CentOS Server Security | Using Fail2Ban to protect against brute force attacks
Piloting a CentOS web server through today’s world of cyber obstacles can be fun and exciting as well as extremely stressful. If you’re going to be successful at this, having the right tools and defenses is paramount. Today I will introduce one of the most effective services/daemons you will need to protect against brute force attacks.
Protect SSH login using Fail2Ban
As a webmaster you should frequently review your server logs. On CentOS, your server logs are located in /var/log/. Here you can access a variety of logs, including your web server (Apache) logs. Apache’s logs can be found inside “/var/log/httpd”, but be warned that they can be quite enormous, which can make finding things a bit difficult at times. One thing you will typically notice from reviewing your logs is that there is always someone or something (a bot) trying to log on to your server. Exploiting FTP and SSH are common tactics for invading and seizing servers. If you have not already done so, please take the necessary steps to protect against suspicious logins. Using Fail2Ban to protect against brute force attacks via SSH is an essential step in securing your CentOS web server.
Installing and Configuring Fail2Ban
Fail2Ban is a tiny service that helps mitigate brute force attacks by creating firewall-style rules that respond to suspicious login attempts without intervention from you. Using Fail2Ban we can set up rules for accessing various other services on our Linux web server such as SSH, MySQL, etc. Installing Fail2Ban is easy; simply run:
# add repo if not in centos default repos
sudo yum install epel-release
# install the service
sudo yum install fail2ban
# enable at startup
sudo systemctl enable fail2ban
Config settings for Fail2Ban can be found in /etc/fail2ban/jail.conf. Review and tweak as you see fit, and ensure that you add your IP address(es) to the whitelist (the ignoreip setting) to prevent Fail2Ban from defending against your own mishaps. Next, open the /etc/fail2ban/jail.local file and add the following rules:
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
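To see what the sshd jail is doing behind the scenes, here is an added shell example (not from the original post and not Fail2Ban’s own code) that counts failed SSH password attempts per source IP over constructed /var/log/secure-style lines and reports every source at or above a maxretry-style threshold; SAMPLE_LOG and bruteforce_sources are names chosen for this example, and the findtime window is left out.

```shell
#!/bin/sh
# Added example: the core of what Fail2Ban's sshd jail does, counting
# "Failed password" lines per source IP and flagging sources that reach
# the retry limit. The log lines below are constructed samples, not
# captured from a real host (the format matches sshd entries in /var/log/secure).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar  3 10:01:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Mar  3 10:01:12 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Mar  3 10:01:15 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40126 ssh2
Mar  3 10:02:30 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.4 port 50110 ssh2
Mar  3 10:03:41 web1 sshd[2112]: Failed password for deploy from 198.51.100.4 port 50111 ssh2
Mar  3 10:03:50 web1 sshd[2112]: Accepted password for deploy from 198.51.100.4 port 50111 ssh2
EOF
)

# Read log lines on stdin and print "count ip" for every source with at
# least $1 failed password attempts (the equivalent of Fail2Ban's maxretry,
# default 5 here). Sorted by count, highest first.
bruteforce_sources() {
    maxretry="${1:-5}"
    awk -v limit="$maxretry" '
        # only sshd failures count; "Accepted ..." lines are ignored
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Usage: which sources in the sample log would hit a maxretry of 5?
printf '%s\n' "$SAMPLE_LOG" | bruteforce_sources 5
```

Running it prints only 203.0.113.7 with 5 failures; the single failure from 198.51.100.4 stays below the limit, which is exactly the distinction that keeps a mistyped password from banning a legitimate admin.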
Finally, restart the service using:
sudo systemctl restart fail2ban
Accessing Fail2Ban’s ban list
Review Fail2Ban’s blacklist using these commands:
# Check if an IP address is blocked
sudo iptables -n -L
# unban an ip (the jail is named sshd, matching the [sshd] section above)
sudo fail2ban-client set sshd unbanip 10.xx.15x.12x
# check that the service is running
sudo fail2ban-client status
# more detailed information about a specific jail
sudo fail2ban-client status sshd