CentOS Fail2ban

Fail2ban is a tool which helps you block IP addresses that attempt to brute force their way into your server. When an external IP repeatedly fails to authenticate against SSH on port 22, fail2ban bans that IP for a period of time by adding an iptables rule.

Unfortunately fail2ban isn't part of the default CentOS repositories, so we need to add the EPEL repository and install it from there. The installation varies depending on whether you're using CentOS 6 or 7.

CentOS 6

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban

CentOS 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
yum install fail2ban

Default Behaviour

The default behaviour is for fail2ban to ban anyone who has repeatedly failed to log in to the server via SSH on the default port of 22. Whilst this is intended to secure your server, there may be an instance where you have mis-typed your password or forgotten it, and you end up banning yourself.

We can put our own IP into the ignore list. This is a list of IP addresses which won't be banned regardless of the number of failed attempts. This assumes that you have a static IP; it wouldn't work if you have an IP address which constantly changes.

This can be changed in the [DEFAULT] section of the jail configuration (note that a package upgrade can overwrite jail.conf, so it is worth putting your overrides in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf):

nano /etc/fail2ban/jail.conf

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

There are other settings too. "maxretry" is the number of times you can try to enter the password before you get banned; this is set to 3 by default, which means you would need to get the password correct within 3 tries.

Then there is "bantime": if an IP has tried to access your server 3 times unsuccessfully, that IP address will be banned for 600 seconds (10 minutes). After 10 minutes the ban is lifted and they can try again for another 3 attempts.

Another interesting setting is "findtime". This is the window, in seconds, within which fail2ban counts the failed attempts from an IP: only "maxretry" failures inside the last "findtime" seconds trigger a ban. Normally this time should match the "bantime".

Who has been banned

You can check who has been banned by listing the iptables rules; fail2ban keeps the banned addresses in its own chain, which appears in the output (you can also run "fail2ban-client status" to see which jails are active):

iptables -L