As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need to do is protecting SSH against brute-force attacks. Some security experts recommend moving SSH off port 22/TCP, but in my opinion that is not a good idea: you are just filling one hole by digging another. Anyone can run a port scan with Nmap and find the new port.
Because of this, I will give a recipe here. Note that I have tested without using the firewalld daemon.
Unfortunately, the RPM that is shipped with CentOS will not work out of the box. Follow these steps:
- Install the EPEL RPM repository
- Install fail2ban by typing yum install fail2ban-server fail2ban-systemd fail2ban-mail fail2ban-sendmail fail2ban-firewalld fail2ban
- Edit the /etc/fail2ban/jail.local with the following content:

```ini
[sshd]
enabled = true
port = 22
protocol = tcp
filter = sshd
backend = systemd
action = iptables-allports[name=sshd, protocol=all]

[sshd-ddos]
enabled = true
port = 22
protocol = tcp
filter = sshd-ddos
backend = systemd
action = iptables-allports[name=sshd-ddos, protocol=all]
```
You are all set. There are some other variables you might want to tune, such as the ones controlling the quarantine time and the number of allowed tries. Read /etc/fail2ban/jail.conf to see the defaults, and put the new values in jail.local to override them.
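To see how the tuning variables interact, here is an added example (not part of the original post or of fail2ban itself) that applies a simplified stand-in for the sshd failregex to constructed journal lines and reports which hosts would cross the retry threshold inside the time window; the regex, addresses and log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape sshd logs (systemd backend); the hosts,
# users and times are made up for this example, not captured from a real machine.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar 10 12:00:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 50118 ssh2
Mar 10 12:00:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 50120 ssh2
Mar 10 12:00:30 host sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar 10 12:03:00 host sshd[2120]: Failed password for root from 198.51.100.20 port 40010 ssh2
Mar 10 12:59:00 host sshd[2130]: Failed password for root from 192.0.2.9 port 40020 ssh2
Mar 10 12:59:10 host sshd[2131]: Failed password for root from 192.0.2.9 port 40021 ssh2
Mar 10 13:00:00 host sshd[2132]: Failed password for root from 192.0.2.9 port 40022 ssh2
"""

# Simplified stand-in for the sshd filter's failregex; fail2ban's real pattern is richer.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<host>\S+) port \d+")
TS_FORMAT = "%b %d %H:%M:%S"  # syslog-style prefix, first 15 characters of the line


def parse_failures(log_text):
    """Return a (timestamp, host) tuple for every line that matches FAILREGEX."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:15], TS_FORMAT)
        failures.append((ts, m.group("host")))
    return failures


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Hosts with at least `maxretry` failures inside any sliding window of
    `findtime` seconds; this is the decision fail2ban makes before applying the
    jail's action for `bantime` seconds."""
    per_host = defaultdict(list)
    for ts, host in parse_failures(log_text):
        per_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i, start in enumerate(times):
            # Count attempts from this failure up to start + findtime.
            hits = sum(1 for t in times[i:] if t - start <= window)
            if hits >= maxretry:
                banned.add(host)
                break
    return banned
```

Lowering maxretry or widening findtime makes the jail more aggressive; the Accepted publickey line never matches, so legitimate logins do not count toward a ban.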
CentOS 8 doesn't have the sshd-ddos filter.
Restart the daemon.
Good Luck!