Fail2Ban: ban every root login attempt

Fail2Ban Sep 12, 2017

If you have disabled external root login for ssh, you can ban every root/admin login attempt with fail2ban. The IPs behind these attempts are probably bots trying to break into your server.

What is the reason for this protection?

One very effective security measure is to disable external root login. If you haven't done this yet, please follow these instructions first.

CentOS logs all ssh login attempts by default. You can find the log file here: /var/log/secure

A few bots are constantly trying to log in to your server as root or admin.

This is an excerpt from my log:

[...] Did not receive identification string from [...]
[...] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[...] user=root
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2
[...] pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
[...] Failed password for root from [...] port 41776 ssh2

How can I protect my server?

Is this your first time using fail2ban? Please visit my previous post for an installation guide and general instructions. If you have already installed fail2ban, you are ready to go.

cd /etc/fail2ban/filter.d

This directory contains all defined filters for fail2ban. You can easily create a new one:

nano ssh-ban-root.conf

Just copy and paste the following into your new file.

[INCLUDES]

# common.conf provides the shared __prefix_line definition (syslog date, hostname, "sshd[pid]:")
before = common.conf

[Definition]

_daemon = sshd

# Matches the pam_unix authentication-failure line for the users root and admin.
# fail2ban replaces <HOST> with its own IP-address pattern and uses it as the address to ban.
failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$

ignoreregex =

[Init]

maxlines = 10

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

We now have to activate the filter.

nano ../jail.local

Append the following to the end of the file.

[ssh-ban-root]
enabled = true
filter = ssh-ban-root
logpath = /var/log/secure
# ban on the very first matching line
maxretry = 0
bantime = 15770000
# 15770000 sec = 6 months

Feel free to modify maxretry, findtime and bantime.

The last step is to reload the fail2ban configuration.

fail2ban-client reload

This configuration will ban every external root or admin login attempt.

If you want to test this regex on your log files, please visit this post for more information.
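As an added example that is not part of the original post, the POSIX-shell script below approximates the ssh-ban-root failregex with grep -E and runs it over constructed /var/log/secure lines, so you can see offline which lines the filter would match and which hosts would end up banned. The pattern is a translation of the filter's Python regex into POSIX ERE: __prefix_line from common.conf is approximated by `^.*sshd\[[0-9]+\]: `, `<HOST>` by `[^[:space:]]+`, `\d` by `[0-9]`, `\S` by `[^[:space:]]`, and the tail is written as optional so a line may end right after the user name. The sample log lines and the hostname web1 are constructed; the host addresses come from the RFC 5737 documentation ranges. The authoritative check remains fail2ban's own tool, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/ssh-ban-root.conf`, which uses the real filter file and the real common.conf.

```shell
#!/bin/sh
# Added example, not code from the original post or from the fail2ban project.
# Approximates the ssh-ban-root failregex in POSIX ERE and checks it against
# constructed log lines. Run as: sh check-ssh-ban-root.sh
# or feed a real log:   match_root_attempts /var/log/secure

# Constructed sample of /var/log/secure (not real data; RFC 5737 addresses).
SAMPLE_LOG='Sep 12 10:15:01 web1 sshd[2041]: Did not receive identification string from 198.51.100.7
Sep 12 10:15:03 web1 sshd[2044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Sep 12 10:15:03 web1 sshd[2044]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 12 10:15:05 web1 sshd[2044]: Failed password for root from 192.0.2.10 port 41776 ssh2
Sep 12 10:15:09 web1 sshd[2051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
Sep 12 10:15:12 web1 sshd[2058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Sep 12 10:15:20 web1 sshd[2063]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=alice
Sep 12 10:15:25 web1 sshd[2070]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77  user=rootkit'

# POSIX ERE approximation of the filter's failregex.
#   ^.*sshd\[[0-9]+\]:   stands in for %(__prefix_line)s from common.conf
#   [^[:space:]]+        stands in for <HOST>
#   (root|admin)         only these user names are banned; "rootkit" or "alice" are not
ROOT_LOGIN_RE='^.*sshd\[[0-9]+\]: pam_unix\(sshd:auth\):[[:space:]]+authentication failure;[[:space:]]*logname=[^[:space:]]*[[:space:]]*uid=[0-9]*[[:space:]]*euid=[0-9]*[[:space:]]*tty=[^[:space:]]*[[:space:]]*ruser=[^[:space:]]*[[:space:]]*rhost=[^[:space:]]+[[:space:]]*user=(root|admin)([[:space:]].*)?$'

# Reads log lines from the file named in $1 (default: stdin) and prints the
# rhost of every line the filter would match, one host per matching line.
match_root_attempts() {
    grep -E "$ROOT_LOGIN_RE" "${1:--}" | sed -E 's/.*rhost=([^[:space:]]+).*/\1/'
}

# Distinct hosts that would be banned. With maxretry = 0 in jail.local the
# first matching line is enough, so every host listed here gets banned.
banned_hosts() {
    match_root_attempts "$@" | sort -u
}

# Number of distinct hosts that would be banned.
banned_host_count() {
    banned_hosts "$@" | wc -l | tr -d ' '
}

# User names from pam_unix failure lines that the filter deliberately ignores
# (anything other than exactly "root" or "admin").
unmatched_auth_failures() {
    grep 'pam_unix(sshd:auth)' "${1:--}" | grep -Ev "$ROOT_LOGIN_RE" | sed -E 's/.*user=([^[:space:]]*).*/\1/'
}

# Demo over the constructed sample: prints the hosts the jail would ban.
printf '%s\n' "$SAMPLE_LOG" | banned_hosts
```

Over the sample, three lines match (two for 192.0.2.10, one for 203.0.113.5), so two distinct hosts would be banned, while the failures for alice and rootkit are left to the regular sshd jail. Pipe a real /var/log/secure through match_root_attempts to see the same breakdown for your own server.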

Please comment below if you have any questions.

Tested on:

  • OS: CentOS 7
  • Fail2Ban: 0.9.6

Stefan