Installing fail2ban to Protect Rocky Linux from SSH Attacks
Chances are pretty good that you use Secure Shell (SSH) to access your instances of Rocky Linux. You might access those servers from within your LAN or from outside the confines of your network. Either way, SSH is the most likely means of connecting remotely.
Fail2ban watches the authentication log for repeated failures and, through the firewall, bans the source addresses that produce them, so brute-force and password-spraying attempts against your Rocky Linux servers stop at the network edge. It should be one of the first packages you install on a new deployment.
Let's get fail2ban installed and configured, so you can rest assured Rocky Linux is better protected from nefarious SSH connections.
What you'll need
To install fail2ban on Rocky Linux, you'll need a running/updated instance of the OS and a user with sudo privileges. That's it. Let's get this security system up and running.
Enable firewalld
The first thing to do is enable firewalld, because that is the mechanism fail2ban uses to apply its bans on Rocky Linux. If you are connected over SSH, make sure the ssh service is allowed in firewalld's active zone before you turn the firewall on (it is in the default public zone), or enabling it will cut off your own session. Log into Rocky Linux and start/enable firewalld with:
sudo systemctl enable --now firewalld
You can verify firewalld is running with:
systemctl status firewalld
You should see the service listed as active (running), so it's good to go.
Install fail2ban
Because fail2ban isn't in Rocky Linux's default repositories, you'll have to add the EPEL repository with the command:
sudo dnf install epel-release -y
Once this completes, install fail2ban with:
sudo dnf install fail2ban -y
The above command will pick up the required dependencies, such as fail2ban-firewalld and fail2ban-selinux. With the installation complete, start and enable the fail2ban service with:
sudo systemctl enable --now fail2ban
Configure fail2ban
It's time to configure fail2ban. Never edit jail.conf directly: a package update replaces it, and fail2ban reads jail.local afterwards, so settings in jail.local take precedence and survive upgrades. First, copy the jail.conf file to jail.local with the command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Next, open the new file for editing with the command:
sudo nano /etc/fail2ban/jail.local
The first thing to do is change some default values. In the [DEFAULT] section, which every jail inherits from, look for the following entries:
bantime = 10m
findtime = 10m
Change those entries to:
bantime = 1h
findtime = 1h
bantime is how long a banned host stays banned, and findtime is the window in which a host's failed authentication attempts are counted: a host is banned once it accumulates maxretry failures (5 in the shipped defaults) inside one findtime window. Widening findtime to an hour catches slower guessers that spread their attempts out.
Save and close the file.
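To make the interaction of findtime, maxretry and bantime concrete, here is an added example (not fail2ban's own code) that replays a handful of constructed journal lines through a small model of one jail. The log lines, the host name "rocky", the addresses 192.168.1.10 (an admin workstation) and 203.0.113.7 (a slow guesser) are all made up for the example; 192.168.1.62 is the address from the article's sample output. The regex is a simplification of one pattern in fail2ban's sshd filter, not the filter itself.

```python
"""Replay sshd log lines through a model of one fail2ban jail.

Added example for this article, not fail2ban's own code. It reproduces the
part of fail2ban that the jail settings control: a failure counter per source
address over a sliding findtime window, a ban once maxretry failures land
inside that window, and expiry of the ban after bantime.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One pattern in the spirit of fail2ban's filter.d/sshd.conf. The real filter
# matches many more message shapes; this is enough for the constructed log below.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed log lines: ISO timestamp, then the journal message. 192.168.1.62 is
# the article's test machine, 192.168.1.10 stands in for the admin workstation,
# and 203.0.113.7 is a slow guesser that spaces its attempts out.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 rocky sshd[1021]: Failed password for root from 192.168.1.62 port 51234 ssh2",
    "2024-05-01T10:00:05 rocky sshd[1021]: Failed password for root from 192.168.1.62 port 51234 ssh2",
    "2024-05-01T10:00:09 rocky sshd[1021]: Failed password for root from 192.168.1.62 port 51234 ssh2",
    "2024-05-01T10:00:15 rocky sshd[1025]: Failed password for invalid user admin from 192.168.1.62 port 51240 ssh2",
    "2024-05-01T10:01:00 rocky sshd[1030]: Failed password for invalid user oracle from 203.0.113.7 port 40001 ssh2",
    "2024-05-01T10:30:00 rocky sshd[1040]: Failed password for jack from 192.168.1.10 port 60022 ssh2",
    "2024-05-01T10:30:04 rocky sshd[1040]: Accepted publickey for jack from 192.168.1.10 port 60022 ssh2",
    "2024-05-01T12:00:00 rocky sshd[1050]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2",
    "2024-05-01T12:00:30 rocky sshd[1050]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2",
    "2024-05-02T10:00:10 rocky sshd[2001]: Failed password for root from 192.168.1.62 port 52000 ssh2",
]


def parse_time(value):
    """Parse a fail2ban-style duration: bare seconds or a number with s/m/h/d."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))


class Jail:
    def __init__(self, findtime="10m", bantime="10m", maxretry=5, ignoreip=()):
        self.findtime = parse_time(findtime)
        self.bantime = parse_time(bantime)
        self.maxretry = maxretry
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # ip -> times of failures still inside findtime
        self.bans = {}                      # ip -> time the ban expires
        self.total_banned = 0

    def _expire(self, now):
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]

    def currently_banned(self, when):
        """Addresses whose ban is still in force at ISO time `when`."""
        now = datetime.fromisoformat(when)
        return sorted(ip for ip, until in self.bans.items() if until > now)

    def observe(self, line):
        """Feed one log line. Returns 'ban' when the line triggers a ban, 'fail'
        when it is merely counted, and None when it is not a failure, comes from
        an ignored address, or comes from an address that is already banned."""
        stamp, _, message = line.partition(" ")
        now = datetime.fromisoformat(stamp)
        self._expire(now)
        match = FAILED_RE.search(message)
        if not match:
            return None
        ip = match.group("ip")
        if ip in self.ignoreip or ip in self.bans:
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.total_banned += 1
            window.clear()
            return "ban"
        return "fail"


def replay(lines, **settings):
    """Run every line through a fresh jail; return (jail, per-line decisions)."""
    jail = Jail(**settings)
    return jail, [jail.observe(line) for line in lines]


if __name__ == "__main__":
    jail, decisions = replay(SAMPLE_LOG, findtime="1h", bantime="1d", maxretry=3,
                             ignoreip=("192.168.1.10",))
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{str(decision):5} {line}")
    print("banned at 2024-05-01T10:05:00:", jail.currently_banned("2024-05-01T10:05:00"))
```

Run with the article's settings (findtime 1h, maxretry 3, bantime 1d), the burst from 192.168.1.62 is banned on its third failure and the fourth line is never counted, while 203.0.113.7 is never banned because its three attempts straddle two findtime windows; with the shipped defaults (findtime 10m, maxretry 5) nobody in the sample is banned at all. To check the real filter against your own system, run fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf and compare its match counts with what the jail reports.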
The fail2ban-firewalld package ships /etc/fail2ban/jail.d/00-firewalld.conf, which tells fail2ban to apply bans with firewall-cmd instead of iptables. Fail2ban reads both .conf and .local files in jail.d, with .local taking precedence, so give the file a .local name to keep a package update from replacing it:
sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Restart fail2ban with:
sudo systemctl restart fail2ban
Create your first jail
One crucial aspect of fail2ban is the jail: a filter that recognizes failures in a particular service's log, paired with an action that bans the offending address. Above, we changed the defaults that every jail inherits; now we'll enable and tune the jail for the SSH daemon. As before, the goal is to ban an IP address for a set time after a certain number of failed attempts. For this example, you'll create a jail that bans IP addresses for 1 day after 3 failed attempts.
Create the new jail with the command:
sudo nano /etc/fail2ban/jail.d/sshd.local
Paste the following four lines into the new file:
[sshd]
enabled = true
bantime = 1d
maxretry = 3
Save and close the file and then restart fail2ban once again with:
sudo systemctl restart fail2ban
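Putting the steps above together, here is a complete jail.d/sshd.local, added as an example for this article rather than taken from the page or from fail2ban's shipped files. It adds the one setting the procedure above leaves out, ignoreip, so that the host itself and your own workstation can never be banned by a typo. The address 203.0.113.5 is a placeholder: replace it with the address or range you administer from.

```ini
# /etc/fail2ban/jail.d/sshd.local (example file, not from the article)
[DEFAULT]
# Never ban the host itself or the admin workstation. 203.0.113.5 is a
# placeholder; put your own address or network here.
ignoreip = 127.0.0.1/8 ::1 203.0.113.5

[sshd]
enabled  = true
# Three failures from one address within an hour earn it a one-day ban.
findtime = 1h
maxretry = 3
bantime  = 1d
```

Settings under [DEFAULT] in a jail.d file override the same keys in jail.local, and the [sshd] section overrides [DEFAULT] for that jail only, so this single file carries the whole policy for SSH while leaving the other jails on the defaults you set earlier.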
Hop onto another machine on your network and SSH into the Rocky Linux server, typing the wrong password three times. After the third attempt, that machine's IP address will be banned for 1 day. Do this from a machine you can afford to lock out, not from the workstation you administer the server from: if they share an address (or you cannot reach the server any other way), list that address in ignoreip first. Because it's just a test, you can unban the IP address with the command:
sudo fail2ban-client unban ADDRESS
Where ADDRESS is the banned IP address.
You can also view the failure counts and all currently banned IP addresses for the sshd jail with the command:
sudo fail2ban-client status sshd
The output of the above command should look something like this:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     7
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   192.168.1.62
In this case, IP address 192.168.1.62 is currently banned; the Filter section shows how many log lines matched and the Actions section how many bans that produced, so a rising "Total failed" with a flat "Total banned" is the sign that findtime or maxretry is set too loosely.
Congratulations! You've just helped to secure your Rocky Linux server from unwanted SSH connections.