CIQ

Installing fail2ban to Protect Rocky Linux from SSH Attacks

July 20, 2023

Chances are pretty good that you use Secure Shell (SSH) to access your instances of Rocky Linux. You might access those servers from within your LAN or from outside the confines of your network. Either way, SSH is the most likely means of connecting remotely. 

Fail2ban watches the authentication log for repeated failed logins and, once a source address trips the limit, tells the firewall to block it for a set time. It should be considered one of the first pieces of software you install on new deployments.

Let's get fail2ban installed and configured, so you can rest assured Rocky Linux is better protected from nefarious SSH connections.

What you'll need 

To install fail2ban on Rocky Linux, you'll need a running/updated instance of the OS and a user with sudo privileges. That's it. Let's get this security system up and running.

Enable firewalld

The first thing to do is enable the firewall. Fail2ban does not block anything itself; it hands ban rules to the firewall, and on Rocky Linux the fail2ban-firewalld package configures it to do that through firewalld, so firewalld must be running before a ban can take effect. Log into Rocky Linux and start/enable firewalld with:

sudo systemctl enable --now firewalld

You can verify firewalld is running with:

systemctl status firewalld

You should see the service listed as active (running), so it's good to go.

Install fail2ban

Because fail2ban isn't found in the standard repositories, you'll have to add the EPEL repository with the command:

sudo dnf install epel-release -y

Once this completes, install fail2ban with:

sudo dnf install fail2ban -y

The above command will pick up the required dependencies, such as fail2ban-firewalld and fail2ban-selinux. With the installation complete, start and enable the fail2ban service with:

sudo systemctl enable --now fail2ban

Configure fail2ban

It's time to configure fail2ban. First, copy the jail.conf file and rename it jail.local with the command (fail2ban's own advice is a jail.local that holds only your overrides; a full copy works too, but because it restates every default it also overrides anything set in jail.d/*.conf, which is why a later step renames the firewalld file):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Next, open the new file for editing with the command:

sudo nano /etc/fail2ban/jail.local

The first thing to do is change some default variables. Look for the following entries:

bantime = 10m
findtime = 10m

Change those entries to:

bantime = 1h
findtime = 1h

bantime is how long a host stays banned once it trips the limit, and findtime is the window in which maxretry failed authentications must occur to trigger a ban. With the values above, a host that fails maxretry times within one hour is banned for one hour.

Save and close the file.

Make sure fail2ban still bans through firewalld. Fail2ban reads its jail configuration in this order, with later files overriding earlier ones: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local. The fail2ban-firewalld package ships jail.d/00-firewalld.conf, which sets banaction to firewallcmd-rich-rules in [DEFAULT], but the full copy of jail.conf you just made as jail.local is read after it and resets banaction to iptables-multiport. Renaming the file to .local moves it to the end of the read order so the firewalld setting wins again:

sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

Restart fail2ban with:

sudo systemctl restart fail2ban
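The rename above only makes sense once you see how fail2ban resolves the same setting across several files. The following script, an added example that is not from the article or the fail2ban project, builds a throwaway config tree with constructed stand-ins for jail.conf, jail.local and jail.d/00-firewalld.conf (trimmed to the lines that matter), resolves the [DEFAULT] banaction in fail2ban's documented read order, and shows which value wins before and after the rename. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example: simulate fail2ban's jail configuration precedence to show why
# jail.d/00-firewalld.conf must become 00-firewalld.local when jail.local is a
# full copy of jail.conf. Read order, later files win:
#   jail.conf, jail.d/*.conf, jail.local, jail.d/*.local

# Print the [DEFAULT] banaction that survives after all files are read.
effective_banaction() {
  dir=$1
  winner=""
  for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
    [ -f "$f" ] || continue
    # Only a banaction line inside the [DEFAULT] section counts here;
    # per-jail overrides (e.g. in [recidive]) are deliberately ignored.
    v=$(awk '/^\[/ { sec = $0 }
             sec == "[DEFAULT]" && /^banaction[ \t]*=/ {
               sub(/^banaction[ \t]*=[ \t]*/, ""); val = $0
             }
             END { print val }' "$f")
    if [ -n "$v" ]; then winner=$v; fi
  done
  printf '%s\n' "$winner"
}

# Build a temporary config tree mirroring the tutorial's state before the rename.
# The file contents are constructed stand-ins, not the real EPEL files.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/jail.d"
  cat >"$dir/jail.conf" <<'EOF'
[DEFAULT]
bantime = 10m
findtime = 10m
banaction = iptables-multiport

[sshd]
port = ssh
EOF
  # What fail2ban-firewalld installs
  cat >"$dir/jail.d/00-firewalld.conf" <<'EOF'
[DEFAULT]
banaction = firewallcmd-rich-rules
EOF
  # The tutorial's "cp jail.conf jail.local"
  cp "$dir/jail.conf" "$dir/jail.local"
  printf '%s\n' "$dir"
}

# The fix from the article: make the firewalld file load after jail.local.
rename_firewalld_override() {
  mv "$1/jail.d/00-firewalld.conf" "$1/jail.d/00-firewalld.local"
}

demo() {
  d=$(make_fixture)
  printf 'before rename: banaction = %s\n' "$(effective_banaction "$d")"
  rename_firewalld_override "$d"
  printf 'after rename:  banaction = %s\n' "$(effective_banaction "$d")"
  rm -rf "$d"
}

demo
```

Before the rename the resolver reports iptables-multiport, because jail.local is read after jail.d/00-firewalld.conf; after it, firewallcmd-rich-rules, because jail.d/*.local is read last. If you instead keep jail.local to only the settings you change, the rename is unnecessary, since a minimal jail.local never touches banaction.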

Create your first jail

One crucial aspect of fail2ban is the jail: a filter that defines which log lines count as a failure, paired with an action that bans the source address. Above we changed the [DEFAULT] values that every jail inherits; now we'll enable the jail for the SSH daemon, which jail.conf defines but leaves disabled. As with the defaults, we'll ban an address for a set time after a set number of failed attempts. For this example, you'll create a jail that bans IP addresses for 1 day after 3 failed attempts.

Create the new jail with the command:

sudo nano /etc/fail2ban/jail.d/sshd.local

Paste the following four lines into the new file:

[sshd]
enabled = true
bantime = 1d
maxretry = 3

Save and close the file and then restart fail2ban once again with:

sudo systemctl restart fail2ban

Hop onto another machine on your network, SSH into the Rocky Linux server, and type the wrong password three times. After the third failure within the findtime window, that machine's IP address is banned for 1 day. Run the test from a host you can afford to lose access from, or add your own management address to ignoreip in jail.local first, so you don't lock yourself out. Because it's just a test, you can unban the IP address with the command:

sudo fail2ban-client unban ADDRESS

Where ADDRESS is the banned IP address.

You can also view all banned IP addresses for the sshd jail with the command:

sudo fail2ban-client status sshd

The output of the above command should look something like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 7
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 192.168.1.62

In this case, IP address 192.168.1.62 has been banned. To confirm the ban actually reached the firewall and not just fail2ban's own state, check that the rich rule it added for that address shows up in the output of sudo firewall-cmd --list-rich-rules.
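The status output above is what you would feed to monitoring, for instance to alert when an address from your own management range gets banned. The following shell functions, an added example that is not part of the article or the fail2ban project, parse that output into a list of banned addresses and a ban count, and check whether a given address is on the list. The sample status text is constructed to match the shape of the output shown above, with a second address added, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: parse `fail2ban-client status <jail>` output in shell so the
# banned-IP list can be consumed by a monitoring check or a lockout guard.

# Constructed sample, shaped like the output shown in the article (real output
# separates label and value with a tab, which the parser also accepts).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 7
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned: 3
   `- Banned IP list: 192.168.1.62 10.0.0.9'

# banned_ips STATUS_TEXT: print the banned addresses, one per line.
banned_ips() {
  printf '%s\n' "$1" | awk '
    /Banned IP list:/ {
      sub(/^.*Banned IP list:[ \t]*/, "")
      n = split($0, a, /[ \t]+/)
      for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
    }'
}

# currently_banned STATUS_TEXT: print the "Currently banned" counter as a number.
currently_banned() {
  printf '%s\n' "$1" | awk '
    /Currently banned:/ { sub(/^.*Currently banned:[ \t]*/, ""); print $0 + 0 }'
}

# is_banned ADDRESS STATUS_TEXT: exit 0 when ADDRESS is in the banned list.
is_banned() {
  banned_ips "$2" | grep -qxF -- "$1"
}

# trusted_banned TRUSTED_ADDRESS STATUS_TEXT: print a warning and exit 1 when an
# address you rely on (e.g. your bastion) has been banned; this is the case
# that ignoreip in jail.local is meant to prevent.
trusted_banned() {
  if is_banned "$1" "$2"; then
    printf 'WARNING: trusted address %s is banned; add it to ignoreip\n' "$1" >&2
    return 1
  fi
  return 0
}

# Demo against the constructed sample. For a live system replace SAMPLE_STATUS
# with "$(sudo fail2ban-client status sshd)".
printf 'currently banned: %s\n' "$(currently_banned "$SAMPLE_STATUS")"
banned_ips "$SAMPLE_STATUS"
trusted_banned 192.168.1.1 "$SAMPLE_STATUS" || true
```

Running this on a real host in a cron job or a monitoring agent gives you an early warning when fail2ban bans something it shouldn't, such as a jump host or a scanner you operate, before the ban expires on its own.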

Congratulations! You've just helped secure your Rocky Linux server against brute-force SSH logins. Keep in mind that fail2ban only slows attackers down by banning addresses after the fact; it is a complement to, not a replacement for, key-based authentication and disabling password logins in sshd_config.
