To stop attackers from brute-forcing system accounts over SSH, the first step is to disable remote login for privileged accounts such as root. That alone is not enough, though: the non-stop login attempts still cost system performance and bandwidth, especially when the bandwidth you subscribe to is small. So we need a way to block these malicious IP addresses, and Fail2ban is a good tool for this. Combined with the CentOS firewall (firewalld), it can protect a variety of ports and protocols, and the setup is relatively simple.
1. Check whether the firewall is enabled
firewall-cmd --state
If it displays
running
the firewall is working. If not, start the firewall:
Start firewalld
systemctl start firewalld
Set it to start at boot
systemctl enable firewalld.service
After the firewall is enabled, all port connections are blocked, so be sure to open the ports you rely on to avoid locking yourself out. The following example opens the SSH port (22):
Open port 22
firewall-cmd --zone=public --add-port=22/tcp --permanent
Reload the configuration
firewall-cmd --reload
View the opened ports
firewall-cmd --zone=public --list-ports
2. Install fail2ban
The built-in CentOS repository does not contain fail2ban, so install the EPEL repository first
yum -y install epel-release
Install fail2ban (the firewalld integration package)
yum -y install fail2ban-firewalld
3. Configure the rules
After installation, the fail2ban configuration files are located in /etc/fail2ban, where jail.conf is the main configuration file and the matching rules live in the jail.d directory. According to the fail2ban instructions, we should create an sshd.local file in this directory and write our rules into it, but I tried and it didn't work. I don't know what the problem is.
We use another method to configure the rules: create jail.local directly under the fail2ban home directory and write the following contents:
[DEFAULT]
bantime = 1y
findtime = 600
maxretry = 3

[sshd]
enabled = true
filter = sshd
port = 22
Parameter description:
bantime: how long an IP is blocked; units are seconds (s), minutes (m), hours (h), days (d), months (mo), years (y)
findtime: the time window within which failed attempts are counted
maxretry: the maximum number of failed attempts allowed within findtime before the IP is banned
[sshd]: the jail name
filter: the name of the filter to use; it must correspond to a rule file in the filter.d directory. sshd is fail2ban's built-in filter
port: the corresponding port
4. Start the fail2ban service
systemctl start fail2ban
If it was started before:
systemctl restart fail2ban
Check whether the service started normally:
systemctl status fail2ban
You should see something like this:
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-10-20 02:11:54 CDT; 3h 7min ago
     Docs: man:fail2ban(1)
  Process: 159783 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 159932 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 159935 (fail2ban-server)
    Tasks: 5 (limit: 11091)
   Memory: 15.8M
   CGroup: /system.slice/fail2ban.service
           └─159935 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Oct 20 02:11:54 yourdomain.com systemd[1]: Starting Fail2Ban Service...
Oct 20 02:11:54 yourdomain.com systemd[1]: Started Fail2Ban Service.
Oct 20 02:11:54 yourdomain.com fail2ban-server[159935]: Server ready
If you see Active: active (running), the service started normally. If instead the output looks like this:
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2021-10-20 02:09:52 CDT; 7s ago
     Docs: man:fail2ban(1)
  Process: 159783 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 159901 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255)
  Process: 159899 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 159901 (code=exited, status=255)

Oct 20 02:09:52 yourdomain.com systemd[1]: Starting Fail2Ban Service...
Oct 20 02:09:52 yourdomain.com systemd[1]: Started Fail2Ban Service.
Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.configreader [159901]: ERROR Found no accessible config files for 'action.d>
Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.jailreader [159901]: ERROR Unable to read action 'sendmail-whois-lines'
Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.jailsreader [159901]: ERROR Errors in jail 'sshd'. Skipping...
Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,625 fail2ban [159901]: ERROR Async configuration of server failed
Oct 20 02:09:52 yourdomain.com systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/n/a
Oct 20 02:09:52 yourdomain.com systemd[1]: fail2ban.service: Failed with result 'exit-code'.
then the service failed to start; the log lines name the jail and the action it could not read, so check the configuration file jail.local.
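The following script is an added example, not part of the original article: it writes the jail.local shown above into a fail2ban configuration directory, converts the bantime/findtime values to seconds so you can see what "1y" really means, and runs a pre-check before you restart the service, so that a jail referring to a filter that has no file in filter.d is reported before it turns into a startup error. The function names are our own, and the only assumption about fail2ban itself is that it counts a month as 30 days and a year as 365 days.

```shell
#!/bin/sh
# Added example (not from the original article): generate jail.local and
# pre-check it before (re)starting fail2ban. Function names are our own.

# Write jail.local into the config directory $1 (normally /etc/fail2ban).
# Optional arguments: bantime, findtime, maxretry, ssh port.
write_jail_local() {
  dir=$1; bantime=${2:-1y}; findtime=${3:-600}; maxretry=${4:-3}; port=${5:-22}
  cat > "$dir/jail.local" <<EOF
[DEFAULT]
bantime  = $bantime
findtime = $findtime
maxretry = $maxretry

[sshd]
enabled = true
filter  = sshd
port    = $port
EOF
}

# Convert a fail2ban duration ("600", "10m", "1y") to seconds so the
# configured values can be sanity-checked. Longer suffixes are matched
# first so that "1mo" is not mistaken for minutes.
to_seconds() {
  v=$1
  case "$v" in
    *mo) echo $(( ${v%mo} * 2592000 )) ;;   # 30-day month (assumed)
    *y)  echo $(( ${v%y} * 31536000 )) ;;   # 365-day year (assumed)
    *w)  echo $(( ${v%w} * 604800 )) ;;
    *d)  echo $(( ${v%d} * 86400 )) ;;
    *h)  echo $(( ${v%h} * 3600 )) ;;
    *m)  echo $(( ${v%m} * 60 )) ;;
    *s)  echo $(( ${v%s} )) ;;
    *)   echo $(( v )) ;;                    # bare number = seconds
  esac
}

# Pre-check: jail.local must exist, every "filter = NAME" must have a
# filter.d/NAME.conf (or NAME.local), and at least one jail must be enabled.
# Prints each problem and returns 1. This catches the class of mistake that
# otherwise only shows up at startup as "Errors in jail 'sshd'. Skipping...".
check_jail_local() {
  dir=$1; rc=0
  [ -f "$dir/jail.local" ] || { echo "missing $dir/jail.local"; return 1; }
  for f in $(sed -n 's/^[[:space:]]*filter[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$dir/jail.local"); do
    [ -f "$dir/filter.d/$f.conf" ] || [ -f "$dir/filter.d/$f.local" ] \
      || { echo "filter '$f' has no file in $dir/filter.d"; rc=1; }
  done
  grep -q '^enabled[[:space:]]*=[[:space:]]*true' "$dir/jail.local" \
    || { echo "no enabled jail in $dir/jail.local"; rc=1; }
  return $rc
}

# Driver: "sh fail2ban-preflight.sh /etc/fail2ban" writes jail.local if it is
# missing and checks it; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then
  [ -f "$1/jail.local" ] || write_jail_local "$1"
  check_jail_local "$1" && echo "jail.local OK (bantime 1y = $(to_seconds 1y) s); now run: systemctl restart fail2ban"
fi
```

Run it with the configuration directory as its only argument; a non-zero exit means the file needs attention before `systemctl restart fail2ban`, and the message tells you which filter name does not resolve.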
If the startup is normal, use the following command to view the status of the fail2ban jail for SSH:
fail2ban-client status sshd
You should see information like the following:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     90
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 19
   |- Total banned:     19
   `- Banned IP list:   61.177.173.7 222.186.42.13 221.181.185.159 221.131.165.33 95.182.201.129 ......
This shows that 19 IP addresses are currently banned, so fail2ban is set up and working.
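A ban listed by fail2ban-client is only useful if the firewall is actually enforcing it. The script below is an added example, not part of the original article: it parses the status output shown above and reports any banned IP that has no matching firewalld rule. It assumes that the fail2ban-firewalld package bans through firewalld rich rules, so each ban appears as a line containing source address="<ip>" in the output of firewall-cmd --list-rich-rules; the function names and the sample data (documentation addresses) are our own.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that every IP
# "fail2ban-client status sshd" reports as banned is blocked by firewalld.
# Assumption: bans are firewalld rich rules with source address="<ip>".

# Print the IPv4 addresses after "Banned IP list:", one per line.
banned_ips() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' \
    | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Print the number after "Currently banned:".
banned_count() {
  sed -n 's/.*Currently banned:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# $1 = status output, $2 = rich-rule output. Prints every banned IP that has
# no matching rich rule and returns 1 if there is any: fail2ban recorded a
# ban that the firewall is not enforcing.
unenforced_bans() {
  rc=0
  for ip in $(printf '%s\n' "$1" | banned_ips); do
    printf '%s\n' "$2" | grep -qF "source address=\"$ip\"" \
      || { echo "$ip"; rc=1; }
  done
  return $rc
}

# Constructed sample output: three bans recorded, only two rich rules present.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     90
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   203.0.113.5 198.51.100.7 192.0.2.9'
SAMPLE_RULES='rule family="ipv4" source address="203.0.113.5" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.7" port port="22" protocol="tcp" reject type="icmp-port-unreachable"'

# Offline demo on the sample: prints 192.0.2.9 and returns 1.
demo() { unenforced_bans "$SAMPLE_STATUS" "$SAMPLE_RULES"; }

# On the server, run it against live output instead:
#   unenforced_bans "$(fail2ban-client status sshd)" "$(firewall-cmd --list-rich-rules)"
```

If the check prints an address, the ban exists only in fail2ban's own state; the fail2ban log and the jail's banaction are the places to look for why the firewall rule was not created.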