fail2ban is one of those magical programs that, in my experience, just works. I’ve inherited many systems with a working fail2ban configuration, and therefore I didn’t know much about configuring it or troubleshooting it.
Summary: by default, fail2ban on CentOS 7 does absolutely nothing!
One of the things that it is reported (falsely!) to do out-of-the-box is to block repeated SSH login failures. According to Protecting SSH with Fail2ban:
Fail2ban should now protect SSH out of the box. If Fail2ban notices six failed login attempts in the last ten minutes, then it blocks that IP for ten minutes.
I wanted to test this, so I set up 2 virtual machines, a victim and an attacker.
On the victim VM:
[ariel]# sudo yum install epel-release
[ariel]# sudo yum install fail2ban
[ariel]# sudo systemctl start fail2ban
[ariel]# sudo tail -f /var/log/fail2ban
On the attacker VM:
[caliban]# sudo yum install epel-release
[caliban]# sudo yum install sshpass
[caliban]# for i in `seq 1 100`; do sshpass -p 'TopSecret!' admin@ariel; done
And then I waited. And waited. And waited.
I confirmed that the defaults described matched what was in my /etc/fail2ban/jails.conf
(excerpted):
bantime = 600
findtime = 600
maxretry = 5
In my test, I definitely exceeded that: about 30 failed attempts in 5 minutes. The failures appear in /var/log/secure
, but nothing appears in /var/log/fail2ban.log
!
From How To Protect SSH With Fail2Ban on CentOS 7 I found the fail2ban-client status
command:
[ariel]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
Zero jails! That’s definitely a problem.
As mentioned in the above, I created a file, /etc/fail2ban/jail.local
containing the following:
[sshd]
enabled = true
New results:
[ariel]# systemctl restart fail2ban
[ariel]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
That looks better! /var/log/fail2ban.log
now has new entries, and the attacker IP address has been banned! Just to confirm I tried to SSH to the machine from the attacker:
[caliban]# ssh admin@ariel
ssh_exchange_identification: Connection closed by remote host
Great! Exactly what I expected to happen.
When I look at the /etc/fail2ban/jails.conf
, I do not see enabled = true
under the [sshd]
section. In fact, part of that file explains that all jails are disabled by default:
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
On CentOS 7, fail2ban is configured to work with firewalld. My next post describes using fail2ban with iptables on CentOS 7.
I just tested this on a Debian 9 install and found that, once you install fail2ban (i.e.
sudo apt-get install fail2ban
):/etc/fail2ban/jail.d/defaults-debian.conf
)I had been using primarily Debian previously, so that’s why it just magically worked for me in my experience. I think the Debian defaults are much more sane than the CentOS defaults.