Monday, January 21, 2019


1) rpm -Uvh

If this is already installed, skip this step.

2) yum install fail2ban

3) If any error occurs, clean the yum cache and install fail2ban again by executing these commands:

yum clean all
yum install fail2ban

4) If the fail2ban installation is successful, change to its configuration directory.

cd /etc/fail2ban/

5) Do not edit the "jail.conf" file itself. Instead, make a copy of it as "jail.local" and edit that copy.

cp jail.conf jail.local

6) Open this file using any editor of your choice. I prefer the vi editor.

vi jail.local

7) In this file, under the ssh-iptables heading, you will see the following:

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root,]
logpath  = /var/log/secure
maxretry = 5

8) Change the enabled parameter of ssh-iptables to true.

Set the maxretry parameter to any integer. If any user presents an incorrect SSH key (or otherwise fails SSH authentication) beyond this limit, that user's IP address is banned from your server. I have given 5 here.

You can also get an email when any IP gets banned by setting the "dest" and "sender" parameters of "sendmail-whois".

Give the complete path of the login log file in the logpath parameter.

9) Finally, restart fail2ban.

sudo service fail2ban restart

10) You can verify that the fail2ban SSH jail has started successfully by typing this command:

iptables -L

It will show output like this if the fail2ban SSH jail is successfully installed:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

11) You can set your own fail2ban SSH failregex expressions in the sshd filter:

cd filter.d/
vi sshd.conf

12) Include the following ssh failregex expressions in the sshd.conf file:

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: $
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: User exit$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: No supported authentication methods available$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: no authentication methods available$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sConnection closed by <HOST>$

13) You can check all the ssh fail2ban failregex expressions against your previous login log file:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
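To show what steps 12 and 13 actually do, here is an added Python example (not from this post or from the fail2ban project) that takes a subset of the failregex lines above, expands them with simplified stand-ins for fail2ban's __prefix_line, <HOST> and __md5hex substitutions (assumptions, not fail2ban's exact definitions), runs them over constructed /var/log/secure lines, and reports which source addresses have reached maxretry. It goes one step beyond the fail2ban-regex check by reproducing the per-host counting the jail applies.

```python
import re
from collections import Counter

# Simplified stand-ins for fail2ban's own substitutions (assumed here, not
# fail2ban's exact definitions): sshd syslog prefix, <HOST> group, __md5hex.
PREFIX_LINE = r"\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+sshd\[\d+\]:\s+"
HOST_RE = r"(?P<host>[\d.]+)"
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"

# A subset of the failregex lines from the post, copied verbatim.
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: $",
]

# Constructed /var/log/secure sample (not real log data).
SAMPLE_LOG = """\
Jan 21 10:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 21 10:00:03 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 21 10:00:05 host1 sshd[2104]: Invalid user admin from 203.0.113.7
Jan 21 10:00:06 host1 sshd[2104]: Received disconnect from 203.0.113.7: 11: Bye Bye
Jan 21 10:00:07 host1 sshd[2106]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 21 10:00:09 host1 sshd[2108]: Failed publickey for alice from 203.0.113.7 port 51244 ssh2
Jan 21 10:00:12 host1 sshd[2112]: error: PAM: Authentication failure for bob from 198.51.100.5
Jan 21 10:00:13 host1 sshd[2114]: ROOT LOGIN REFUSED FROM 192.0.2.9
"""

def compile_failregex(patterns):
    """Expand %(name)s and <HOST> the way fail2ban's config interpolation does."""
    subs = {"__prefix_line": PREFIX_LINE, "__md5hex": MD5HEX}
    return [re.compile((p % subs).replace("<HOST>", HOST_RE)) for p in patterns]
COMPILED = compile_failregex(FAILREGEX)

def failures_per_host(log_text):
    """Count lines matching any failregex, keyed by the captured <HOST>."""
    counts = Counter()
    for line in log_text.splitlines():
        for rx in COMPILED:
            if m := rx.match(line):
                counts[m.group("host")] += 1
                break  # a line counts once even if several patterns match
    return counts

def hosts_to_ban(log_text, maxretry=5):
    """Hosts with at least maxretry failures (findtime window ignored here)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)
```

The "11: Bye Bye" disconnect line deliberately matches none of the patterns, so only genuine authentication failures are counted towards the ban.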
