CentOS uses fail2ban to defend the server from SSH brute force attacks

fail2ban is a well-known open source intrusion prevention framework for Linux. It monitors system log files (for example /var/log/secure) and automatically triggers defensive actions when it detects suspicious behavior. It is particularly useful for defending SSH servers against brute force password cracking.

One, environment check

This environment is CentOS 6.8 (Final).
1. The Python version must be greater than 2.4.3
2. The iptables firewall must be turned on

Two, install Fail2ban

# yum install -y fail2ban
# chkconfig --level 35 fail2ban on

Three, configure Fail2ban

1. Configure jail.conf

# vi /etc/fail2ban/jail.conf

Append the following at the end of the configuration file:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# System log file to monitor
logpath = /var/log/secure
# Ignore a single IP
#ignoreip = 192.168.99.1
# Addresses that fail2ban never bans
ignoreip = 192.168.99.0/24
# Number of failures allowed from an SSH client
maxretry = 10
# How long a host stays banned (seconds)
bantime = 604800

2. Modify the rules of iptables

# vi /etc/fail2ban/action.d/iptables-multiport.conf

Replace the default line (it can be commented out):

#blocktype = REJECT --reject-with icmp-port-unreachable

with:

blocktype = DROP

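3. Modify the fail2ban log rotation

Modify the log rotation settings to keep the fail2ban log for longer.

# vi /etc/logrotate.d/fail2ban

The postrotate step in this file tells fail2ban to reopen its log file after each rotation:

/usr/bin/fail2ban-client flushlogs  1>/dev/null || true

The 1 in 1>/dev/null is the file descriptor of standard output, not a number of days, so leave this line unchanged. Rewriting it as 7>/dev/null does not change the schedule; it only stops the command's output from being discarded. How often the log is rotated and how many old copies are kept is controlled by the logrotate directives in the same file (for example weekly and rotate), so change the rotation interval there to rotate every 7 days.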

4. Restart fail2ban:

# /etc/init.d/fail2ban restart

With the above configuration, fail2ban will automatically ban any IP address that has failed more than 10 access attempts in the last 10 minutes. The 10-minute window is fail2ban's default findtime of 600 seconds, which this jail does not override. Once banned, the IP address cannot access the SSH service for a week (bantime = 604800 seconds).
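
The ban decision described above can be replayed offline. The following Python sketch is an added example, not part of the original post or of fail2ban's own code: it applies the jail's maxretry, bantime and ignoreip, plus the default findtime of 600 seconds, to constructed /var/log/secure lines. It assumes a ban fires once the failures inside the window reach maxretry; the regex is a simplified stand-in for the sshd filter, and find_bans and sample_log are hypothetical names.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail values from above; FINDTIME is fail2ban's default (not set in the jail).
MAXRETRY, BANTIME, FINDTIME = 10, 604800, 600
IGNOREIP = [ipaddress.ip_network("192.168.99.0/24")]
# Simplified stand-in for the sshd filter: matches only "Failed password" lines.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_bans(lines, year=2024):
    """Return {ip: (ban_time, unban_time)} for /var/log/secure lines."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        addr = m.group(2)
        if any(ipaddress.ip_address(addr) in net for net in IGNOREIP):
            continue  # ignoreip: never counted, never banned
        if addr in bans and ts < bans[addr][1]:
            continue  # ban still active, the firewall rule already drops it
        window = recent[addr]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:  # assumed: ban once the count reaches maxretry
            bans[addr] = (ts, ts + timedelta(seconds=BANTIME))
            window.clear()
    return bans

def sample_log():
    """Constructed log lines using documentation addresses, not real traffic."""
    def fail(sec, ip):
        return (f"Mar  9 10:{sec // 60:02d}:{sec % 60:02d} host sshd[4242]: "
                f"Failed password for root from {ip} port 50000 ssh2")
    fast = [fail(20 * i, "203.0.113.7") for i in range(12)]   # 12 failures in 4 min
    slow = [fail(90 * i, "198.51.100.9") for i in range(12)]  # one every 90 s
    lan = [fail(5 * i, "192.168.99.50") for i in range(20)]   # inside ignoreip
    return sorted(fast + slow + lan)

if __name__ == "__main__":
    for ip, (start, end) in find_bans(sample_log()).items():
        print(f"{ip} banned {start} until {end}")
```

Only the fast source is banned: the slow one never has more than 7 failures inside any 600-second window, and the 192.168.99.0/24 address is skipped however often it fails.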

Four, check the status of fail2ban & unlock the IP address

1. Check fail2ban status

Run the fail2ban-client command with the 'ping' parameter. If the fail2ban service is running normally, you will see "Server replied: pong" as the response.

# fail2ban-client ping
Server replied: pong
# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   ssh-iptables
# fail2ban-client status ssh-iptables

