
As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need is protecting SSH against brute-force attacks. Some security experts recommend moving SSH off port 22/tcp, but in my opinion that is not a good idea: you are just filling one hole by digging a new one. Anyone can run a port scan with Nmap and find the new port.

Because of this, I will give a recipe here. Note that I tested it without the firewalld daemon running.

Unfortunately, the RPM that is shipped with CentOS will not work out of the box. Follow these steps:

  1. Install the EPEL RPM repository
  2. Install fail2ban by typing yum install fail2ban-server fail2ban-systemd fail2ban-mail fail2ban-sendmail fail2ban-firewalld fail2ban
  3. Edit /etc/fail2ban/jail.local so that it contains the following two jail sections (the section headers name the jails; each one references the filter of the same name):

    [sshd]
    enabled = true
    port = 22
    protocol = tcp
    filter = sshd
    backend = systemd
    action = iptables-allports[name=sshd, protocol=all]

    [sshd-ddos]
    enabled = true
    port = 22
    protocol = tcp
    filter = sshd-ddos
    backend = systemd
    action = iptables-allports[name=sshd-ddos, protocol=all]

You are all set. There are other variables you might want to tune, such as the ones controlling the quarantine (ban) time and the number of tries. Read /etc/fail2ban/jail.conf for the defaults and put the new values in jail.local to override them.

CentOS 8 doesn't ship the sshd-ddos filter, so the second jail cannot be used there.

Restart the fail2ban daemon.
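Before restarting, it is worth checking that every enabled jail in jail.local points at a filter that actually exists under filter.d, because fail2ban will refuse to start a jail whose filter file is missing (this is exactly what bites you with sshd-ddos on CentOS 8). The script below is an added example, not part of the original post or of fail2ban itself: `check_jail_filters` parses a jail file and reports `ok` or `missing` per enabled jail, and `make_fixture` builds a constructed test tree that mirrors the recipe above but, like CentOS 8, has no sshd-ddos.conf. The paths are parameters, so on a real host you would pass /etc/fail2ban/jail.local and /etc/fail2ban/filter.d.

```shell
#!/bin/sh
# Added example (not from the original post): verify that each enabled jail in a
# fail2ban jail file has a matching filter.d/<filter>.conf before restarting.

# check_jail_filters JAIL_FILE FILTER_DIR
# Prints "ok <jail> <filter>" or "missing <jail> <filter>" per enabled jail.
# Returns 0 when every enabled jail has its filter file, 1 otherwise.
# Only a per-jail "enabled = true" is honoured; [DEFAULT] is skipped.
check_jail_filters() {
    awk -v dir="$2" '
        BEGIN { bad = 0; section = "" }
        function flush() {
            if (section == "" || section == "DEFAULT" || enabled != "true") return
            # fail2ban uses the jail name when no filter is given; strip any
            # options such as sshd[mode=aggressive] to get the file name
            f = (filter == "") ? section : filter
            sub(/\[.*$/, "", f)
            path = dir "/" f ".conf"
            if ((getline line < path) >= 0) { close(path); print "ok " section " " f }
            else { print "missing " section " " f; bad = 1 }
        }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                     # new [section]
            flush()
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            enabled = ""; filter = ""
            next
        }
        /^[ \t]*enabled[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); enabled = v }
        /^[ \t]*filter[ \t]*=/  { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); filter = v }
        END { flush(); exit bad }
    ' "$1"
}

# make_fixture: constructed sample tree (jail.local from the recipe above plus a
# filter.d that contains sshd.conf but, like CentOS 8, no sshd-ddos.conf).
# Prints the directory it created.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/filter.d"
    : > "$tmp/filter.d/sshd.conf"
    cat > "$tmp/jail.local" <<'EOF'
[sshd]
enabled = true
port = 22
protocol = tcp
filter = sshd
backend = systemd
action = iptables-allports[name=sshd, protocol=all]

[sshd-ddos]
enabled = true
port = 22
protocol = tcp
filter = sshd-ddos
backend = systemd
action = iptables-allports[name=sshd-ddos, protocol=all]
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demo against the constructed fixture.
# Real use: check_jail_filters /etc/fail2ban/jail.local /etc/fail2ban/filter.d
demo_dir=$(make_fixture)
check_jail_filters "$demo_dir/jail.local" "$demo_dir/filter.d" \
    || echo "fix jail.local before restarting fail2ban"
rm -rf "$demo_dir"
```

On the fixture this prints `ok sshd sshd` and `missing sshd-ddos sshd-ddos`, which is the CentOS 8 situation: drop or disable the `[sshd-ddos]` section and the check passes.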

Good Luck!
