could not set up Fail2Ban with firewalld, so I just disabled it and installed iptables. It works better anyway :-).

  9. Thanks for this article.

    I've been looking for a quick and detailed solution for installing fail2ban on CentOS 7 and so far I seem to be all set up and working 🙂

    Thanks.

  10. I’ve configured the files as outlined above, but am not seeing any detections or bans in the /var/log/fail2ban.log file. I’ve got:

    – CentOS 7.2
    – Firewalld is running
    – Configuration exactly as outlined above.
    – I do, however, have Virtualmin installed, but have not configured it with fail2ban

    /var/log/fail2ban.log says:

    fail2ban.jail . . . Jail ‘sshd’ started

    I can still repeatedly fail ssh attempts to the server and those attempts do not show up in the log file.

    1. I’m running into the same issue.
      – CentOS7.2
      – firewalld is running, fail2ban is running
      – selinux is disabled
      – running SSH on non-standard port 9022

      Here’s my jail.local file:
      [DEFAULT]
      action = %(action_mwl)s
      backend = auto
      # bantime = 28 days
      bantime = 2419200
      destemail = to@ser.ver
      # findtime = 1 day
      findtime = 86400
      maxretry = 3
      sender = from@ser.ver

      [sshd]
      enabled = true
      port = 9022
      logpath = %(sshd_log)s

      When running

      fail2ban-regex --print-all-missed /var/log/secure /etc/fail2ban/filter.d/sshd.conf

      there’s a bunch of hits, yet /var/log/fail2ban.log has a final entry of

      fail2ban.jail [19830]: INFO Jail ‘sshd’ started
