Install fail2ban + firewall in CentOS 8 to prevent SSH brute force cracking

To prevent online hackers from brutally cracking system accounts Using SSH, first prohibit key accounts such as root rem...

To prevent online hackers from brutally cracking system accounts Using SSH, first prohibit key accounts such as root remote login. But that alone is not enough. Hackers' non-stop login attempts to the system also have a certain impact on the system performance and bandwidth, especially when the bandwidth you subscribe to is poor. In this case, we need to find a way to shield this malicious IP address. Fail2ban is a good tool. Combined with the firewall of CentOS, it can protect a variety of ports and protocols, and the setting is relatively simple.

1. Check whether firewall is enabled

firewall-cmd --state

If displayed

running

Indicates that the firewall is working. If not, start the firewall:

Start firewalld

systemctl start firewalld

Set startup

systemctl enable firewalld.service

After firewall is enabled, all port connections will be prohibited. Therefore, be sure to release common ports to avoid being blocked. The following is an example of releasing SSH ports (22) for reference:

Release port 22

firewall-cmd --zone=public --add-port=80/tcp --permanent

Overload configuration

firewall-cmd --reload

View released ports

firewall-cmd --zone=public --list-ports

2. Install fail2ban

The CentOS built-in source does not contain fail2ban. You need to install the epel source first

yum -y install epel-release

Install fial2ban

yum -y install fail2ban-firewalld

3. Configuration rules

After successful installation, the fail2ban configuration file is located in / etc/fail2ban, where jail.conf is the main configuration file, and the relevant matching rules are located in jail.d directory. According to the instructions of fail2ban, we should create the sshd.local file in this directory and write our rules into it, but I tried and it didn't work. I don't know what the problem is.

We use another method to configure the rules, directly create a jail.local under the fail2ban home directory, and write the following contents:

[DEFAULT] bantime = 1y findtime = 600 maxretry = 3 [sshd] enabled = true filter = sshd port = 22

Parameter Description:

bantime: the shielded time, in seconds s, minutes m, hours h, days d, months mo, years y

findtime: time range

Maxregistry: maximum number of times

[sshd]: name

Filter: the name of the rule. The rule in the filter.d directory must be filled in. sshd is the built-in rule of fail2ban

Port: the corresponding port

4. Start fail2ban service

systemctl start fail2ban

If started before:

systemctl restart fail2ban

Check whether the service starts normally:

systemctl status fail2ban

You should see something like this:

● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2021-10-20 02:11:54 CDT; 3h 7min ago Docs: man:fail2ban(1) Process: 159783 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 159932 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 159935 (fail2ban-server) Tasks: 5 (limit: 11091) Memory: 15.8M CGroup: /system.slice/fail2ban.service └─159935 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start Oct 20 02:11:54 yourdomain.com systemd[1]: Starting Fail2Ban Service... Oct 20 02:11:54 yourdomain.com systemd[1]: Started Fail2Ban Service. Oct 20 02:11:54 yourdomain.com fail2ban-server[159935]: Server ready

If you see Active: active (running), it indicates that the startup is normal.

● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-10-20 02:09:52 CDT; 7s ago Docs: man:fail2ban(1) Process: 159783 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 159901 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255) Process: 159899 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 159901 (code=exited, status=255) Oct 20 02:09:52 yourdomain.com systemd[1]: Starting Fail2Ban Service... Oct 20 02:09:52 yourdomain.com systemd[1]: Started Fail2Ban Service. Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.configreader [159901]: ERROR Found no accessible config files for 'action.d> Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.jailreader [159901]: ERROR Unable to read action 'sendmail-whois-lines' Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,614 fail2ban.jailsreader [159901]: ERROR Errors in jail 'sshd'. Skipping... Oct 20 02:09:52 yourdomain.com fail2ban-server[159901]: 2021-10-20 02:09:52,625 fail2ban [159901]: ERROR Async configuration of server failed Oct 20 02:09:52 yourdomain.com systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/n/a Oct 20 02:09:52 yourdomain.com systemd[1]: fail2ban.service: Failed with result 'exit-code'.

Seeing the above information indicates a startup error. You need to check the configuration file jail.local.

If the startup is normal, use the following command to view the status of fail2ban service to SSH:

fail2ban-client status sshd

You should see information like the following:

Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 90 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 19 |- Total banned: 19 `- Banned IP list: 61.177.173.7 222.186.42.13 221.181.185.159 221.131.165.33 95.182.201.129 ......

This means that you have 19 IP addresses, and fail2ban is set successfully.

27 October 2021, 22:08 | Views: 5293

Add new comment

For adding a comment, please log in
or create account

0 comments