Fail2ban

Posted on Jul 4, 2024

Installation

sudo yum update
sudo yum install -y fail2ban

Configuration

  • /etc/fail2ban/fail2ban.conf - main daemon config file
  • /etc/fail2ban/jail.conf - contains settings for protecting services, including SSH

Keep a copy of the stock jail.conf before changing anything:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.orig

Put the SSH jail overrides in /etc/fail2ban/jail.d/sshd.local:

[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
# maxretry should be the same as MaxAuthTries in /etc/ssh/sshd_config file
maxretry = 3
bantime = 600

Restart the service to load the new jail:

sudo systemctl restart fail2ban
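The comment in the jail file says maxretry should match MaxAuthTries in sshd_config. The following is an added example (not part of the original post and not a fail2ban tool) that reads both settings and reports whether they agree; SAMPLE_JAIL and SAMPLE_SSHD_CONFIG are constructed stand-ins for /etc/fail2ban/jail.d/sshd.local and /etc/ssh/sshd_config, and the function names are mine.

```python
"""Compare the sshd jail's maxretry with sshd's MaxAuthTries.

Added example, not part of the original post. The two sample texts below are
constructed; on a real host read /etc/fail2ban/jail.d/sshd.local and
/etc/ssh/sshd_config and pass their contents to check_maxretry().
"""
import configparser
import re

# Constructed copy of the jail file shown above
SAMPLE_JAIL = """\
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
# maxretry should be the same as MaxAuthTries in /etc/ssh/sshd_config file
maxretry = 3
bantime = 600
"""

# Constructed fragment of /etc/ssh/sshd_config
SAMPLE_SSHD_CONFIG = """\
# Example sshd_config
Port 22
MaxAuthTries 6
PermitRootLogin no
"""

# OpenSSH falls back to 6 when MaxAuthTries is not set at all
SSHD_DEFAULT_MAX_AUTH_TRIES = 6


def jail_maxretry(jail_text, jail="sshd"):
    """Return maxretry from the given jail section, or None if it is not set."""
    # fail2ban jail files are INI-style; interpolation is disabled because
    # real jail files contain %(name)s references that configparser would choke on
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(jail_text)
    if not parser.has_section(jail):
        return None
    value = parser.get(jail, "maxretry", fallback=None)
    return int(value) if value is not None else None


def sshd_max_auth_tries(sshd_text):
    """Return MaxAuthTries from sshd_config text.

    sshd keeps the first value it sees for a keyword, so the scan stops at the
    first match. Match blocks are not handled here; this reads the global value.
    """
    for line in sshd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)MaxAuthTries\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return SSHD_DEFAULT_MAX_AUTH_TRIES


def check_maxretry(jail_text, sshd_text):
    """Return (maxretry, MaxAuthTries, whether they are equal)."""
    maxretry = jail_maxretry(jail_text)
    tries = sshd_max_auth_tries(sshd_text)
    return maxretry, tries, maxretry == tries


if __name__ == "__main__":
    retry, tries, ok = check_maxretry(SAMPLE_JAIL, SAMPLE_SSHD_CONFIG)
    print(f"maxretry={retry} MaxAuthTries={tries} match={ok}")
```

With the constructed inputs the jail allows 3 failures while sshd allows 6 attempts per connection, so the check reports a mismatch; on a host you would run it against the real files after editing either one.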

Brute force attack

Checking how fail2ban works.

hydra -l user -P passwords.txt -f ssh://IP -V

Keep an eye on what’s going on.

sudo tail -f /var/log/fail2ban.log
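Watching the log by hand works for a single test, but it helps to have something that reduces the log to per-IP counts and the set of addresses banned at the moment (the same numbers fail2ban-client status sshd reports). This is an added example, not fail2ban's own tooling; LOG_LINES are constructed to mimic the Found/Ban/Unban lines fail2ban writes to /var/log/fail2ban.log, and the function names are mine. On a host, pass the real file's lines to summarise() instead.

```python
"""Summarise fail2ban.log: Found/Ban/Unban counts per IP and who is banned now.

Added example, not part of the original post. LOG_LINES below are constructed
in the shape of /var/log/fail2ban.log entries; replace them with
open("/var/log/fail2ban.log") on a real host.
"""
import re
from collections import defaultdict

# Constructed sample log: three failures from one address lead to a ban,
# a second address fails once, then the first address is unbanned
LOG_LINES = """\
2024-07-04 10:00:01,101 fail2ban.filter         [812]: INFO    [sshd] Found 192.168.0.100 - 2024-07-04 10:00:01
2024-07-04 10:00:02,205 fail2ban.filter         [812]: INFO    [sshd] Found 192.168.0.100 - 2024-07-04 10:00:02
2024-07-04 10:00:03,310 fail2ban.filter         [812]: INFO    [sshd] Found 192.168.0.100 - 2024-07-04 10:00:03
2024-07-04 10:00:03,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.168.0.100
2024-07-04 10:05:00,007 fail2ban.filter         [812]: INFO    [sshd] Found 10.0.0.7 - 2024-07-04 10:05:00
2024-07-04 10:10:03,500 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.168.0.100
""".splitlines()

# timestamp, component, pid, level, jail, event, ip; other lines are ignored
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<component>\w+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<event>Found|Ban|Unban|Restore Ban) (?P<ip>\S+)"
)


def parse_line(line):
    """Return the fields of a Found/Ban/Unban line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines, jail="sshd"):
    """Count events per IP for one jail and replay bans/unbans in order.

    "Restore Ban" is what fail2ban logs when it reinstates a ban from its
    database after a restart, so it is treated like "Ban".
    """
    counts = defaultdict(lambda: {"found": 0, "ban": 0, "unban": 0})
    banned = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["jail"] != jail:
            continue
        ip = ev["ip"]
        if ev["event"] == "Found":
            counts[ip]["found"] += 1
        elif ev["event"] in ("Ban", "Restore Ban"):
            counts[ip]["ban"] += 1
            banned.add(ip)
        elif ev["event"] == "Unban":
            counts[ip]["unban"] += 1
            banned.discard(ip)
    return {"per_ip": dict(counts), "currently_banned": sorted(banned)}


if __name__ == "__main__":
    report = summarise(LOG_LINES)
    for ip, c in report["per_ip"].items():
        print(f"{ip:16} found={c['found']} ban={c['ban']} unban={c['unban']}")
    print("currently banned:", report["currently_banned"])
```

Run over the whole sample, 192.168.0.100 shows 3 failures, 1 ban and 1 unban and is no longer banned; cut the input after the Ban line and it appears in currently_banned, which is the transition the two status outputs below capture.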

Show banned IP address

sudo fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:

sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     16
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.0.100

After bantime expires:

sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     19
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

Ban/Unban IP address

fail2ban-client set <JAIL-NAME> banip <IP-ADDRESS>

fail2ban-client set <JAIL-NAME> unbanip <IP-ADDRESS>