As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need is SSH protection against brute-force attacks. Some security experts recommend moving SSH off port 22/tcp, but in my opinion that is not a good idea: you are just plugging one hole by opening another. Anyone can run a port scan with Nmap and find the new port.
Because of this, I will give a recipe here. Note that I tested it without the firewalld daemon running.
Unfortunately, the RPM shipped with CentOS will not work out of the box. Put the following two jails in /etc/fail2ban/jail.local:

```ini
[sshd]
enabled = true
port = 22
protocol = tcp
filter = sshd
backend = systemd
action = iptables-allports[name=sshd, protocol=all]

[sshd-ddos]
enabled = true
port = 22
protocol = tcp
filter = sshd-ddos
backend = systemd
action = iptables-allports[name=sshd-ddos, protocol=all]
```
You are all set. There are some other variables you might want to tune, such as the quarantine time (bantime) and the number of tries (maxretry); read /etc/fail2ban/jail.conf and put the new values in jail.local to override them.
Note that CentOS 8 doesn't ship the sshd-ddos filter, so that jail will not start there.
Restart the fail2ban daemon.
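Before restarting, it is worth checking that every enabled jail points at a filter file that actually exists, which is exactly what bites on CentOS 8 with sshd-ddos. The following POSIX shell script is an added example, not part of the original post: it builds a constructed fixture directory (a jail.local with the two jails above and a filter.d holding only sshd.conf) and reports which jails fail2ban would be unable to start.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a jail.local before
# restarting fail2ban. Every enabled jail must reference a filter file under
# filter.d, otherwise fail2ban refuses to start that jail. This is the CentOS 8
# case, where the sshd-ddos jail has no matching filter.

# report_jail: print one "ok"/"missing" line for the jail currently in $jail.
report_jail() {
  [ -n "$jail" ] && [ "$jail" != "DEFAULT" ] && [ "$enabled" = "true" ] || return 0
  f=${filter:-$jail}                       # fail2ban defaults filter to the jail name
  if [ -f "$filter_dir/$f.conf" ] || [ -f "$filter_dir/$f.local" ]; then
    echo "ok      $jail (filter $f)"
  else
    echo "missing $jail (filter $f not found in $filter_dir)"
  fi
}

# check_jails JAIL_FILE FILTER_DIR: walk the INI sections and report each jail.
check_jails() {
  jail_file=$1; filter_dir=$2; jail=""; enabled=""; filter=""
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*|';'*) ;;                                  # blank line or comment
      '['*']') report_jail                              # flush previous jail
               jail=${line#\[}; jail=${jail%\]}; enabled=""; filter="" ;;
      *=*) key=$(printf '%s' "${line%%=*}" | tr -d '[:blank:]')
           val=$(printf '%s' "${line#*=}" | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
           case $key in
             enabled) enabled=$val ;;
             filter)  filter=$val ;;
           esac ;;
    esac
  done < "$jail_file"
  report_jail                                           # flush the last jail
}

# jails_ok JAIL_FILE FILTER_DIR: succeed only when no enabled jail lacks a filter.
jails_ok() { ! check_jails "$1" "$2" | grep -q '^missing'; }

# make_fixture: constructed sample mimicking CentOS 8 (filter.d holds sshd.conf
# but no sshd-ddos.conf) plus the two jails from the post. Prints the directory.
make_fixture() {
  d=$(mktemp -d); mkdir "$d/filter.d"; : > "$d/filter.d/sshd.conf"
  printf '%s\n' '[sshd]' 'enabled = true' 'filter = sshd' 'backend = systemd' \
    '' '[sshd-ddos]' 'enabled = true' 'filter = sshd-ddos' 'backend = systemd' \
    > "$d/jail.local"
  echo "$d"
}
demo=$(make_fixture)
check_jails "$demo/jail.local" "$demo/filter.d"   # sshd ok, sshd-ddos missing
```

On a real box, run it as `check_jails /etc/fail2ban/jail.local /etc/fail2ban/filter.d` and do not restart until nothing is reported as missing.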
Good Luck!