fail2ban is one of those magical programs that, in my experience, just works. I’ve inherited many systems with a working fail2ban configuration, and therefore I didn’t know much about configuring it or troubleshooting it.<\/p>\n
Summary: by default, fail2ban on CentOS 7 does absolutely nothing!<\/strong><\/p>\n One of the things that it is reported (falsely!) to do out-of-the-box is to block repeated SSH login failures. According to Protecting SSH with Fail2ban<\/a>:<\/p>\n Fail2ban should now protect SSH out of the box. If Fail2ban notices six failed login attempts in the last ten minutes, then it blocks that IP for ten minutes.<\/p><\/blockquote>\n I wanted to test this, so I set up 2 virtual machines, a victim<\/em> and an attacker<\/em>.<\/p>\n On the victim<\/em> VM: On the attacker<\/em> VM: And then I waited. And waited. And waited.<\/p>\n I confirmed that the defaults described matched what was in my In my test, I definitely exceeded that: about 30 failed attempts in 5 minutes. The failures appear in
\n[ariel]# sudo yum install epel-release
\n[ariel]# sudo yum install fail2ban
\n[ariel]# sudo systemctl start fail2ban
\n[ariel]# sudo tail -f \/var\/log\/fail2ban<\/code><\/p>\n
\n[caliban]# sudo yum install epel-release
\n[caliban]# sudo yum install sshpass
\n[caliban]# for i in `seq 1 100`; do sshpass -p 'TopSecret!' admin@ariel; done<\/code><\/p>\n\/etc\/fail2ban\/jails.conf<\/code> (excerpted):
\nbantime = 600
\nfindtime = 600
\nmaxretry = 5<\/code><\/p>\n\/var\/log\/secure<\/code>, but nothing appears in \/var\/log\/fail2ban.log<\/code>!<\/p>\n