Protecting system services with fail2ban

A firewall is a great thing to have but it doesn't do much to protect services that are allowed. A firewall only goes as far as to allow or disallow access. But once access is allowed to a service, its security depends on its configuration and whether or not there are any security vulnerabilities. A service worth installing is fail2ban, which is a neat little tool that runs in the background and watches your logs for anything out of the ordinary, such as multiple failures to access a service. The most popular use of fail2ban is to protect SSH from those attempting to brute force it. In a lot of ways, fail2ban is the successor to denyhosts, which pretty much did the same thing. But fail2ban is able to protect more services than just SSH, another example being Apache.

When fail2ban sees that a source is repeatedly attempting to access a service and failing, it sets up a firewall rule on the fly to block that source from reaching the service on your server. To begin, install the fail2ban package on your server. On Debian systems, it is available in the default repositories. CentOS systems will find this package in the epel repository that we've set up in the past. Once installed, start it and enable it at boot with systemctl, if it isn't already running, using the following commands:

# systemctl start fail2ban
# systemctl enable fail2ban

Inside the /etc/fail2ban directory, you should see the main configuration file, jail.conf. It's a good idea to copy this configuration to a local copy, because if you edit jail.conf directly, it's always possible a package upgrade could overwrite your changes. The fail2ban service will read jail.local if it finds it, and a package upgrade will not overwrite that file:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now that we have a local copy, we can configure it to protect our services. Let's start with SSH. To do so, open /etc/fail2ban/jail.local in a text editor and look for the [ssh] section. On my system, this section looks like this:

[ssh]
enabled  = true
port     = 65256
filter   = sshd
action   = iptables[name=SSH, port=65256, protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 6

As you can see, the configuration is fairly self-explanatory. The first line enables the SSH jail; the filter line tells fail2ban to match log entries using the sshd filter; and the logpath line tells it to look in /var/log/auth.log for messages related to SSH. Although you've probably already noticed, we need to call out the SSH port in this file. If you stick with port 22, you can leave the relevant portions of the file as they are in your configuration. But if you changed your SSH port to something else, be sure to adjust accordingly. There are two places where the SSH port appears: the first on line three and the second on line five.
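To make the jail's behaviour concrete, here is an added example (not from the book or from the fail2ban project) that does by hand what the [ssh] jail above does automatically: it scans sample lines in the format sshd writes to /var/log/auth.log, counts failed password attempts per source address, reports every address at or above a maxretry threshold, and prints the kind of reject rule a ban would produce. The log lines are constructed for the example, the addresses are documentation ranges, and the iptables rule is an illustrative equivalent of the action line rather than fail2ban's own action script; nothing is applied to the firewall.

```bash
#!/bin/sh
# Constructed sample auth.log lines (not real traffic): six failures from one
# source, two from another, one successful login that must not count.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:08 host sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:01:11 host sshd[1237]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:14 host sshd[1238]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:01:17 host sshd[1239]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:30 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:41 host sshd[1241]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:00 host sshd[1242]: Accepted password for alice from 192.0.2.10 port 40010 ssh2'

# count_failures MAXRETRY
# Plays the role of the sshd filter plus the maxretry setting: counts
# "Failed password" entries per source address and prints "IP COUNT" for
# each address that reached the threshold, sorted for stable output.
count_failures() {
    maxretry="$1"
    printf '%s\n' "$SAMPLE_LOG" | awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            # The address is the field right after the literal word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++ }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# build_block_rules MAXRETRY PORT
# Plays the role of the action line: for every offending address, emits the
# reject rule a ban would add for the SSH port. Rules are printed, not run.
build_block_rules() {
    count_failures "$1" | while read -r ip n; do
        printf 'iptables -I INPUT -p tcp --dport %s -s %s -j REJECT\n' "$2" "$ip"
    done
}

# Dry run with the book's settings: maxretry = 6 on port 65256.
build_block_rules 6 65256
```

Running the script prints a single rule for 203.0.113.5, the only address in the sample with six failures; lowering the threshold to 2 would also catch 198.51.100.7, which is why maxretry is worth tuning per service rather than setting very low. The real sshd filter also matches other failure messages (for example invalid-user and authentication-failure lines), so this counter is deliberately narrower than fail2ban's own.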

Now that we have our configuration in place, we can restart fail2ban in order to start securing SSH for us:

# systemctl restart fail2ban

Take a look at the configuration file for other services that we may want to enable. An example could be Apache for our web server, or even NGINX if you have that set up. The default configuration file contains many examples you can use. To use one, simply change enabled = false to enabled = true in that service's section and then restart fail2ban.
