Whenever I log in to my Linux VPS over SSH, I get this message:
Last failed login: Sat Feb 27 23:26:43 EST 2016 from 220.127.116.11 on ssh:notty
There were 6166 failed login attempts since the last successful login.
Last login: Sun Jan 17 01:41:33 2016 from
There are a few hundred brute-force login attempts every day, from all over the world, trying to hack into my Linux VPS. If you check the /var/log/secure log, you’ll find lots of messages like the ones below:
Feb 27 17:34:50 localhost sshd: Failed password for root from 18.104.22.168 port 35161 ssh2
Feb 26 02:59:12 localhost sshd: Failed password for root from 22.214.171.124 port 41115 ssh2
Feb 27 01:12:05 localhost sshd: Failed password for root from 126.96.36.199 port 49786 ssh2
All these attempts are from automated bots or scripts. If I didn’t do anything to protect my Linux VPS, they might eventually succeed in finding the password.
So, how do I protect my Internet-facing server from being hacked?
An open source tool named Fail2ban can mitigate this security risk by automatically creating firewall rules based on a predefined number of unsuccessful login attempts.
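The counting that Fail2ban automates can also be done by hand to see who is hitting the server. The shell function below is an added example, not part of Fail2ban or of the original post: it tallies "Failed password" lines per source address and prints the addresses that reach a threshold. The names ssh_offenders and sample_log, and the sample log lines with their documentation-range addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fail2ban's code): list source IPs whose failed SSH
# password attempts reach a threshold. ssh_offenders and sample_log are
# hypothetical names; the log lines are constructed, with documentation IPs.

# usage: ssh_offenders THRESHOLD [LOGFILE...]   (reads stdin without a file)
ssh_offenders() {
    threshold=$1
    shift
    awk -v max="$threshold" '
        # Accept "sshd:" and "sshd[pid]:"; covers the "invalid user" form too.
        /sshd(\[[0-9]+\])?: Failed password for / {
            # Read the address relative to the END of the line, so a
            # username that contains " from " cannot shift the field.
            if ($NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from")
                count[$(NF-3)]++
        }
        END {
            for (ip in count)
                if (count[ip] >= max) print count[ip], ip
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample in the /var/log/secure format shown above.
sample_log() {
    cat <<'EOF'
Feb 27 17:34:50 localhost sshd[2101]: Failed password for root from 203.0.113.7 port 35161 ssh2
Feb 27 17:34:52 localhost sshd[2101]: Failed password for root from 203.0.113.7 port 35161 ssh2
Feb 27 17:34:55 localhost sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 35170 ssh2
Feb 27 17:35:01 localhost sshd: Failed password for root from 198.51.100.23 port 41115 ssh2
Feb 27 17:35:09 localhost sshd[2110]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Feb 27 17:35:12 localhost sshd[2111]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.23 port 49786 ssh2
EOF
}

# Addresses with 3 or more failures in the sample; prints "3 203.0.113.7".
sample_log | ssh_offenders 3
```

On a real server, pass the log file instead of the sample, for example ssh_offenders 5 /var/log/secure.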
How to install Fail2ban?
First, install the EPEL repository:
yum install epel-release
Second, install the fail2ban package:
yum install fail2ban
Package Arch Version Repository Size
fail2ban noarch 0.9.3-1.el7 epel 9.7 k
dracut x86_64 033-360.el7_2 updates 311 k
initscripts x86_64 9.49.30-1.el7 base 429 k
Installing for dependencies:
fail2ban-firewalld noarch 0.9.3-1.el7 epel 9.9 k
fail2ban-sendmail noarch 0.9.3-1.el7 epel 13 k
fail2ban-server noarch 0.9.3-1.el7 epel 395 k
ipset x86_64 6.19-4.el7 base 36 k
ipset-libs x86_64 6.19-4.el7 base 46 k
systemd-python x86_64 219-19.el7_2.4 updates 98 k
Updating for dependencies:
dracut-config-rescue x86_64 033-360.el7_2 updates 49 k
dracut-network x86_64 033-360.el7_2 updates 90 k
kmod x86_64 20-5.el7 base 114 k
libgudev1 x86_64 219-19.el7_2.4 updates 65 k
systemd x86_64 219-19.el7_2.4 updates 5.1 M
systemd-libs x86_64 219-19.el7_2.4 updates 357 k
systemd-sysv x86_64 219-19.el7_2.4 updates 52 k
Install 1 Package (+6 Dependent packages)
Upgrade 2 Packages (+7 Dependent packages)
Total download size: 7.2 M
Is this ok [y/d/N]: y
Press y and Enter when prompted to continue.
Third, once the installation has finished, use systemctl to enable the fail2ban service:
For CentOS 7
systemctl enable fail2ban
For CentOS 5/6
service fail2ban start
In the next post, I will explain the Fail2ban configuration.