One way to enhance the security of your VPS or internet-facing home server is to install and configure fail2ban, a tool that monitors logfiles and executes actions, e.g. block the originating IP after x failed login attempts within y minutes from the same IP.
The setup is easy. Here are the steps for CentOS 7:
1. Activate the EPEL repo
# yum install epel-release
2. Install required packages
# yum install fail2ban-server fail2ban-sendmail fail2ban-systemd fail2ban-firewalld python-inotify
/etc/fail2ban/jail.local - this file overrides settings from
[DEFAULT] # set a higher bantime and findtime bantime=1200 findtime=1800 # set max number of attempts maxretry = 5 # set mail receiver destemail = firstname.lastname@example.org sender = email@example.com # enable sending mails, whois and logfile sections by choosing the "action_mwl" template, # see jail.conf for details action = %(action_mwl)s
/etc/fail2ban/jail.d/01-jails.conf and enable the jails you want in it. Preconfigured jails are found in jail.conf, but all of them disabled by default.
[sshd] enabled = true [nginx-http-auth] enabled = true backend = auto [roundcube-auth] enabled = true backend = auto logpath = /path/to/roundcubemail/logs/errors [postfix] enabled = true [dovecot] enabled = true
- CentOS7 beeing a systemd enabled system, we installed fail2ban-systemd package which does nothing else but setting the default backend to systemd in
/etc/fail2ban/jail.d/00-systemd.conf. Some daemons like e.g. nginx do not log to the systemd journal, but to their own logfiles. Set
backend = autofor those services like shown above. This will pick the best available backend. We installed python-inotify, so pyinotify will be used.
- If your server is a VPS hosted on some OpenVZ plattform (like Strato), the kernel might be missing the xt_set module, so IP blocking via ipset won't work. The fail2ban-firewalld package (if you use firewalld) sets the default banaction to "firewallcmd-ipset". You can change it to "firewallcmd-new" in
4. Start and enable fail2ban
# systemctl enable fail2ban # systemctl start fail2ban
Now check /var/log/fail2ban.log for possible errors. If you configured mail delivery, you should have gotten a mail for every started jail already.