This tutorial shows a minimal Fail2Ban setup for protecting SSH on CentOS 7 (without e-mail notifications).
Preparation
    # install epel-release
    $ yum install -y epel-release && yum -y update

    # install fail2ban packages
    $ yum install -y fail2ban fail2ban-systemd

    # update selinux-policies (if SELinux); the glob is quoted so the shell passes it to yum unexpanded
    $ yum update -y 'selinux-policy*'
Configuration
    # change directory
    $ cd /etc

    # check content of 00-systemd.conf
    $ cat fail2ban/jail.d/00-systemd.conf
    ...
    [DEFAULT]
    backend=systemd
    ...

    # create custom default configuration
    $ cp -p fail2ban/jail.conf fail2ban/jail.local

    # edit custom default configuration
    $ vim fail2ban/jail.local
    ...
    [DEFAULT]
    ignoreip = 127.0.0.1/8
    bantime = 3600
    maxretry = 3
    ...

    # create custom sshd configuration
    $ vim fail2ban/jail.d/sshd.local
    ...
    [sshd]
    enabled = true
    port = ssh
    logpath = %(sshd_log)s
    ...
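What `ignoreip`, `maxretry` and `bantime` do to a stream of failed logins, as an added example that is not part of the original tutorial and not Fail2Ban's own code. Assumptions: a `findtime` of 600 seconds (the page does not set it), a simplified regex in place of the real sshd filter, a hypothetical `simulate` helper, and constructed log lines.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IGNOREIP = ipaddress.ip_network("127.0.0.1/8", strict=False)
BANTIME, MAXRETRY = 3600, 3  # with ignoreip, the tutorial's jail.local values
FINDTIME = 600  # assumption: the page does not set findtime

# Simplified stand-in for the sshd filter (assumption, not Fail2Ban's failregex)
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from ([0-9a-fA-F:.]+) port \d+")

# Constructed sample in /var/log/secure format, documentation IP ranges
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  4 10:00:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  4 10:00:09 host sshd[2105]: Failed password for root from 127.0.0.1 port 51000 ssh2
Mar  4 10:00:10 host sshd[2106]: Failed password for root from 127.0.0.1 port 51002 ssh2
Mar  4 10:00:11 host sshd[2107]: Failed password for root from 127.0.0.1 port 51004 ssh2
Mar  4 10:00:12 host sshd[2109]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  4 10:01:00 host sshd[2110]: Failed password for bob from 198.51.100.9 port 3301 ssh2
Mar  4 10:08:00 host sshd[2111]: Failed password for bob from 198.51.100.9 port 3302 ssh2
Mar  4 10:12:00 host sshd[2112]: Failed password for bob from 198.51.100.9 port 3303 ssh2
"""

def simulate(log_text, year=2024):
    """Return [(ip, banned_from, banned_until)] for the settings above."""
    failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if ip in IGNOREIP:
            continue  # ignoreip: never counted
        if ts < banned_until.get(ip, datetime.min):
            continue  # still banned, the firewall would drop this attempt
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # failure aged out of findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((str(ip), ts, banned_until[ip]))
            window.clear()
    return bans
```

`simulate(SAMPLE_LOG)` bans only 203.0.113.7: the three loopback failures fall under `ignoreip`, and the failures from 198.51.100.9 are spread over more than the assumed `findtime`, so they never reach `maxretry` inside one window.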
Ready for startup
    # enable fail2ban
    $ systemctl enable fail2ban

    # start fail2ban
    $ systemctl start fail2ban
Check status
    # check status (optional)
    $ systemctl status fail2ban

    # tail fail2ban logfile (optional)
    $ tail -f /var/log/fail2ban.log

    # tail secure logfile (optional)
    $ tail -f /var/log/secure

    # check iptables
    $ iptables -L -n

    # check status of jails
    $ fail2ban-client status

    # check status of sshd jail
    $ fail2ban-client status sshd
Example
    $ fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 347
    |  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned: 56
       `- Banned IP list: 185.110.132.202

    $ whois 185.110.132.202
    ...
    person: Karamurzov Barasbi
    abuse-mailbox: abusemail@openstack.net.ua
    address: Belize, BE, Kolmo ave 11, apt 901
    ...