Protect SSH with Fail2Ban on AlmaLinux 9

In this tutorial, we'll explain how to protect SSH with Fail2Ban on AlmaLinux 9.

By Anurag Singh
Updated on Aug 28, 2024
Category: Tutorial

Fail2Ban is a popular security tool used to protect servers from brute-force attacks by monitoring log files and blocking IP addresses that show malicious activity. In this tutorial, we will walk you through the steps to install and configure Fail2Ban on AlmaLinux 9 to enhance the security of your SSH service.

Prerequisites

  • A dedicated server or KVM VPS running AlmaLinux 9.
  • Root or sudo access to the server.
  • Basic knowledge of SSH and Linux command-line operations.

Protect SSH with Fail2Ban on AlmaLinux 9

Step 1: Update Your System

Before installing new software, it’s a good idea to ensure your system is up-to-date. Run the following command:

sudo dnf update -y

Step 2: Install Fail2Ban

Fail2Ban is available in the default AlmaLinux repositories. Install it using the dnf package manager:

sudo dnf install fail2ban -y

Step 3: Configure Fail2Ban

Fail2Ban’s main configuration file is located at /etc/fail2ban/jail.conf. However, it is recommended to avoid editing this file directly. Instead, you should create a local configuration file to override or add settings.

Create a Local Configuration File:

Create jail.local in the Fail2Ban configuration directory by copying the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the Local Configuration File:

Open the jail.local file for editing:

sudo nano /etc/fail2ban/jail.local

Find and configure the [sshd] section to customize settings for SSH protection. Ensure the section looks like this:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
maxretry = 5
bantime = 3600
findtime = 600

  • enabled: Set to true to enable protection for SSH.
  • port: Specifies the port used by SSH (default is ssh, which resolves to port 22).
  • logpath: Path to the SSH log file. With backend = systemd this value is not consulted, because Fail2Ban reads the systemd journal instead.
  • backend: Determines how Fail2Ban reads the log. On AlmaLinux 9 sshd logs to the systemd journal, so systemd is the appropriate choice.
  • maxretry: Number of failed login attempts before banning an IP.
  • bantime: Duration (in seconds) for which the IP will be banned.
  • findtime: Time window (in seconds) within which maxretry failed attempts must occur before a ban is applied.
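
To see how maxretry, findtime and bantime interact, here is a small Python replay of the ban decision over a constructed sample of sshd log lines. This is an added example, not Fail2Ban's own code: the regex is a simplified stand-in for the real sshd filter, the year is assumed because syslog timestamps omit it, and the addresses are RFC 5737 test addresses.

```python
import re
from datetime import datetime, timedelta

# Jail parameters from the [sshd] section of jail.local
MAXRETRY, FINDTIME, BANTIME = 5, 600, 3600   # attempts, seconds, seconds

# Simplified stand-in for the sshd filter's "Failed password" rule (assumption, not the real regex)
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample in /var/log/secure style (RFC 5737 test addresses, not real hosts)
SAMPLE_LOG = """\
Aug 28 10:00:00 alma sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 28 10:00:00 alma sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Aug 28 10:00:20 alma sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 28 10:00:45 alma sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Aug 28 10:01:10 alma sshd[2105]: Failed password for root from 203.0.113.5 port 51262 ssh2
Aug 28 10:01:30 alma sshd[2106]: Failed password for root from 203.0.113.5 port 51270 ssh2
Aug 28 10:02:00 alma sshd[2107]: Failed password for root from 203.0.113.5 port 51281 ssh2
Aug 28 10:03:00 alma sshd[2108]: Accepted publickey for deploy from 192.0.2.10 port 33333 ssh2
Aug 28 10:07:30 alma sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Aug 28 10:15:00 alma sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Aug 28 10:22:30 alma sshd[2111]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2
Aug 28 10:30:00 alma sshd[2112]: Failed password for invalid user admin from 198.51.100.7 port 40005 ssh2
""".splitlines()

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines; return {ip: time of ban} for IPs that reach maxretry failures within findtime."""
    recent, bans = {}, {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                      # not a failure line; the filter would ignore it too
        ip = m.group("ip")
        ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")  # year assumed
        if ip in bans and ts - bans[ip] < timedelta(seconds=bantime):
            continue                      # still banned; the firewall rule drops these packets
        # keep only failures inside the sliding findtime window, then add this one
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts                 # Fail2Ban would now run the ban action
            recent[ip] = []
    return bans
```

The second address fails five times but never five times within 600 seconds, so it is never banned; raising findtime or lowering maxretry changes that outcome.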

Save and Exit:

Save the file and exit the editor (Ctrl+X, then Y, and Enter if using nano).

Step 4: Restart and Enable Fail2Ban

To apply the new configuration, restart the Fail2Ban service and enable it to start on boot:

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

Step 5: Verify Fail2Ban Status

Check the status of Fail2Ban to ensure it’s running correctly:

sudo systemctl status fail2ban

You should see that the service is active and running. Additionally, you can verify that Fail2Ban is monitoring SSH by listing the currently active jails:

sudo fail2ban-client status

Output:

Status
|- Number of jail:    1
`- Jail list:    sshd

Look for sshd in the list of active jails. You can also check the status of the SSH jail specifically:

sudo fail2ban-client status sshd

Output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:    4
|  |- Total failed:    24
|  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:    3
   |- Total banned:    3
   `- Banned IP list:    157.230.25.246 164.90.224.212 161.132.48.103

This command will provide details on the number of banned IPs, currently banned IPs, and other statistics.

Step 6: Test Fail2Ban

To ensure Fail2Ban is working correctly, you can test it by simulating failed SSH login attempts from a different machine or using a tool like hydra. Make sure to check the Fail2Ban logs to see if the IP addresses are being banned:

sudo tail -f /var/log/fail2ban.log

Look for log entries indicating that IP addresses have been banned due to failed SSH login attempts.

Conclusion

By following these steps, you have successfully installed and configured Fail2Ban on AlmaLinux 9 to protect your SSH service from brute-force attacks. Fail2Ban adds an important layer of security to your server by blocking malicious IPs and reducing the risk of unauthorized access.

For further customization and advanced configuration, you can explore additional Fail2Ban filters and actions, or consult the official Fail2Ban documentation.