Data Networking Blog
Blog for Admins

Securing SSH with Fail2ban on CentOS


OS: CentOS 6.6 Final Version

I recently came across the fail2ban program while I was trying to harden the security of my CentOS server. Fail2ban allows you to block IP addresses that register too many failed login attempts against your SSH service, a pattern that indicates a brute-force attack. If you allow such attempts on your system, it is possible that eventually someone will be able to break into it, especially if you have not set a strong password.

Let me tell you, it may still be possible for someone to break into your system. We are just ensuring it will be really, really hard to do so, as we will block anyone who tries to guess our password too many times in a given period of time. For more security you can search for ways to permanently block such hosts, but even a temporary block significantly increases the overall effort required to crack a password, especially if you have a good strong password.

The first thing you will need to get fail2ban on a CentOS system is EPEL (Extra Packages for Enterprise Linux), as fail2ban is not included in the CentOS repositories; the EPEL repository itself can be installed using yum. You can learn more about EPEL here.

Once the EPEL repository is installed, you can type the following to install fail2ban.

Note: The first time you install a package from EPEL, yum will ask you to import the repository's signing key. You can safely allow it to do so.

We can now configure fail2ban by editing the configuration file /etc/fail2ban/jail.conf. I am assuming you use vi like me.

There is a lot of information in this file, but for now we are only interested in a few configuration directives, mainly the ones mentioned below.

ignoreip – add the hosts you usually log in from to the ignoreip list, separated by spaces. fail2ban will not apply its rules to the IP addresses or networks you list here, so you cannot lock yourself out from them.

bantime – how long do you want to ban an IP address for? The default is 600 seconds, which is a good starting point. You can always tweak this if needed.

findtime – fail2ban bans an IP address or host if that same host reaches maxretry failed attempts within the last findtime seconds. So if someone provides invalid login information 3 times in the last 600 seconds, they get banned for 600 seconds.

maxretry – the number of invalid login attempts before a host is banned. I keep it at 3, but the default is actually 6.

Fail2ban can actually be used for many applications. You will see similar directives for other applications that you don't use, but that is alright, as these are not enabled by default. We need to find the section that controls SSH, as shown below:

Well, the service we are interested in is already enabled, as you can see from the directive enabled = true, so we don't have to do much except change the dest and sender email addresses for notifications. Now save and quit the configuration file.

Start the fail2ban service and, ideally, add it to your startup list.

At this stage, ensure you have iptables enabled, as fail2ban uses iptables to ban and unban hosts. When I did this I was a bit concerned about my existing iptables rules, but the fail2ban folks had already thought of that: the program creates its own chains to keep its rules separate. All of this is configurable.

To verify that fail2ban is working, try a few failed logon attempts from a different system. You can check the messages log on CentOS to confirm the ban/unban messages.

Which, if all is working, should show you:


I came across an issue that may be relevant if you have not been able to get it working. Check my post “Troubleshooting fail2ban setup” for details.





February 5, 2015 Security Jd
