Fail2ban
Install Fail2ban
Fail2ban is not in the base Rocky/Alma repos. You must enable EPEL first.
Enable EPEL:
sudo dnf install epel-release
Install Fail2ban:
sudo dnf install fail2ban
Enable and start the service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check service status:
sudo systemctl status fail2ban
Fail2ban configuration
Never edit /etc/fail2ban/jail.conf directly, since package updates overwrite it. Put your overrides in jail.local, which is read after jail.conf:
sudo vim /etc/fail2ban/jail.local
Example config (replace PORT with the port sshd listens on; with backend = systemd, failures are read from the journal rather than from logpath):
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
backend = systemd
[sshd]
enabled = true
port = PORT
logpath = /var/log/secure
Save, then restart the service and check its status:
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
Enable SSH logging for publickey failures
Fail2ban cannot detect failed publickey attempts unless SSH logs them.
Edit SSH config:
sudo vim /etc/ssh/sshd_config
Uncomment the LogLevel INFO line and change it to LogLevel VERBOSE.
Restart SSH:
sudo systemctl restart sshd
With that setting, sshd logs lines such as:
Failed publickey for USER from X.X.X.X
Invalid user USER from X.X.X.X
Fail2ban's sshd filter matches these lines.
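The following is an added example, not Fail2ban's own code or filter. It shows what the bantime / findtime / maxretry settings from jail.local mean when applied to the two log lines above: failures per source IP are counted inside a sliding findtime window, and an IP is banned for bantime once maxretry failures fall inside that window. The sample log lines are constructed, the timestamps are assumed to be ISO-8601 for simplicity (real journal lines carry syslog timestamps), and the regex is a simplified stand-in for Fail2ban's real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape sshd logs at LogLevel VERBOSE.
# Two IPs: 203.0.113.7 fails three times in nine seconds;
# 198.51.100.5 fails three times but 15 minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[1201]: Failed publickey for alice from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:04 sshd[1202]: Failed publickey for alice from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:09 sshd[1203]: Invalid user admin from 203.0.113.7 port 51238
2024-05-01T10:05:00 sshd[1204]: Accepted publickey for bob from 198.51.100.5 port 40000 ssh2
2024-05-01T10:20:00 sshd[1205]: Failed publickey for root from 198.51.100.5 port 40002 ssh2
2024-05-01T10:35:00 sshd[1206]: Failed publickey for root from 198.51.100.5 port 40004 ssh2
2024-05-01T10:50:00 sshd[1207]: Failed publickey for root from 198.51.100.5 port 40006 ssh2
"""

# Simplified failure pattern (assumption, not Fail2ban's sshd filter):
# matches "Failed <method> for <user> from <ip>" and "Invalid user <user> from <ip>".
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: "
    r"(?:Failed \w+ for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failure(line):
    """Return (timestamp, ip) for an authentication failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None  # e.g. "Accepted publickey" lines are not failures
    return datetime.fromisoformat(m["ts"]), m["ip"]


def evaluate(log_text, findtime=timedelta(minutes=10), maxretry=3,
             bantime=timedelta(hours=1)):
    """Apply the jail parameters to the log.

    Returns {ip: (ban_start, ban_end)} for every IP that accumulated
    maxretry failures inside one findtime window. Defaults mirror the
    jail.local example: findtime = 10m, maxretry = 3, bantime = 1h.
    """
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned; the firewall would have dropped this
        window = recent[ip]
        window.append(ts)
        # drop failures older than findtime relative to the newest one
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in evaluate(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} until {end}")
    print("with findtime=30m:", sorted(evaluate(SAMPLE_LOG,
          findtime=timedelta(minutes=30))))
```

With the default settings only 203.0.113.7 is banned; the slow-and-steady failures from 198.51.100.5 never fit three into a ten-minute window. Re-running with findtime=30m bans that IP as well, which is the trade-off to keep in mind when tuning findtime against low-rate probing.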
Test Fail2ban
Generate a throwaway key on another machine (one the server does not trust):
ssh-keygen -t ed25519 -f ~/.ssh/bad_test -N ""
On the server, watch the SSH log in real time:
sudo journalctl -u sshd -f --no-pager
From the other machine, try to connect to the server with that key:
ssh -i ~/.ssh/bad_test -p PORT USER@SERVER_IP
After maxretry failures within findtime, Fail2ban bans the other machine's IP for bantime.
Check the sshd jail status (the output lists the currently banned IPs):
sudo fail2ban-client status sshd