BIP KB:
How To install Fail2ban "service SSH" on CentOS/RHEL 7

About Fail2Ban Servers do not exist in isolation, and those servers with only the most basic SSH configuration can be vulnerable to brute force attacks. fail2ban provides a way to automatically protect the server from malicious signs. The program works by scanning through log files and reacting to offending actions such as repeated failed login attempts.

Install Repository

Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository: First, you need to enable EPEL repository on your system.

rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Update Once you are in the first thing you need to do is to downloads the package lists from the repositories and “update” them to get information on the newest versions of packages and their dependencies. To do that just type:

yum update

Installing

yum install -y fail2ban

Include service to autostart And enable it to run on system startup

systemctl enable fail2ban.service

Start

To start it just type:

systemctl start fail2ban.service

systemctl status fail2ban.service

Logfile

Once it's started it will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log

Configuration File

Copy the Configuration File

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit jail.local file you copied. Use your favorite text editor like Nano or vi

vi /etc/fail2ban/jail.local

The first section of defaults covers the basic rules it will follow. If you want to set up more nuanced protection for your virtual private server, you can customize the details in each section. You can see the default section below.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

Write your personal IP address into the ignoreip line. You can separate each address with a space. IgnoreIP allows you white list certain IP addresses and make sure that they are not locked out from your VPS. Including your address will guarantee that you do not accidentally ban yourself from your own virtual private server.

The next step is to decide on a bantime, the number of seconds that a host would be blocked from the server if they are found to be in violation of any of the rules. This is especially useful in the case of bots, that once banned, will simply move on to the next target. The default is set for 10 minutes—you may raise this to an hour (or higher) if you like.

Maxretry is the amount of incorrect login attempts that a host may have before they get banned for the length of the ban time.

Findtime refers to the amount of time that a host has to log in. The default setting is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times in the designated 10 minutes, they will be banned.

Configure The ssh-iptables Section In Jail.Local

The SSH details section is just a little further down in the config, and it is already set up and turned on. Although you should not be required to make to make any changes within this section, you can find the details about each line below.

Let's create the configuration file

touch /etc/fail2ban/jail.d/sshd.local

And edit

vi /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
filter = sshd
maxretry = 3
action = firewallcmd-ipset
bantime = 10800

Enabled simply refers to the fact that SSH protection is on. You can turn it off with the word "false".


The filter, set by default to sshd, refers to the config file containing the rules that it uses to find matches. The name is a shortened version of the file extension. For example, sshd refers to the /etc/fail2ban/filter.d/sshd.conf.

The max retry line within the SSH section has the same definition as the default option. However, if you have enabled multiple services and want to have specific values for each one, you can set the new max retry amount for SSH here.

Action describes the steps that fail2ban will take to ban a matching IP address. Just like the filter entry, each action refers to a file within the action.d directory. The default ban action, "firewallcmd-ipse" can be found at /etc/fail2ban/action.d/firewallcmd-ipset.conf.

Bantime is the number of seconds that a host is banned.

Restart

Now restart Fail2ban and firewalld so the new configuration can take effect.

systemctl restart firewalld && systemctl restart fail2ban

Monitoring

Learn IP banned

fail2ban-client status sshd
or
ipset list

Unban IP

fail2ban-client set sshd unbanip 192.168.11.20