Fail2Ban

How to Protect SSH with Fail2Ban on CentOS 8

In the age of increasing cyber threats, safeguarding your server is paramount. One of the most common entry points for attackers is the Secure Shell (SSH) protocol, primarily used for remote server management. Fortunately, tools like Fail2Ban can significantly enhance your server’s security by protecting SSH from brute-force attacks. In this blog post, we’ll walk you through the process of installing and configuring Fail2Ban on CentOS 8 to secure your SSH access.

What is Fail2Ban?

Fail2Ban is an intrusion prevention software framework that scans log files for malicious activity, such as repeated failed login attempts. Once it identifies a potential attack, Fail2Ban can automatically ban the offending IP address by updating the firewall rules. This proactive measure helps to fortify your SSH service against brute-force attacks and unauthorized access.

Step-by-Step Guide to Protect SSH with Fail2Ban on CentOS 8

Step 1: Update Your System

Before installing any new software, it’s best practice to ensure your system is up-to-date. Open your terminal and execute the following command:

sudo dnf update

Step 2: Install Fail2Ban

Fail2Ban is included in the EPEL (Extra Packages for Enterprise Linux) repository. Therefore, the first step is to enable the EPEL repository:

sudo dnf install epel-release

Now, install Fail2Ban:

sudo dnf install fail2ban

Step 3: Start and Enable Fail2Ban

Once installed, you need to start the Fail2Ban service and ensure it runs at boot time:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Step 4: Configure Fail2Ban

The default configuration file is located at /etc/fail2ban/jail.conf. However, it’s advisable to put your own settings in a local copy so that they are not overwritten when the package is updated. Run the following command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, open the jail.local file for editing:

sudo nano /etc/fail2ban/jail.local

Step 5: Configure SSH Protection

Within the jail.local file, locate the [sshd] section. Here, you can specify the parameters for protecting SSH:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 5
bantime = 3600

  • enabled: Set to true to activate protection for SSH.
  • port: Usually set to ssh (port 22). Adjust if you’re using a different custom port.
  • filter: Selects the sshd filter, which holds the patterns that identify failed SSH logins in the log.
  • logpath: Specifies the log file that records SSH authentication attempts (/var/log/secure on CentOS).
  • maxretry: Defines the number of failed login attempts before an IP is banned (5 attempts in this case).
  • bantime: Sets the duration (in seconds) that an IP will be banned (3600 seconds = 1 hour).
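To see how the maxretry and bantime values above are actually applied, here is an added Python simulation of the jail’s decision logic; it is not code from this post or from Fail2Ban itself. It assumes a findtime window of 600 seconds (Fail2Ban’s default, not mentioned above), a simplified version of the sshd filter’s "Failed password" pattern, and constructed /var/log/secure lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified "Failed password" pattern as found in /var/log/secure (constructed, not Fail2Ban's regex)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so they can be compared
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def bans_for(lines, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: ban expiry} for IPs reaching maxretry failures within findtime seconds."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue              # unrelated lines never count; banned IPs are already blocked
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = t + timedelta(seconds=bantime)
    return bans

# Constructed sample: one brute-force burst, one user failing twice, one slow attacker 15 min apart
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar 10 08:00:09 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar 10 08:00:17 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar 10 08:00:25 web01 sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51152 ssh2
Mar 10 08:00:33 web01 sshd[1209]: Failed password for root from 203.0.113.5 port 51160 ssh2
Mar 10 08:01:00 web01 sshd[1220]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 10 08:02:00 web01 sshd[1222]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
Mar 10 08:02:20 web01 sshd[1224]: Failed password for deploy from 198.51.100.7 port 40012 ssh2
Mar 10 08:10:00 web01 sshd[1230]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar 10 08:25:00 web01 sshd[1232]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar 10 08:40:00 web01 sshd[1234]: Failed password for root from 192.0.2.9 port 60004 ssh2
Mar 10 08:55:00 web01 sshd[1236]: Failed password for root from 192.0.2.9 port 60006 ssh2
Mar 10 09:10:00 web01 sshd[1238]: Failed password for root from 192.0.2.9 port 60008 ssh2
"""

if __name__ == "__main__":
    print(bans_for(SAMPLE_LOG.splitlines()))  # {'203.0.113.5': datetime.datetime(2024, 3, 10, 9, 0, 33)}
```

Note that the slow attacker with five failures spread over an hour is never banned: the count only builds within the findtime window, which is why findtime and maxretry should be tuned together.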

Step 6: Restart Fail2Ban

For the changes to take effect, restart the Fail2Ban service:

sudo systemctl restart fail2ban

Step 7: Monitor Fail2Ban

Fail2Ban logs its actions, which can be very useful in assessing the effectiveness of your configuration. You can view the Fail2Ban log file:

sudo tail -f /var/log/fail2ban.log

You can also check the status of the Fail2Ban jail for SSH:

sudo fail2ban-client status sshd

This command will provide information about the currently banned IP addresses and the number of failed attempts.

Conclusion

Securing your SSH access is essential, especially on a public-facing server. By implementing Fail2Ban on CentOS 8, you significantly reduce the risk of unauthorized access due to brute-force attacks. Regularly monitoring Fail2Ban logs and updating configurations as needed will further enhance your server’s security.

Thank you for reading our blog on securing SSH with Fail2Ban on CentOS 8. Stay safe out there, and remember that prevention is always better than cure when it comes to cybersecurity!