Thwart Brute-Force SSH Attacks with Fail2Ban

SSH brute force attacks are a common and surprisingly effective way for hackers to get into your machine or network. You are especially vulnerable if you are using insecure passwords. The fail2ban package works with iptables to block ip addresses outright for a set duration after a number of failed login attempts (you also set this number).

How-to Install Fail2Ban on CentOS

Other options you may choose to tweak

  1. Default time IPs are blocked is 600 seconds or 10 minutes, this can be modified in /etc/fail2ban/jail.conf where you can change “bantime = 600″ to whatever value you think is appropriate (in seconds).
  2. Number of failed attempts before blocking an IP is also located in /etc/fail2ban/jail.conf. The default is 3, but you can raise or lower this depending on your requirements. Just change “maxretry = 3″ to whatever value you find appropriate for your environment.
  3. By default messages are logged to SYSLOG and you can grep for them, but you may wish to define your own log. This setting is in /etc/fail2ban/fail2ban.conf and you can change “logtarget = SYSLOG” to “logtarget = /var/log/fail2ban.log” or something, you probably want to setup a logrotate for this if you go this route.