CIQ Rocky Linux fail2ban

Chances are pretty good that you use Secure Shell (SSH) to access your instances of Rocky Linux. You might access those servers from within your LAN or from outside the confines of your network. Either way, SSH is the most likely means of connecting remotely. 

Hopefully, you've already taken the initial steps to secure SSH on your Rocky Linux servers, which will go a long way to protecting your servers from unwanted access. There is, however, another step you should take, one that will help protect Rocky Linux from brute-force SSH attacks. That step is installing fail2ban.

Fail2ban prevents unwanted logins by banning suspicious IP addresses from gaining access to your Rocky Linux servers and should be considered one of the first pieces of software you install on new deployments.

Let's get fail2ban installed and configured, so you can rest assured Rocky Linux is better protected from nefarious SSH connections.

What you'll need 

To install fail2ban on Rocky Linux, you'll need a running/updated instance of the OS and a user with sudo privileges. That's it. Let's get this security system up and running.

Enable firewalld

The first thing to do is enable the firewall, since fail2ban applies its bans through firewalld. To do this, log into Rocky Linux and start/enable firewalld with:

sudo systemctl enable --now firewalld

You can verify firewalld is running with:

systemctl status firewalld

You should see the service listed as active (running), which means it's good to go.

Install fail2ban

Because fail2ban isn't found in the standard repositories, you'll have to add the EPEL repository with the command:

sudo dnf install epel-release -y

Once this completes, install fail2ban with:

sudo dnf install fail2ban -y

The above command will pick up the required dependencies, such as fail2ban-firewalld and fail2ban-selinux. With the installation complete, start and enable the fail2ban service with:

sudo systemctl enable --now fail2ban

Configure fail2ban

It's time to configure fail2ban. First, copy the jail.conf file and rename it jail.local with the command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Next, open the new file for editing with the command:

sudo nano /etc/fail2ban/jail.local

The first thing to do is change some default variables. Look for the following entries:

bantime = 10m
findtime = 10m

Change those entries to:

bantime = 1h
findtime = 1h

bantime is how long a suspicious host is banned, and findtime is the window of time in which fail2ban counts repeated failed authentication attempts.

Save and close the file.

Make sure fail2ban works with firewalld by renaming the 00-firewalld.conf file with the command:

sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

Restart fail2ban with:

sudo systemctl restart fail2ban

Create your first jail

One crucial aspect of fail2ban is the jail. Above, we set the general defaults in jail.local; now we'll create a jail specific to the SSH daemon. As we did earlier, we'll configure the system to ban IP addresses for a specific time after a certain number of failed attempts. For this example, you'll create a jail that will ban IP addresses for 1 day after 3 failed attempts.

Create the new jail with the command:

sudo nano /etc/fail2ban/jail.d/sshd.local

Paste the following four lines into the new file:

[sshd]
enabled = true
bantime = 1d
maxretry = 3

Save and close the file and then restart fail2ban once again with:

sudo systemctl restart fail2ban
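Fail2ban reads jail.conf, then jail.local, then jail.d/*.conf, then jail.d/*.local, with later files overriding earlier ones key by key and every jail inheriting the [DEFAULT] section. The following added example (not code from the post or from the fail2ban project) merges constructed copies of the files edited above and reports the settings the sshd jail will actually run with; it also shows why the [sshd] header in jail.d/sshd.local matters, since keys outside a jail section would not reach that jail.

```python
"""Resolve the settings fail2ban will actually use for a jail."""
import configparser
import re

# Constructed sample files, listed in the order fail2ban applies them:
# jail.conf, jail.local, jail.d/*.conf, jail.d/*.local (later layers override
# earlier ones key by key). They mirror the edits made in the post.
CONSTRUCTED_LAYERS = [
    ("jail.conf", "[DEFAULT]\nenabled = false\nbantime = 10m\nfindtime = 10m\n"
                  "maxretry = 5\n\n[sshd]\nport = ssh\n"),
    ("jail.local", "[DEFAULT]\nbantime = 1h\nfindtime = 1h\n"),
    ("jail.d/00-firewalld.local",
     "[DEFAULT]\nbanaction = firewallcmd-rich-rules[actiontype=<multiport>]\n"),
    ("jail.d/sshd.local", "[sshd]\nenabled = true\nbantime = 1d\nmaxretry = 3\n"),
]

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert fail2ban time strings like '10m', '1h' or '1d' to seconds.

    Handles the number+unit form used in the post (and sums '1h30m');
    fail2ban's own parser accepts more spellings than this subset.
    """
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)\s*([smhdw]?)", value))


def effective_jail(layers, jail):
    """Merge the layers and return the jail's effective settings, or None.

    Every jail inherits [DEFAULT]; a key in the jail's own section wins,
    which is why jail.d/sshd.local needs its [sshd] header.
    """
    parser = configparser.ConfigParser(interpolation=None)
    for _name, text in layers:
        parser.read_string(text)  # each read overrides values already set
    if not parser.has_section(jail):
        return None
    settings = dict(parser[jail])  # includes inherited [DEFAULT] keys
    for key in ("bantime", "findtime"):
        settings[key] = parse_time(settings[key])
    settings["maxretry"] = int(settings["maxretry"])
    settings["enabled"] = settings["enabled"].lower() == "true"
    return settings


if __name__ == "__main__":
    for key, value in sorted(effective_jail(CONSTRUCTED_LAYERS, "sshd").items()):
        print(f"{key:10} = {value}")
```

Running it shows bantime resolved to 86400 seconds (1d) from jail.d/sshd.local, findtime to 3600 seconds (1h) from jail.local, and banaction inherited from the firewalld drop-in.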

Hop onto another machine on your network and SSH into the Rocky Linux server, typing the wrong password three times. After the third attempt, the IP address for the machine will be banned for 1 day. Because it's just a test, you can unban the IP address with the command:

sudo fail2ban-client unban ADDRESS

Where ADDRESS is the banned IP address.

You can also view all banned IP addresses for your sshd jail with the command:

sudo fail2ban-client status sshd

The output of the above command should look something like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 7
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list:

In this case, IP address has been banned.

Congratulations! You've just helped to secure your Rocky Linux from unwanted SSH connections. 

CIQ, Inc.
