Date: 22-02-2107 Tags: fail2ban, linux, centos, linuxsecurity

Protect SSH with fail2ban on CentOS 6

Install EPEL repository

yum install epel-release

Install fail2ban

yum install fail2ban

Create the configuration file and modify the bantime to 24 hours

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

vi /etc/fail2ban/jail.local

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

Activate /var/log/fail2ban.log file

vi /etc/fail2ban/fail2ban.conf

logtarget = /var/log/fail2ban.log

Configure the ssh-iptables jail

vi /etc/fail2ban/jail.d/sshd.local


enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root,]
logpath  = /var/log/secure
maxretry = 5

Test SSH "failregex"

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

/etc/init.d/fail2ban start

Verify the jail

fail2ban-client status

fail2ban-client status ssh-iptables

Verify iptables

iptables -nvL

Manually unban IP

fail2ban-client set ssh-iptables unbanip

Generating reports

  • Check the number of SSH failed attempts: cat /var/log/secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort -k 1,1 | uniq -c
  • How many times an IP has been banned (Top 10): grep "Ban" /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c | sort -rn | head