How To Secure SSH with Fail2Ban on Rocky Linux 9

By Samuel Siahaan
Last updated: October 29, 2023

When it comes to securing your Rocky Linux 9 server, one of the essential aspects is protecting your SSH access. Fail2Ban is a powerful tool that can help you achieve this. In this article, we’ll guide you through securing SSH with Fail2Ban on Rocky Linux 9.

Table of Contents

  • Introducing Fail2Ban
  • Understanding the Importance of Security
  • What is Fail2Ban?
  • Prerequisites
  • Secure SSH with Fail2Ban
    • Step 1: SSH into Your Server
    • Step 2: Keep Your System Updated
    • Step 3: Install Fail2Ban
    • Step 4: Configuration
    • Step 5: Restart Fail2Ban
  • How Fail2Ban Works
  • Additional Security Measures
  • Conclusion

Introducing Fail2Ban

Fail2Ban is a robust intrusion prevention tool that acts as a virtual security guard for your server. It works by continuously monitoring your server’s log files and responding to suspicious login attempts. When it detects multiple failed login attempts from the same IP address, it temporarily bans that address, preventing further access. Fail2Ban plays a pivotal role in protecting your server against unauthorized access.

Understanding the Importance of Security

Before we dive into the technical details of SSH security and Fail2Ban, let’s grasp why it’s crucial to fortify your Rocky Linux 9 server against unauthorized access. When unauthorized individuals gain access to your server, they can potentially compromise your data, breach your security, and cause harm to your digital assets. Therefore, setting up security measures is vital.

What is Fail2Ban?

Fail2Ban is a robust intrusion prevention tool that can protect your server by monitoring and reacting to unauthorized login attempts. It scans log files and bans IP addresses that show suspicious activities. This tool acts as a virtual security guard, preventing unauthorized access to your server.

Prerequisites

Before we dive into how to secure SSH with Fail2Ban on Rocky Linux 9, make sure you have the following:

  • An active Rocky Linux 9 server and a regular user with sudo privileges. If you’re unsure about how to create a user with these privileges, feel free to check out our guide on Initial Setup Rocky Linux 9 Server: Secure and Efficient.
  • If you’d like to test the ban functionality intentionally, you may also want to have a second server ready to connect to your primary server.

Secure SSH with Fail2Ban

Now that we understand the importance of server security and the role of Fail2Ban, let’s get started with the installation and configuration process.

Step 1: SSH into Your Server

The first step is to SSH into your Rocky Linux 9 server. This requires basic knowledge of working with the command line. If you’re unfamiliar with SSH, don’t worry; we’ll guide you through this process step by step.

To begin, open your terminal and use the following command:

$ ssh your_username@your_server_ip

Replace your_username with your server’s username and your_server_ip with your server’s IP address.

Step 2: Keep Your System Updated

Before proceeding with any installation, it’s essential to ensure your system is up to date. You can do this by running the following command:

$ sudo dnf -y update

Step 3: Install Fail2Ban

Now, it’s time to install Fail2Ban on your Rocky Linux 9 server. Use the following commands:

$ sudo dnf install epel-release
$ sudo dnf install fail2ban

The first command installs the EPEL repository, which contains Fail2Ban, and the second command installs Fail2Ban itself.

After installation, Fail2Ban will automatically establish a background service. Nevertheless, it remains disabled by default due to the possibility of certain default settings causing unintended consequences. You can confirm this status by employing the systemctl command.

$ systemctl status fail2ban.service
Output
○ fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:fail2ban(1)

Step 4: Configuration

The fail2ban service keeps its configuration files in the /etc/fail2ban directory. There is a file with defaults called jail.conf. Go to that directory and print the first 20 lines of that file using head -20:

$ cd /etc/fail2ban
$ head -20 jail.conf
Output
#
# WARNING: heavily refactored in 0.9.0 release.  Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]

As you peruse this file, you’ll notice that the initial lines are commented out, marked with # symbols, indicating they serve as documentation rather than actual settings. Furthermore, these comments advise against direct modifications to this file. Instead, you have two alternatives at your disposal: either fashion individual profiles for Fail2Ban within various files in the jail.d/ directory or compile and store all your local configurations in a jail.local file. The jail.conf file will undergo periodic updates as Fail2Ban receives updates, remaining a source of default settings in cases where you haven’t created any custom overrides.

For this guide, you will be creating the jail.local file. To do so, simply duplicate jail.conf:

$ sudo cp jail.conf jail.local

Now you can begin making configuration changes. Open the file in vi or your favorite text editor:

$ sudo vi jail.local

[DEFAULT]
findtime = 10m
maxretry = 5
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
action = %(action_)s

…
# ban & send an e-mail with whois report to the destemail.
action_mw = %(action_)s
            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
…

These changes modify three settings: they establish a new default ban duration for all services (bantime), confirm the use of iptables for firewall configuration (banaction), and activate the sshd jail (enabled = true under [sshd]).

Step 5: Restart Fail2Ban

After making these adjustments, save the file and exit. In vi, press Esc, type :wq and press Enter. If you’re using nano, press Ctrl-X to exit, ‘y’ to save, and then press Enter to confirm the filename. With these changes saved, you can proceed to restart the Fail2Ban service using systemctl.

$ sudo systemctl restart fail2ban

The systemctl command should complete silently. To confirm that the service is up and running, use the fail2ban-client command.

$ sudo fail2ban-client status
Output
Status
|- Number of jail:      1
`- Jail list:   sshd

You can also get more detailed information about a specific jail:

$ sudo fail2ban-client status sshd
Output
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     4
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   103.213.215.89

How Fail2Ban Works

Now that you’ve set up Fail2Ban, let’s understand how it works to secure your Rocky Linux 9 server.

Fail2Ban continuously scans log files, such as /var/log/secure, for suspicious login attempts. When it detects multiple failed login attempts from the same IP address, it temporarily bans that IP address. The banned IP address is prevented from connecting to your server for a predefined duration. This simple yet effective process ensures that unauthorized login attempts are thwarted, enhancing the security of your server.
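
The ban decision described above, driven by the findtime and maxretry values from Step 4, can be modelled in a few lines. This is an added example, not code from the original article or from Fail2Ban itself; the bantime = 1h value, the [sshd] section, the simplified log format and the function names are assumptions made for illustration.

```python
import configparser
import re
from datetime import datetime, timedelta

# Constructed jail.local override: findtime and maxretry are the Step 4 values;
# bantime = 1h and the [sshd] section are assumed values for illustration.
JAIL_LOCAL = """
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
"""
FAIL = "{} sshd[811]: Failed password for root from {} port 40022 ssh2"
LOG_LINES = sorted(  # constructed, simplified log lines; documentation IP ranges
    [FAIL.format(f"2023-10-29T10:0{i}:00", "203.0.113.7") for i in range(5)]      # 5 in 4 min
    + [FAIL.format(f"2023-10-29T1{i}:30:00", "198.51.100.23") for i in range(5)]  # 1 per hour
    + ["2023-10-29T10:06:00 sshd[900]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2"]
)
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def to_delta(value):  # '10m', '1h' or plain seconds ('600') -> timedelta
    number, unit = re.fullmatch(r"(\d+)([smhd]?)", value.strip()).groups()
    return timedelta(seconds=int(number) * UNITS[unit])

def load_jail(text, jail="sshd"):  # [DEFAULT] values apply to every section
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[jail]
    return (sec.getboolean("enabled", fallback=False), to_delta(sec["bantime"]),
            to_delta(sec["findtime"]), int(sec["maxretry"]))

def simulate(lines, text=JAIL_LOCAL):
    """Return {ip: (ban_start, ban_end)} for hosts reaching maxretry within findtime."""
    enabled, bantime, findtime, maxretry = load_jail(text)
    recent, bans = {}, {}
    for line in (lines if enabled else []):
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned: the firewall would have dropped this connection
        recent[ip] = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip], recent[ip] = (ts, ts + bantime), []
    return bans
```

Calling simulate(LOG_LINES) bans only 203.0.113.7: the second host produces the same number of failures, but never five inside one 10-minute window, which is why findtime and maxretry have to be tuned together.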

Additional Security Measures

While Fail2Ban is an excellent tool for securing your Rocky Linux 9 server, it’s always a good practice to implement additional security measures. Here are some suggestions:

  1. Use Strong Passwords: Ensure that your server users have strong, unique passwords.
  2. Disable Root Login: Disable direct root login and use sudo privileges for administrative tasks.
  3. Update Regularly: Keep your system and software up to date to patch known vulnerabilities.
  4. Firewall Rules: Implement firewall rules to restrict access to your server.
  5. Two-Factor Authentication (2FA): Consider enabling 2FA for SSH access, adding an extra layer of security.

Conclusion

In this comprehensive guide, we’ve walked you through the process of securing your Rocky Linux 9 server with Fail2Ban. We’ve used familiar words and essential transition words to make the setup process easier to understand. By following these steps and implementing additional security measures, you can protect your server from unauthorized access and ensure the safety of your data and resources.

Security is an ongoing process, so be sure to regularly monitor and update your security measures to stay one step ahead of potential threats. Your Rocky Linux 9 server will thank you for it!

You have now learned how to secure SSH with Fail2Ban, bolster your server’s security, and keep your data safe on Rocky Linux 9.
