October 29, 2019 94 Views 0 Comment

CentOS Server Security | Using Fail2Ban to protect against brute force attacks

SHARE THIS ARTICLE

Piloting a CentOS web Server through today’s world of cyber obstacles can be both fun and exciting as well as extremely stressful. If your going to be successful at this then having the right tools and defenses are paramount to success. Today, I will introduce one of the most effective services/daemon that you will need to protect against brute force attacks.

Protect SSH login using Fail2Ban

As a webmaster you should frequently review your server logs. On CentOs, your server logs are located at: /var/log/. Here you can access a variety of logs including your web-server (apache) logs. Apache’s logs can be found inside “/var/log/httpd” but be warned it can be quite enormous…making finding stuff a bit difficult at times. A typical thing you may notice from reviewing your logs is that there’s always someone or something (bot) trying to logon to your server. Exploiting FTP and SSH are common tactics for invading and seizing servers. If you have not already done so, please take the necessary steps to protect against suspicious logins. Using Fail2Ban to protect against brute force attacks via SSH is an essential step in securing your CentOS web server.

Installing and Configuring Fail2Ban

Fail2Ban is a tiny service that assists in mitigating against brute force attacks by creating rules similar to firewall rules that respond to suspicious login attempts without intervention from you. Using Fail2Ban we can setup rules for accessing various other services on our Linux web server such as SSH, MySql, etc… Installing Fail2Ban is easy, simply run:


# add repo if not in centos default repos
sudo yum install epel-release

# install the service 
sudo yum install fail2ban

# enable at startup
sudo systemctl enable fail2ban

 

Config settings for Fail2Ban can be found at /etc/fail2ban/jail.conf. Review and tweak as you see fit, ensure that you add your ip address(es) to the white list to prevent Fail2Ban from defending against your own mishaps. Next open the /etc/fail2ban/jail.local file and add the following rules:


[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

 

Finally, restart the service using:


sudo systemctl restart fail2ban

 

Accessing Fail2Ban’s ban list

Review Fail2Ban’s blacklist using these commands:


# Check if IP address is blocked
iptables -n -L

# unban an ip
fail2ban-client set ssh unbanip 10.xx.15x.12x

# check that the service is running
sudo fail2ban-client status

# more detailed information about a specific jail
sudo fail2ban-client status sshd

 

Once completed take a look at CentOS Server Security | Steps to Configuring SELinux