“There are only two types of companies: those that have been hacked and those that will be” Robert Mueller, FBI Director, 2012

A server exposed to the Internet is constantly being probed. Attacks, human or automated, are attempted against it. A nifty piece of software can help you punish those offenders: fail2ban.

Suspicious failed login attempts drew my attention. Spotting them became even easier after I installed a GUI tool like Cockpit.

All aggressive attempts came from IPs located in China. Simply paste some of those IPs into an online geolocator like iplocation.com.

After installing fail2ban and setting a 1h ban, the log looked much better. Then I increased it to 24h.


Excerpt from the Cockpit log view (time, message, source unit; "(x2)" marks a message shown twice):

16:21  jazio : 3 incorrect password attempts ; TTY=unknown ; PWD=/run/user/1001 ; USER=root ;
15:38  error: kex_exchange_identification: read: Connection reset by peer  sshd
15:34  error: maximum authentication attempts exceeded for root from 222.186.180.130 port 63637
14:56  SELinux is preventing php-fpm from name_connect access on the tcp_socket port 443. For complete SELinux messages run: sealert -l 2ab9c6b4-e335-4c11-9c51-e2cdb72ab43c  setroubleshoot
12:56  error: kex_exchange_identification: Connection closed by remote host  sshd  (x2)
12:52  error: maximum authentication attempts exceeded for root from 222.186.31.83 port 57736
12:08  error: maximum authentication attempts exceeded for root from 49.88.112.113 port 30090
11:50  error: kex_exchange_identification: banner line contains invalid characters  sshd
11:49  error: maximum authentication attempts exceeded for root from 222.186.42.137 port 26843
11:11  error: maximum authentication attempts exceeded for root from 222.186.42.213 port 40596
10:39  error: maximum authentication attempts exceeded for root from 222.186.30.76 port 36935
08:51  error: kex_exchange_identification: read: Connection reset by peer  sshd  (x2)
08:50  error: maximum authentication attempts exceeded for root from 222.186.30.35 port 12839
06:03  error: maximum authentication attempts exceeded for root from 49.88.112.113 port 41803
05:48  error: kex_exchange_identification: Connection closed by remote host  sshd
05:03  error: maximum authentication attempts exceeded for root from 222.186.30.57 port 45245
03:19  error: kex_exchange_identification: read: Connection reset by peer  sshd
03:04  error: kex_exchange_identification: Connection closed by remote host  sshd
02:59  error: maximum authentication attempts exceeded for root from 222.186.30.112 port 64627
02:46  error: kex_exchange_identification: Connection closed by remote host  sshd  (x2)
02:28  error: maximum authentication attempts exceeded for root from 222.186.30.35 port 34291
02:07  error: maximum authentication attempts exceeded for root from 222.186.15.62 port 33054
02:04  error: kex_exchange_identification: read: Connection reset by peer  sshd
01:43  Failed to start dnf makecache.  systemd
01:42  error: maximum authentication attempts exceeded for root from 222.186.42.213 port 60628
00:14  error: maximum authentication attempts exceeded for root from 222.186.15.115 port 24250
00:10  error: maximum authentication attempts exceeded for root from 222.186.31.166 port 59026

However I was not happy.

“I really hate when it’s a mess inside.” Me

First action: disable the root account.

CHECKPOINT: Disable root account

sudo nano /etc/ssh/sshd_config
# Refuse direct root logins over SSH
PermitRootLogin no
# Only set this to no once key-based login for your own user works: it refuses every password
PasswordAuthentication no
# After saving, restart the sshd service and keep the current session open until a fresh login succeeds

Now let’s have fail2ban installed. It is an easy install. Obey your distro.

dnf install epel-release
dnf install fail2ban

Copy the configuration to a local file, so that your changes survive the next package update:

cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the configuration file jail.local

vi /etc/fail2ban/jail.local

There, paste the following lines:

[DEFAULT]
# List of addresses that will never be banned (103.1.2.3 stands for your own address)
ignoreip = 127.0.0.1/8 ::1 103.1.2.3

# 3 failures (maxretry) within 300 seconds (findtime) ban the IP for 3600 seconds, i.e. 1h
bantime  = 3600
findtime = 300
maxretry = 3
# the ban action must match the firewall actually in use on the host
banaction = iptables-multiport
# read the sshd messages from the systemd journal
backend = systemd

[sshd]
enabled = true

Please note 3600 means 3600 seconds, a chastisement timebox of 1 hour.

A more detailed explanation

bantime = 24h
findtime  = 300
maxretry = 3

ignoreip: A whitelist of IP addresses that will never be banned. They have a permanent Get Out of Jail Free card. The localhost IP address (127.0.0.1) is in the list by default, along with its IPv6 equivalent (::1).

findtime: The amount of time within which too many failed connection attempts will result in an IP address being banned.

maxretry: The value for “too many failed attempts”.

bantime: The duration for which an IP address is banned. A value with an “m” suffix is minutes, one with an “h” suffix is hours; a bare number is treated as seconds (as in the 3600 above).

For a 1-day ban use bantime = 24h. For a permanent ban use bantime = -1.

Be vigilant: don’t permanently lock yourself out!
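As an added illustration (not code from the post or from fail2ban itself), the following Python script replays the findtime/maxretry/bantime rule of the jail above over constructed journal-style sshd lines, so you can see when an address would be banned, when the ban lifts, and how ignoreip and bantime = -1 change the outcome. FAIL_RE, parse_duration and simulate are names chosen here; the regex only covers the two sshd messages the post shows.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed journal-style sshd lines carrying the two messages the post shows (sample input, not the post's log).
SAMPLE_LOG = """\
2024-03-01T02:00:10 sshd[910]: Failed password for root from 222.186.30.35 port 34291 ssh2
2024-03-01T02:01:05 sshd[911]: Failed password for root from 222.186.30.35 port 34292 ssh2
2024-03-01T02:02:40 sshd[912]: error: maximum authentication attempts exceeded for root from 222.186.30.35 port 34293 ssh2
2024-03-01T02:03:00 sshd[913]: Failed password for root from 222.186.30.35 port 34294 ssh2
2024-03-01T02:10:00 sshd[920]: Failed password for admin from 103.1.2.3 port 50000 ssh2
2024-03-01T02:11:00 sshd[921]: Failed password for admin from 103.1.2.3 port 50001 ssh2
2024-03-01T02:12:00 sshd[922]: Failed password for admin from 103.1.2.3 port 50002 ssh2
2024-03-01T03:20:00 sshd[930]: Failed password for root from 49.88.112.113 port 30090 ssh2
2024-03-01T03:40:00 sshd[931]: Failed password for root from 49.88.112.113 port 30091 ssh2
"""
FAIL_RE = re.compile(          # timestamp and source address of each failed attempt
    r"^(?P<ts>\S+) sshd\[\d+\]: (?:error: )?"
    r"(?:Failed password for|maximum authentication attempts exceeded for) "
    r"\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_duration(value):
    """Plain numbers are seconds; 'm' = minutes, 'h' = hours; -1 = permanent ban."""
    text = str(value)
    if text[-1] in "mh":
        return int(text[:-1]) * (60 if text[-1] == "m" else 3600)
    return int(text)

def simulate(log, findtime=300, maxretry=3, bantime=3600, ignoreip=("127.0.0.1/8", "::1")):
    """Replay the jail rule (maxretry failures inside findtime => ban for bantime); returns [(ip, 'ban'|'unban', datetime)]."""
    window, ban_secs = parse_duration(findtime), parse_duration(bantime)
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent, banned_until, events = {}, {}, []
    for m in filter(None, map(FAIL_RE.match, log.splitlines())):
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        for b, until in list(banned_until.items()):   # lift bans that have expired
            if until is not None and ts >= until:
                del banned_until[b]
                events.append((b, "unban", until))
        if ip in banned_until or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue                                   # still banned, or whitelisted
        hits = [t for t in recent.get(ip, []) if ts - t < timedelta(seconds=window)] + [ts]
        if len(hits) < maxretry:
            recent[ip] = hits
            continue
        recent[ip] = []                                # counter resets once banned
        banned_until[ip] = None if ban_secs < 0 else ts + timedelta(seconds=ban_secs)
        events.append((ip, "ban", ts))
    return events
```

With the post's 3-in-300-seconds rule, 222.186.30.35 is banned on its third failure and 49.88.112.113 never is, because its attempts are 20 minutes apart; adding 103.1.2.3 to ignoreip removes its ban entirely.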

The /etc/fail2ban directory contains several configuration files:

action.d  fail2ban.conf  fail2ban.d  filter.d  jail.conf  jail.d  jail.local  paths-common.conf  paths-fedora.conf

CHECKPOINT: Make sure your firewall is running

systemctl enable firewalld
systemctl start firewalld

Supervise and maintain fail2ban

Enable fail2ban at boot, start it and check its status; after changing jail.local, restart it so the new settings are picked up:

systemctl enable fail2ban
systemctl start fail2ban    # use "restart" instead of "start" after editing jail.local
systemctl status fail2ban

To list the IP addresses that have been banned, issue:

iptables -L -n

or check the status of failed and banned IP addresses:

sudo fail2ban-client status
sudo fail2ban-client status sshd

To remove an IP address from the banned list, run the command below. “sshd” is the name of the jail, in this case the “sshd” jail we configured above:

fail2ban-client set sshd unbanip IPADDRESS

Inspect /var/log/secure with grep/egrep, or with cat, tail, less or more:

tail -f /var/log/secure | grep 'sshd.*Failed password for'

Stay safe.