This is a step-by-step guide to installing and configuring Fail2ban on CentOS 7, CentOS 6.x and Ubuntu 14.04 Server.
Basic Theory on Fail2ban
Every service exposed to the internet is a target: attackers and bots probe it continuously, hoping to guess a password or find a weakness and get into the system. This is a security concern that needs to be addressed, and it is exactly where Fail2ban comes in.
Fail2ban scans the log files of services such as SSH, SMTP, FTP, SIP and Apache and bans IP addresses that show malicious signs, i.e. too many password failures or requests that look for exploits. This helps you fend off brute-force attacks.
Fail2ban works by monitoring the logs of common services to spot patterns of authentication failure. Once Fail2ban has been configured to monitor the logs of a service, it applies a filter for that service. The filter identifies authentication failures using regular expressions; these patterns are stored in a variable called failregex.
> jail.conf and jail.local contain a [DEFAULT] section, followed by sections for the individual services. The DEFAULT section is read first, and its values apply to every jail that does not override them.
> Drop-in files placed in /etc/fail2ban/jail.d/ can override settings from both jail.conf and jail.local.
Installing Fail2ban on Ubuntu 14.04 server
sudo apt-get update
sudo apt-get install fail2ban
Installing Fail2ban on CentOS 7 and 6.x
Step 1: Log in to your server as the root user.
sudo su -
Step 2: If this is a fresh CentOS installation, update the system (optional).
yum -y update
Step 3: Fail2ban is not in the official CentOS repository, so we install it from EPEL (Extra Packages for Enterprise Linux). Add the EPEL repository first, then disable it by default so that only the packages you explicitly request are pulled from it:
yum -y install epel-release
sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
Now install Fail2ban, enabling EPEL for just this transaction. The fail2ban-systemd package adds the systemd journal backend and exists only for CentOS 7; on CentOS 6.x install the fail2ban package alone:
yum --enablerepo=epel install fail2ban fail2ban-systemd
See the screenshot below for the dependencies that will be downloaded.
After a successful installation you should see output similar to the one below.
Step 4: If SELinux is enabled, update the SELinux policy packages:
yum update -y selinux-policy*
Disabling SELinux is not recommended on an internet-facing server; the policy update above is the right fix. If you nevertheless want to disable it, change the SELINUX= line in /etc/selinux/config:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
The change takes effect after a reboot (setenforce 0 only switches the running system to permissive mode until the next boot). After rebooting, confirm the state by typing:
sestatus
You should see the message
SELinux status: disabled
Once the installation is complete, create a local configuration file. The default Fail2ban configuration is kept in /etc/fail2ban/jail.conf; use the command below to copy it to jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Settings in jail.local override those in jail.conf, and because package upgrades replace jail.conf but leave jail.local alone, your customisations survive updates.
Step 5: Open /etc/fail2ban/jail.local for editing with nano or vim.
The first section is [DEFAULT]. It sets the baseline rules that every jail inherits unless the jail overrides them; the important parameters in the DEFAULT context are:
ignoreip: A space-separated list of IP addresses, CIDR networks or DNS hostnames that Fail2ban will never ban. Add your own management address here so that a few mistyped passwords cannot lock you out of the server.
maxretry: Maximum number of failures a host may produce before Fail2ban bans it.
bantime: Time in seconds that a host stays banned once it violates a rule. The default is 600 seconds (10 minutes). Even a short ban is effective against bots, which, once banned, simply move on to the next target.
protocol: Protocol (tcp by default) handed to the ban action when it builds its firewall rule.
findtime: A host is banned if it generates maxretry failures within the last findtime seconds. The default is 600 seconds (10 minutes): with maxretry = 3, a client that fails to log in 3 times within a 10-minute window is banned.
destemail: Email address that receives ban alerts.
Email action parameters:
sendername: Name of the sender of the alerts; it sets the From field of the email.
mta: Mail transfer agent used to send the emails (sendmail by default).
Let’s take a closer look at a basic SSH jail:
[sshd]
enabled = true
port = ssh
filter = sshd
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
enabled: Turns the jail on, so Fail2ban watches the SSH service.
port: The service port(s) to block; a name such as ssh is resolved through /etc/services.
filter: The filter file whose regular expressions Fail2ban uses to detect matches. The name corresponds to a file in /etc/fail2ban/filter.d/ without the .conf extension: ‘filter = sshd’ refers to /etc/fail2ban/filter.d/sshd.conf.
logpath: The log file Fail2ban watches for failed login attempts. %(sshd_log)s is a variable from the paths-*.conf files that resolves to the distribution’s SSH log (/var/log/secure on CentOS, /var/log/auth.log on Ubuntu).
action: The steps Fail2ban takes to ban a matching IP address. The file is located in /etc/fail2ban/action.d/ without the .conf extension: ‘action = iptables’ refers to /etc/fail2ban/action.d/iptables.conf. If you run firewalld, as Step 7 does on CentOS 7, uncomment the firewallcmd-ipset line so that bans go through firewalld instead of raw iptables rules.
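The detection loop described above (filter regexes, maxretry, findtime, bantime and ignoreip) in miniature, as an added example that is not part of the original tutorial or of Fail2ban's own code: it replays a constructed sshd log excerpt through a simplified jail that counts failures per host inside a sliding findtime window. The two regular expressions are cut-down stand-ins for lines in filter.d/sshd.conf, the <HOST> tag is replaced by an IPv4-only named group, and the sample addresses are RFC 5737 documentation addresses; all of these are assumptions made for the example, not Fail2ban's real patterns.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-ins for two failregex lines from filter.d/sshd.conf.
# fail2ban substitutes its <HOST> tag with a host-capturing group; here an
# IPv4-only named group plays that role (assumption, to keep the example short).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
               + HOST + r" port \d+"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + HOST),
]
SYSLOG_TS = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")


def parse_timestamp(line):
    """Read the syslog prefix ('Jan 10 12:00:01'); the year is irrelevant here."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp in: " + line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S")


def match_failure(line):
    """Return the offending host when a failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


class Jail:
    """State of one jail: recent failures per host, plus the active bans."""

    def __init__(self, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        # ignoreip entries may be single addresses or CIDR networks.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps within findtime
        self.bans = {}                      # host -> time the ban expires

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host):
        return host in self.bans

    def expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban runs this on a timer)."""
        for host in [h for h, until in self.bans.items() if until <= now]:
            del self.bans[host]

    def process(self, line):
        """Feed one log line; return the host if this line triggered a ban."""
        now = parse_timestamp(line)
        self.expire(now)
        host = match_failure(line)
        if host is None or self.is_ignored(host) or self.is_banned(host):
            return None
        recent = self.failures[host]
        recent.append(now)
        # Sliding window: failures older than findtime no longer count.
        while recent and now - recent[0] > self.findtime:
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.bans[host] = now + self.bantime
            recent.clear()
            return host
        return None


# Constructed sshd log excerpt (RFC 5737 documentation addresses, not real hosts).
# 203.0.113.5 fails fast, 10.0.0.7 is an admin on a whitelisted network,
# 198.51.100.9 probes slowly, once every seven minutes.
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[4101]: Invalid user admin from 203.0.113.5
Jan 10 12:00:01 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 10 12:00:03 web1 sshd[4103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan 10 12:00:04 web1 sshd[4104]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Jan 10 12:00:05 web1 sshd[4105]: Failed password for root from 203.0.113.5 port 40131 ssh2
Jan 10 12:00:10 web1 sshd[4108]: Failed password for root from 10.0.0.7 port 6001 ssh2
Jan 10 12:00:12 web1 sshd[4108]: Failed password for root from 10.0.0.7 port 6001 ssh2
Jan 10 12:00:14 web1 sshd[4108]: Failed password for root from 10.0.0.7 port 6001 ssh2
Jan 10 12:01:00 web1 sshd[4120]: Failed password for root from 198.51.100.9 port 7001 ssh2
Jan 10 12:08:00 web1 sshd[4121]: Failed password for root from 198.51.100.9 port 7002 ssh2
Jan 10 12:15:00 web1 sshd[4122]: Failed password for root from 198.51.100.9 port 7003 ssh2"""


def run_sample(log=SAMPLE_LOG, maxretry=3, findtime=600, bantime=86400,
               ignoreip=("127.0.0.1/8", "10.0.0.0/8")):
    """Replay the log through one jail; return (jail, hosts banned in order)."""
    jail = Jail(maxretry, findtime, bantime, ignoreip)
    banned = [h for h in (jail.process(l) for l in log.splitlines()) if h]
    return jail, banned


if __name__ == "__main__":
    jail, banned = run_sample()
    print("banned:", banned)
```

Run with python3: 203.0.113.5 is banned on its third failure and its later lines are skipped, the whitelisted 10.0.0.7 is never counted, and the slow scanner 198.51.100.9 escapes because no three of its failures fall inside one 600-second window. Calling run_sample(findtime=1800) catches it as well, which is exactly the trade-off the findtime parameter controls: a longer window catches slow probing at the cost of more state and a higher chance of banning a forgetful legitimate user.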
Step 6: Restart the Fail2ban service so that the new configuration takes effect.
sudo service fail2ban restart
Step 7: Running the Fail2ban service
On CentOS 7, start and enable Fail2ban:
systemctl enable fail2ban
systemctl start fail2ban
Then start and enable the firewalld daemon as well, since the firewallcmd actions depend on it:
systemctl enable firewalld
systemctl start firewalld
How to check which IPs Fail2ban has banned
iptables -L -n
How to check the status of the Fail2ban jails
sudo fail2ban-client status
Append a jail name to that command to see the IP addresses that particular jail has currently banned.
Step 8: How to unban an IP address
fail2ban-client set sshd unbanip IPADDRESS
You can also ban and unban an IP address manually with the following syntax:
sudo fail2ban-client set <jail> banip|unbanip <ip address>
sudo fail2ban-client set sshd unbanip 192.168.1.45
sudo fail2ban-client set sshd banip 192.168.1.45
sshd: the name of the jail, in this case the sshd jail we configured in Step 5.
IPADDRESS: the IP address to be banned or unbanned.
Run iptables -L -n, as above, to see the chains and rules that Fail2ban has inserted into the firewall.
Fail2ban consists of a client, a server and configuration files that together limit brute-force authentication attempts. The server program fail2ban-server monitors the log files and issues the ban and unban commands. It is configured over a simple protocol by fail2ban-client, which can also read the configuration files and send the corresponding configuration commands to the server.
In this tutorial we covered the step-by-step installation of Fail2ban on CentOS 7, CentOS 6.x and Ubuntu 14.04 servers, the basic configuration settings and the parameters of the DEFAULT context. In the next tutorial we’ll look at how to add jails that protect SSH, Apache and other server services.
To get basic configurations after CentOS server installation read: