How to install and configure Fail2ban on CentOS 7, CentOS 6.x and Ubuntu 14.04

This is a step-by-step guide to installing and configuring the Fail2ban software on CentOS 7, CentOS 6.x and Ubuntu 14.04 Server. It’s easy to follow and work. Fail2ban basic theory
Since all services exposed to the Internet are vulnerable, hackers and bots may compromise the system. This is a security issue that needs to be avoided, and this is where Fail2ban comes in.
Fail2ban scans services in log files, such as SSH, SMTP, FTP, SIP, Apache, etc., and prohibits IP addresses that show malicious signs, that is, too many passwords fail to seek exploitation. Fail2ban helps you avoid brute-force-like attacks.
Fail2ban works by monitoring logs of common services to discover patterns in authentication failures. After fail2ban is configured to monitor the logs of a service, it will look at the filters for that service. The filter uses complex regular expressions to identify authentication failures, and the regular expression pattern is in a variable named failregex.
jail.conf and jail.local files include [DEFAULT] Section, this section is followed by sections for each service. The DEFAULT part is executed first,
Files in /etc/fail2ban/jail.d/ can overwrite files in jail.conf and jail.local Install Fail2ban on Ubuntu 14.04 server

sudo apt-get update
 sudo apt-get install fail2ban

Install Fail2ban on CentOS 7 and 6.x Step 1: Log in to the server as the root user.

sudo su -

Either

su -

Step 2: If you are a newly installed CentOS, perform a system update (optional)

yum -y update

Since Fail2ban is not available in the official CentOS repository, we will use the EPEL (Extra Package for Enterprise Linux) repository to install Fail2ban. First add them:

yum -y install epel-release 
sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo

Step 3: Install Fail2ban

yum --enablerepo=epel install fail2ban fail2ban-systemd

See the screenshot below for the dependencies that will be downloaded.

After successful installation, you should see results similar to the following.

Step 4: If you have SELinux available, update your SELinux policy.

yum update -y selinux-policy*

If you want to disable SELinux, run

sed -i 's/(^SELINUX=).*/SELINUX=disabled/' /etc/selinux/config

Then confirm that it is disabled by typing:

sestatus

You should see the message

SELinux status: disabled

basic configuration.
After the installation is complete, copy the default jail.conf file to create a local configuration file. The default Fail2ban configuration file is stored in /etc/fail2ban/jail.conf. Create a local copy of jail.conf with the following command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The jail.local file will override the jail.conf file and is used to make your custom configuration updates secure. Step 5: Open the jail.local file for editing. You can use Nano or VIM editor.

nano /etc/fail2ban/jail.local

Either

nano /etc/fail2ban/jail.local

The first part is [ DEFAULT ] In part, it introduces the basic rules that fail2ban will follow.
The DEFAULT setting applies to all sections, and the important parameters specified in the DEFAULT context are: ignoreip: can be an IP address, a CIDR mask or a DNS host. Fail2ban does not ban hosts that match the addresses in this list. This is a space-separated list of IP addresses that cannot be blocked by fail2banmaxretry: the maximum number of failed login attempts before the host is banned by fail2ban.ban.bantime. If a host is found to violate any rules, the host will be banned. The default is 600 seconds = 10 minutes. This is especially useful for banned bots, once banned, they will go directly to the next target protocol: use the default protocol. findtime: If the host generated “maxretry” during the last “findtime”, the host is banned. Set to 600 seconds (10 minutes). Fail2ban.destemail: E-mail addresses banned from receiving banned message alerts will ban clients that attempt to log in 3 times within a 10-minute window
# Email operation parameter sendername: The name of the sender of the alert. Set the value of the “From” field in email.mta: Configure the mail service for sending emails.

Service configuration
Let’s take a closer look at the basic SSH prison files

[sshd]
enabled = true
port = ssh
filter = sshd
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Description: enabled: This means that Fail2ban is allowed to check the ssh serviceport: service port (referenced in / etc / services file) filter: This refers to the configuration file where fail2ban will use these rules to detect matches. This name corresponds to the file located in “/etc/fail2ban/filter.d”; without the “.conf” extension. For example: “filter = sshd” means “/etc/fail2ban/filter.d/sshd.conf”. The name is a simplified version of the file extension. logpath: refers to the log file that fail2ban uses to check failed login attempts. Action: Tell fail2ban to take steps to ban matching IP addresses. The files referenced here are in “/etc/fail2ban/action.d/” and have the extension “.conf”. For example: “action = iptables” means /etc/fail2ban/action.d/iptables.conf. Step 6: Now, restart the Fail2ban service for the new configuration to take effect.

sudo service fail2ban restart

Step 7: Run the Fail2Ban service
Start and enable Fail2ban and Firewalld

systemctl enable fail2ban
systemctl start fail2ban

Start and enable the Firewalld daemon.

systemctl enable firewalld
systemctl start firewalld

How to check forbidden IPs by Fail2Ban

iptables -L -n

How to check Fal2Ban prison conditions

sudo fail2ban-client status

Step 8: How to cancel the IP address

fail2ban-client set sshd unbanip IPADDRESS

You can also manually cancel and ban IP addresses using the following command syntax: sudo fail2ban-client set Banip
E.g

sudo fail2ban-client set sshd unbanip 192.168.1.45
sudo fail2ban-client set sshd banip 192.168.1.45

sshd: is the name of the prison, in this case the “sshd” prison we configured in step 4. IPADDRESS: IPs that need to be banned or banned
Use the iptables command to view the rules that fail2ban puts into the IP table:

iptables -L

in conclusion

Fail2Ban consists of a client, server, and configuration file to limit brute force authentication attempts. The server program fail2ban-server is responsible for monitoring log files and issuing ban / unban commands. Fail2ban-client configures it through a simple protocol, which can also read configuration files and issue corresponding configuration commands to the server.
In this tutorial, we introduced the process of installing Fail2ban step by step on CentOS 7 and CentOS 6.x servers. We also studied the basic configuration settings and DEFAULT context parameters. In the next tutorial, we will discuss how to add a prison file to secure SSH, Apache, and other server services.
To get the basic configuration after CentOS server installation, read:

Main things to do after a fresh installation of CentOS 7 Minimum