Just a quick and dirty way to block sshd brute-forcing; then I'd sort out wp scans and the like.
To install, it's in EPEL, so just yum it:
yum install fail2ban
Can’t remember now, but I think I had to copy jail.conf to jail.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edited /etc/fail2ban/jail.local with the following:
[sshd]
enabled = true
maxretry = 3
bantime = 86400
Restarted and enabled:
systemctl start fail2ban
systemctl enable fail2ban
I'm not actually sure how this is working given I'm using firewalld rather than iptables.
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 4
   |- Total banned:     9
   `- Banned IP list:   5.8.66.90 62.210.220.109 195.154.107.130 159.122.26.20
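The firewalld question above has a concrete answer: the EPEL build pulls in the fail2ban-firewalld subpackage, whose jail.d drop-in sets banaction = firewallcmd-ipset, and that action creates an ipset named after the jail (fail2ban-sshd) with a timeout equal to bantime, which is exactly what the ipset --list output further down shows. As an added example (not part of the original post), the script below does two things: it emits a jail.local fragment that makes that ban action explicit instead of relying on the drop-in, and it parses the fail2ban-client status output captured above so the "Currently banned" count can be cross-checked against the addresses actually listed. The function names are this example's own; the sample status text is copied from the post and embedded as a heredoc so it runs without a fail2ban install.

```shell
#!/bin/sh
# Added example around fail2ban on a firewalld host (not the post's own code).

# Print a jail.local fragment that pins the ban action to firewalld's ipset
# backend. banaction = firewallcmd-ipset creates an ipset named after the jail
# (fail2ban-sshd) with timeout = bantime, matching the post's `ipset --list`.
jail_local_fragment() {
    cat <<'EOF'
[DEFAULT]
banaction = firewallcmd-ipset

[sshd]
enabled  = true
maxretry = 3
bantime  = 86400
EOF
}

# Read `fail2ban-client status <jail>` output on stdin and print the addresses
# from the "Banned IP list" line, one per line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Read the same output on stdin and print the numeric "Currently banned" count.
currently_banned() {
    sed -n 's/.*Currently banned:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample: the status output as captured in the post.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     20
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 4
   |- Total banned:     9
   `- Banned IP list:   5.8.66.90 62.210.220.109 195.154.107.130 159.122.26.20'

# Cross-check: does the count fail2ban reports equal the number of listed IPs?
# Returns 0 when they agree, 1 otherwise.
check_sample() {
    n=$(printf '%s\n' "$SAMPLE_STATUS" | currently_banned)
    listed=$(printf '%s\n' "$SAMPLE_STATUS" | banned_ips | awk 'END { print NR }')
    [ "$n" -eq "$listed" ]
}

# Stand-alone run: show the fragment and the parsed ban list.
jail_local_fragment
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
check_sample && echo "count matches list"
```

On a live host, replace the heredoc with `fail2ban-client status sshd | banned_ips` and compare against `ipset list fail2ban-sshd`; the two should agree, and a mismatch is the first sign that the ban action is not the one you think it is.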
Need to get to know firewalld better…
# ipset --list
Name: fail2ban-sshd
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 17040
References: 1
Members:
5.8.66.90 timeout 12459
195.154.107.130 timeout 47274
159.122.26.20 timeout 72749
62.210.220.109 timeout 15303