This is part of my complete guide to Setting up a CentOS Digital Ocean droplet with Nginx for beginners.
If you just need the commands, here they are. Read on for an explanation of what is happening.
yum install epel-release #if you haven't already yum install fail2ban cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local nano /etc/fail2ban/jail.local #more on this below systemctl restart fail2ban.service systemctl enable fail2ban
Most of this information came from this guide on servermom, except the last line that ensures the service starts at boot. Weird.
The important bits are
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`
This copies the default config into a use file that can be edited without getting erased during updates. Standard fare.
systemctl restart fail2ban.service systemctl enable fail2ban
These start the service and configure on-boot startup, respectively.
The config file
The config file has some very reasonable defaults, but they are all commented out at the beginning. It confused me at first that the section at the top--"How to activate jails"-- didn't work if you just uncommented the bits. It doesn't have everythying it needs.
This file works like an
ini file. It has sections denoted by square brackets, like
[DEFAULT] that correspond to a jail. A jail is basically a configuration for how to handle bans. Don't worry too much about this, you only need the
Scroll down until you see this section
# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS #
Yours probably has
[DEFAULT] commented out (A line starting with
# is a comment). Uncomment this line (by removing the
#). Then, find the lines starting with
maxretry below it. Make sure they are uncommented as well.
Then scroll way down until you find this section.
# # JAILS # # # SSH servers # [sshd] port = ssh logpath = %(sshd_log)s enable = true
This is the ssh jail, which is our primary concern. Make sure yours is uncommented like the one above. If you have the default ssh port then
port = ssh will work, otherwise you need to replace the
=ssh with your ssh port number.
Once you have your configuration file the way you want it, restart fail2ban with
systemctl restart fail2ban.service