Fail2Ban: ban every root login attempt
If you have disabled external root login for SSH, you can ban every root/admin login attempt with fail2ban. The IPs behind these attempts are most likely bots trying to break into your server.
What is the reason for this protection?
One very effective security measure is to disable external root login. If you haven't done this yet, please follow these instructions first.
CentOS logs all SSH login attempts by default. You can find the log file here: /var/log/secure
A few bots are trying to log in to your server as root or admin.
This is an excerpt from my log:
[...] Did not receive identification string from [...]
[...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
How can I protect my server?
Is this your first time using fail2ban? Please visit my previous post for an installation guide and general instructions. If you have already installed fail2ban, you are ready to go.
cd /etc/fail2ban/filter.d
This directory holds all of fail2ban's filter definitions. You can easily create a new filter:
nano ssh-ban-root.conf
Just copy and paste the following configuration into your new file.
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
# The trailing "(?:\s.*)?$" also matches when "user=root" is the last thing on the line
failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)(?:\s.*)?$
ignoreregex =
[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
We now have to activate the filter.
nano ../jail.local
Just append this at the end of the file.
[ssh-ban-root]
enabled = true
filter = ssh-ban-root
logpath = /var/log/secure
maxretry = 0
bantime = 15770000
# 15770000 sec = 6 months
Feel free to modify maxretry, findtime and bantime.
The last step is to reload the fail2ban configuration.
fail2ban-client reload
This configuration bans every external root or admin login attempt on the first failure.
If you want to test this regex on your log files, please visit this post for more information.
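As an added example that is not part of the original post, here is a small Python stand-in for such a test: it applies the failregex from the filter above to a few constructed log lines, expanding <HOST> the way fail2ban 0.9 does, and then mimics the jail's maxretry counting. It assumes the default rsyslog line format of /var/log/secure ("Mar  3 10:15:07 host1 sshd[2102]: ...") as a simplified replacement for %(__prefix_line)s from common.conf.

```python
import re

# Assumption: the default rsyslog prefix of /var/log/secure on CentOS 7,
# "Mar  3 10:15:07 host1 sshd[2102]: ", stands in for fail2ban's %(__prefix_line)s.
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
# fail2ban 0.9 expands the <HOST> tag to this named group (IPv4, IPv6 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the ssh-ban-root filter, with both tags expanded.
FAIL_RE = re.compile(
    r"^" + PREFIX_LINE
    + r"pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*"
    + r"\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=" + HOST
    + r"\S*\s*user=(root|admin)(?:\s.*)?$",
    re.MULTILINE,
)

# Constructed sample log: one root failure, one admin failure, one normal-user failure.
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[2101]: Did not receive identification string from 203.0.113.5
Mar  3 10:15:07 host1 sshd[2102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Mar  3 10:15:07 host1 sshd[2102]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar  3 10:15:09 host1 sshd[2102]: Failed password for root from 203.0.113.5 port 41776 ssh2
Mar  3 10:16:30 host1 sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=alice
Mar  3 10:17:02 host1 sshd[2115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=admin
"""


def matching_hosts(log_text):
    """Return the rhost of every line the filter matches, in log order."""
    return [m.group("host") for m in FAIL_RE.finditer(log_text)]


def hosts_to_ban(log_text, maxretry=0):
    """Mimic the jail: a host is banned once its failure count reaches maxretry.
    fail2ban compares with >=, so maxretry = 0 bans on the first hit, just like 1."""
    counts, banned = {}, []
    for host in matching_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
        if counts[host] >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban", host)
```

Only the root and admin lines are reported; the failed login for the regular user alice is left to the normal sshd jail.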
Please comment below, if you have any questions.
Tested on:
- OS: CentOS 7
- Fail2Ban: 0.9.6
Credits:
- Post photo by Chris Liverani on Unsplash