In this guide we shall discuss how to install and configure Fail2ban on CentOS 8 | RHEL 8. Fail2ban is an open-source intrusion detection and prevention tool that scans log files for IP addresses showing signs of malicious activity, such as repeated failed password login attempts. It then bans those IPs by updating firewall rules to reject traffic from them.
Fail2ban can be used to protect different services on a Linux system, including sshd, WordPress logins, Postfix and others.
Install Fail2ban on CentOS 8 | RHEL 8
You have to install EPEL repository on your CentOS/RHEL 8 system to get the Fail2ban package.
sudo dnf -y install epel-release
Install Fail2ban package:
sudo dnf -y install fail2ban
Start and enable Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Configure Fail2ban on CentOS 8 | RHEL 8
After a successful installation, the next step is to configure fail2ban.
Fail2ban configuration files reside in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf, and the filters are stored in /etc/fail2ban/filter.d/.
It is not recommended to make changes directly to the jail.conf file, because its settings are overridden by those in *.local files.
So the best practice is to create a separate file, jail.local, that will contain our configuration.
Let’s configure some defaults in the jail.local file:
sudo vi /etc/fail2ban/jail.local
Add the following parameters:
[DEFAULT]
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
banaction_allports = iptables-allports
A brief description of the above parameters:
- bantime – the amount of time, in seconds, for which the IP will be banned
- maxretry – the number of failures allowed before a host is banned
- findtime – fail2ban bans a host if it has generated “maxretry” failures within the last “findtime” seconds
- banaction – the type of ban action to be implemented
- ignoreip – IP addresses that fail2ban should never ban (not set above; add it if you have trusted management hosts)
- backend – the backend used to detect log file modifications (systemd reads the journal)
- banaction_allports – the action used when a jail should block the remote IP on every port, not just the service’s ports
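To make the interaction between findtime, maxretry and bantime concrete, here is a small Python replay of the jail logic over constructed /var/log/secure-style lines. This is an added example, not code from Fail2ban or from this guide; the regex and sample log are simplified stand-ins for the real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the [DEFAULT] section above.
BANTIME = 21600   # seconds an IP stays banned
FINDTIME = 300    # window (seconds) in which failures are counted
MAXRETRY = 3      # failures within FINDTIME that trigger a ban

# Simplified sshd-style failregex (constructed; the real filter.d/sshd.conf has many more patterns).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2021):  # syslog timestamps carry no year, so one is assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def run_jail(lines, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order and return {ip: ban_expiry} for banned IPs."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}                       # ip -> datetime at which the ban expires
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue                # no failregex match: the filter ignores the line
        ip, now = m["ip"], parse_ts(m["ts"])
        if ip in bans and now < bans[ip]:
            continue                # still banned: the firewall would drop this client
        window = failures[ip]
        window.append(now)
        # Forget failures older than findtime; only the recent burst counts.
        while now - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = now + timedelta(seconds=bantime)
            window.clear()
    return bans

# Constructed sample: one fast brute-force burst and one slow attacker spaced wider than findtime.
SAMPLE_LOG = """\
Nov 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Nov 10 10:00:05 host sshd[1002]: Failed password for root from 198.51.100.7 port 50002 ssh2
Nov 10 10:01:02 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Nov 10 10:03:03 host sshd[1004]: Accepted publickey for deploy from 192.0.2.9 port 50004 ssh2
Nov 10 10:04:04 host sshd[1005]: Failed password for root from 203.0.113.5 port 50005 ssh2
Nov 10 10:06:06 host sshd[1006]: Failed password for root from 198.51.100.7 port 50006 ssh2
Nov 10 10:12:07 host sshd[1007]: Failed password for root from 198.51.100.7 port 50007 ssh2
""".splitlines()
```

With the defaults above only 203.0.113.5 is banned (three failures in four minutes); 198.51.100.7 also fails three times but six minutes apart, so it never accumulates maxretry failures inside one findtime window until findtime is widened.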
Configuring Jails to secure SSH, Postfix and Dovecot
In this section we shall look at how to configure Fail2ban jails for SSH, Postfix and Dovecot.
In the /etc/fail2ban/jail.local file, add parameters for the services you wish to enable.
For SSH:
[sshd]
enabled = true
port = ssh
filter = sshd
# RHEL/CentOS write SSH authentication events to /var/log/secure (Debian uses
# /var/log/auth.log); with backend = systemd the journal is read instead.
logpath = /var/log/secure
For Postfix:
[postfix]
enabled = true
port = smtp,465,submission
For Dovecot:
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
For Postfix SASL authentication:
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
In the above configuration, the following attributes have been used:
- enabled – can be set to true or false to enable or disable the jail.
- port – the port(s) on which the service is running. You can use the service name if the default ports are in use; otherwise you need to specify the port number explicitly.
- filter – the name of the filter file in the /etc/fail2ban/filter.d/ directory, which contains the failregex patterns used to parse the logs. If omitted, the filter with the same name as the jail is used.
- logpath – the path to the service’s log file.
Using Fail2ban client
fail2ban-client is the command line tool used to control the Fail2ban server from the shell.
The general usage is
Below is a list of common fail2ban-client commands:
- start: starts the fail2ban server and its jails
- reload: reloads the Fail2ban configuration
- stop: stops the server
- status: shows the status of the server and the enabled jails
- status JAIL: shows the status of the given jail and the currently banned IPs
1. fail2ban-client status
$ sudo fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth
2. fail2ban-client status sshd
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 22
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 4
   `- Banned IP list:
3. Unbanning an IP:
To remove an IP address from a jail, use the following command:
$ sudo fail2ban-client set <jailname> unbanip <IP>
$ sudo fail2ban-client set sshd unbanip 192.168.100.12
In the above example, we have removed IP 192.168.100.12 from the sshd jail.
We have gone through a guide on how to set up Fail2ban on CentOS/RHEL 8. The tool is useful for detecting and preventing attacks such as brute-force logins on a RHEL/CentOS 8 system.