Because the configuration settings in fail2ban 0.9.0 have been completely refactored, automating fail2ban hardening on CentOS 7 is no longer safe by merely running yum install fail2ban.
It will also apparently no longer work if you uncomment the sshd enabled jail in local.conf or jail.conf.
The newer refactored configuration suggests using a dedicated file for this, to prevent it being overwritten, as I have now set in my /etc/fail2ban/jail.d/sshd.local:
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
Do note firewallcmd-ipset needs to be commented out or fail2ban will not start.
Once it has been configured like this, it is happy again, and it worked straight away, banning my home IP! Whereas before it was quite literally failing to ban :-)
Of course you might need to install it first:
yum install -y epel-release
yum install -y fail2ban fail2ban-systemd
You might also want to start fail2ban, and also set it to run on startup:
systemctl enable fail2ban
systemctl start fail2ban
If you run SELinux, then you’ll need this (running this command may have security implications):
yum update selinux-policy*
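Since a bare yum install leaves the sshd jail disabled, a provisioning script can lint the jail.d override described above before trusting it. This is an added example, not part of the original post; the function name check_sshd_jail is made up here, it only accepts the "enabled = true" form shown above, and it does not follow values inherited from [DEFAULT].

```bash
#!/usr/bin/env bash
# Added example: offline lint of a fail2ban jail.d override file.
# check_sshd_jail FILE returns 0 only if the [sshd] section has an active
# "enabled = true" line and no active firewallcmd-ipset action line.
# Assumptions: only the literal value "true" counts as enabled, and
# settings inherited from [DEFAULT] are not considered.

check_sshd_jail() {
    local file=$1
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    awk '
        # Commented-out (# or ;) and blank lines have no effect.
        /^[ \t]*([#;]|$)/ { next }
        # Remember which [section] the following keys belong to.
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "sshd" {
            # Split "key = value" on the first "=" and trim both sides.
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = tolower(val)
            if (key == "action" && val ~ /firewallcmd-ipset/) ipset = 1
        }
        END {
            if (enabled != "true") { print "FAIL: [sshd] is not enabled"; exit 1 }
            if (ipset) { print "FAIL: firewallcmd-ipset action is active"; exit 1 }
            print "OK: [sshd] enabled"
        }
    ' "$file"
}

# When run as a script with a path argument, lint that file.
if [ "$#" -gt 0 ]; then
    check_sshd_jail "$1"
fi
```

On a live host, fail2ban-client status sshd then shows whether the running server actually loaded the jail.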