
Block all IPs from accessing SSH on my machine?

That’s going to be your fail2ban config.

https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jails

I installed fail2ban but there was no jail.conf in the folder, so I ran cat > jail.conf, and this is what I put in it:

maxretry = 5
bantime = 300

Is there something else I should write? I am still able to connect to my machine over SSH using PuTTY.

TBH, I haven’t configured fail2ban in a while. The config should look something like this though (TOML):

# one jail per section; the section name is what fail2ban-client reports on
[ssh-ddos]
enabled  = true
port     = ssh,sftp
filter   = sshd-ddos
# the log fail2ban scans; on CentOS 7 sshd writes to /var/log/secure
logpath  = /var/log/messages
# ban after 5 failures inside a 24h window, for 180 seconds
maxretry = 5
findtime = 86400
bantime  = 180

What’s the full path of the jail.conf that you made?

Once the config file is formatted properly and in the correct directory, you’ll need to run fail2ban-client start or fail2ban-client reload if it’s already running.
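Since the thread never spells out what maxretry, findtime and bantime actually do together, here is an added example of my own (not code from the original thread or from the fail2ban project). It renders the [sshd] stanza that the opening post's two-line file is missing and then replays a few constructed /var/log/secure-style lines through a small model of the jail's counting rule. Assumptions: the filter name sshd and the log path /var/log/secure are the CentOS 7 defaults; FAILED_RE is a simplified stand-in for fail2ban's real sshd filter; timestamps are replaced by a plain second counter; the IPs and log lines are made up.

```python
"""Added example, not code from the thread: a small model of what a fail2ban
jail does with maxretry / findtime / bantime, plus a renderer for the
[sshd] stanza of jail.local.  The log lines are constructed to look like
CentOS 7 /var/log/secure output; FAILED_RE is a simplified stand-in for
fail2ban's real sshd filter, and timestamps are replaced by a plain
second counter so the simulation needs no date parsing."""
import re
from dataclasses import dataclass, field

# Simplified "Failed password" pattern (the real sshd filter has many more).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)


def render_jail_local(port=22, logpath="/var/log/secure",
                      maxretry=5, findtime=600, bantime=300):
    """Return a jail.local with the [sshd] section header that the opening
    post's two-line file lacks; bare keys with no section header enable
    no jail at all."""
    return (
        "[sshd]\n"
        "enabled  = true\n"
        f"port     = {port}\n"
        "filter   = sshd\n"
        f"logpath  = {logpath}\n"
        f"maxretry = {maxretry}\n"
        f"findtime = {findtime}\n"
        f"bantime  = {bantime}\n"
    )


@dataclass
class Jail:
    """Ban an IP after `maxretry` failures inside any `findtime`-second
    window, for `bantime` seconds."""
    maxretry: int = 5
    findtime: int = 600
    bantime: int = 300
    failures: dict = field(default_factory=dict)      # ip -> [times]
    banned_until: dict = field(default_factory=dict)  # ip -> expiry time

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, -1) > now

    def observe(self, now, line):
        """Feed one log line seen at time `now`; True if it caused a ban."""
        m = FAILED_RE.search(line)
        if m is None:
            return False
        ip = m.group("ip")
        if self.is_banned(ip, now):
            return False  # already blocked at the firewall; nothing to count
        recent = [t for t in self.failures.get(ip, []) if now - t < self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            self.failures[ip] = []
            return True
        return False


def run_sample():
    """Replay constructed log lines and report who got banned and when."""
    jail = Jail(maxretry=5, findtime=600, bantime=300)

    def fail(ip, port):
        return (f"Nov  3 10:00:00 host sshd[2342]: Failed password for root "
                f"from {ip} port {port} ssh2")

    # 203.0.113.7: five failures in five seconds -> banned on the fifth.
    timeline = [(t, fail("203.0.113.7", 50000 + t)) for t in range(5)]
    # 192.0.2.10: five failures spread over 800 s -> never five inside 600 s.
    timeline += [(200 * t, fail("192.0.2.10", 42000 + t)) for t in range(5)]
    # A successful key login is ignored by the filter.
    timeline.append((10, "Nov  3 10:00:10 host sshd[2350]: Accepted publickey "
                         "for alice from 198.51.100.2 port 40000 ssh2"))
    timeline.sort(key=lambda e: e[0])

    bans = [(t, FAILED_RE.search(line).group("ip"))
            for t, line in timeline if jail.observe(t, line)]
    return {
        "bans": bans,                                                # [(4, '203.0.113.7')]
        "hammer_banned_at_100": jail.is_banned("203.0.113.7", 100),  # True
        "hammer_banned_at_400": jail.is_banned("203.0.113.7", 400),  # False, ban ended at 304
        "slow_banned": jail.is_banned("192.0.2.10", 801),            # False
    }


if __name__ == "__main__":
    print(render_jail_local(port=22422))
    print(run_sample())
```

The point of the second host in the sample is the one people trip over: five failures that are not all inside one findtime window never trigger a ban, so a bantime of 300 with a short findtime only stops fast brute force. On the real box, write the rendered stanza to /etc/fail2ban/jail.local, run fail2ban-client reload, and check fail2ban-client status sshd to confirm the jail is actually active.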

it’s in /etc/fail2ban

Are there better alternatives to fail2ban?

This might be useful https://fedoraproject.org/wiki/Fail2ban_with_FirewallD

You could do it with the firewall directly, but that's what fail2ban does anyway, and I've not heard of others that are better. They all do the same thing.

Worth noting: if you need to use fail2ban to block the IPs you trust after failed attempts, then don't use the trusted zone; use another zone for those IP addresses, as mentioned before.


I don’t need to use fail2ban, but how would I use firewalld to block somebody after 5 failed attempts for 300 seconds?

If you can SSH into the machine, it is using SSHD. AllowUsers will work, but as mentioned fail2ban will give you lockouts for failed login attempts and running a firewall is just good practice regardless of using or not using AllowUsers.

That link in @Eden’s last reply is exactly what you want. It coordinates firewalld and fail2ban.

How does it do that? It looks the same as the settings you provided, with support for sending emails…

There are some differences.

What distro are you using anyway?

CentOS 7 64-bit, minimal install with no user interface

Follow the guide on the Fedora wiki. Use yum instead of dnf. I think the rest will translate.

If it’s open to the internet, consider also changing the port. Yes, this is security through obscurity, but you would be astonished how many times people come in and rattle the doorknob on standard ports. Like, thousands per day. Move it to port 22422 and you drop that to, well, usually zero.

Oh, I’ve already installed fail2ban. Was there something else I forgot to install? lol

Yup, I’ll also change the port. Would I have to insert the port number in jail.conf (“port = ?”), or is “port = ssh” fine?

You will need to set the number. When they see “ssh”, what programs generally do is look for that text in /etc/services, so it will always map to 22.

I would also set up SSH keys and disable password authentication. At that point you’ll be pretty darn secure against script kiddies and really only vulnerable to spear phishing. But there’s nothing you can do about that.


This is why it’s been a while since I configured fail2ban.

You just need to follow the rest of the instructions then.

There were no instructions to follow when I installed fail2ban, besides creating a file called jail.local :confused:

You should be able to use the link I provided earlier


I was going to suggest setting internal to port 22 and external to another port… but apparently this is no longer secure, it just complicates things… Maybe you can make a couple of groups and set up PAM?

# iptables-restore format: default-deny inbound, everything else allowed out
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH only from two trusted LAN hosts; everyone else never reaches sshd
-A INPUT -i eth0 -s 192.168.1.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.33/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
# log whatever falls through before the DROP policy discards it
-A INPUT -j LOG
COMMIT
