How to install and configure Fail2ban on CentOS 7, CentOS 6.x and Ubuntu 14.04
This is a step-by-step guide to installing and configuring the Fail2ban software on CentOS 7, CentOS 6.x and Ubuntu 14.04 Server. It is easy to follow and works as written.
Fail2ban basic theory
Every service exposed to the Internet is a potential target, so attackers and bots may try to compromise the system through it. This is a security risk that needs to be mitigated, and this is where Fail2ban comes in.
Fail2ban scans the log files of services such as SSH, SMTP, FTP, SIP, Apache, etc., and bans IP addresses that show malicious signs, that is, too many password failures or probing for exploits. Fail2ban helps you defend against brute-force-style attacks.
Fail2ban works by monitoring logs of common services to discover patterns in authentication failures. After fail2ban is configured to monitor the logs of a service, it will look at the filters for that service. The filter uses complex regular expressions to identify authentication failures, and the regular expression pattern is in a variable named failregex.
The jail.conf and jail.local files start with a [DEFAULT] section, which is followed by one section for each service. The DEFAULT section is read first, and its values apply to every jail unless a service section overrides them.
Files in /etc/fail2ban/jail.d/ can override settings in both jail.conf and jail.local.
Install Fail2ban on Ubuntu 14.04 server
sudo apt-get update
sudo apt-get install fail2ban
Install Fail2ban on CentOS 7 and 6.x
Step 1: Log in to the server as the root user.
sudo su -
or
su -
Step 2: If this is a freshly installed CentOS system, perform a system update (optional)
yum -y update
Since Fail2ban is not available in the official CentOS repository, we will use the EPEL (Extra Packages for Enterprise Linux) repository to install it. First add the repository, then leave it disabled by default so that it is only used when explicitly enabled:
yum -y install epel-release
sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
Step 3: Install Fail2ban
yum --enablerepo=epel install fail2ban fail2ban-systemd
See the screenshot below for the dependencies that will be downloaded.
After successful installation, you should see results similar to the following.
Step 4: If you have SELinux available, update your SELinux policy.
yum update -y selinux-policy*
If you want to disable SELinux, run
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
The change takes effect after a reboot. Then confirm that it is disabled by typing:
sestatus
You should see the message
SELinux status: disabled
Basic configuration
After the installation is complete, copy the default jail.conf file to create a local configuration file. The default Fail2ban configuration file is stored in /etc/fail2ban/jail.conf. Create a local copy of jail.conf with the following command
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Settings in jail.local override those in jail.conf, so your custom configuration survives package updates that replace jail.conf.
Step 5: Open the jail.local file for editing. You can use the Nano or VIM editor.
nano /etc/fail2ban/jail.local
or
vim /etc/fail2ban/jail.local
The first section is [DEFAULT]; it sets the basic rules that fail2ban will follow.
The DEFAULT settings apply to all sections. The important parameters specified in the DEFAULT context are:
ignoreip: a space-separated list of IP addresses, CIDR masks or DNS host names. Fail2ban never bans hosts that match an entry in this list.
maxretry: the maximum number of failed login attempts before fail2ban bans the host.
bantime: how long a host stays banned once it is found to violate a rule. The default is 600 seconds = 10 minutes. This is especially effective against bots: once banned, they usually move on to the next target.
protocol: the protocol used by the ban action (the default is tcp).
findtime: if a host generates "maxretry" failures within the last "findtime" seconds, the host is banned. The default is 600 seconds (10 minutes).
destemail: the e-mail address that receives ban alerts.
With these defaults, fail2ban bans a client that fails to log in 3 times within a 10-minute window.
# Email operation parameters
sendername: the name of the sender of the alert; it sets the "From" field of the e-mail.
mta: the mail transfer agent used to send the e-mail.
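To make the interaction of maxretry, findtime and bantime concrete, here is an added example (not part of the original tutorial or of Fail2ban's own code) that applies the same counting rule to constructed sshd log lines. The failregex is a simplified pattern written for this example, not the full one shipped in /etc/fail2ban/filter.d/sshd.conf.

```python
import re
from datetime import datetime, timedelta

# Simplified failregex for OpenSSH "Failed password" lines (assumption: the real
# sshd filter shipped with Fail2ban is much longer and covers many more cases).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def parse_ts(ts, year=2020):
    # syslog timestamps carry no year; assume one so lines can be compared
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate_jail(lines, maxretry=3, findtime=600, bantime=600, ignoreip=()):
    """Apply fail2ban's rule: a host with `maxretry` failures inside any
    `findtime`-second window is banned for `bantime` seconds.
    Returns {host: time the ban was applied} for every banned host."""
    failures = {}   # host -> timestamps of failures still inside the window
    bans = {}       # host -> time the ban started
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue                       # line does not match the filter
        host, when = m.group("host"), parse_ts(m.group("ts"))
        if host in ignoreip:
            continue                       # whitelisted, never banned
        if host in bans and when < bans[host] + timedelta(seconds=bantime):
            continue                       # ban still active, nothing to count
        window = failures.get(host, []) + [when]
        # keep only failures that fall inside the findtime window
        failures[host] = [t for t in window if when - t <= timedelta(seconds=findtime)]
        if len(failures[host]) >= maxretry:
            bans[host] = when
            failures[host] = []
    return bans

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.10 port 4421 ssh2
Mar  1 10:00:05 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 4422 ssh2
Mar  1 10:00:09 srv sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2
Mar  1 10:00:12 srv sshd[1204]: Failed password for root from 203.0.113.10 port 4423 ssh2
Mar  1 10:02:00 srv sshd[1205]: Failed password for root from 198.51.100.7 port 5101 ssh2
Mar  1 10:30:00 srv sshd[1206]: Failed password for root from 198.51.100.7 port 5102 ssh2
Mar  1 10:45:00 srv sshd[1207]: Failed password for root from 198.51.100.7 port 5103 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, started in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {started:%H:%M:%S}")
```

With the defaults, 203.0.113.10 is banned at its third failure inside ten minutes, while 198.51.100.7, whose three failures are spread over 45 minutes, never accumulates maxretry failures in one findtime window.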
Service configuration
Let's take a closer look at the basic SSH jail definition:
[sshd]
enabled = true
port = ssh
filter = sshd
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
Description:
enabled: tells Fail2ban to monitor the ssh service.
port: the service port (as referenced in the /etc/services file).
filter: the configuration file whose rules fail2ban uses to detect matches. The name corresponds to a file in "/etc/fail2ban/filter.d" without the ".conf" extension. For example, "filter = sshd" means "/etc/fail2ban/filter.d/sshd.conf".
logpath: the log file that fail2ban checks for failed login attempts.
action: tells fail2ban which steps to take to ban matching IP addresses. The files referenced here are in "/etc/fail2ban/action.d/" and have the extension ".conf". For example, "action = iptables" means /etc/fail2ban/action.d/iptables.conf.
Step 6: Now, restart the Fail2ban service for the new configuration to take effect.
sudo service fail2ban restart
Step 7: Run the Fail2Ban service
Start and enable Fail2ban and Firewalld
systemctl enable fail2ban systemctl start fail2ban
Start and enable the Firewalld daemon.
systemctl enable firewalld systemctl start firewalld
How to check the IPs banned by Fail2Ban
iptables -L -n
How to check Fail2Ban jail status
sudo fail2ban-client status
Step 8: How to unban an IP address
fail2ban-client set sshd unbanip IPADDRESS
You can also manually unban and ban IP addresses using the following command syntax: sudo fail2ban-client set JAIL unbanip|banip IPADDRESS
For example:
sudo fail2ban-client set sshd unbanip 192.168.1.45
sudo fail2ban-client set sshd banip 192.168.1.45
sshd: the name of the jail, in this case the "sshd" jail we configured above. IPADDRESS: the IP address to ban or unban.
Use the iptables command to view the rules that fail2ban puts into the IP table:
iptables -L
Conclusion
Fail2Ban consists of a client, a server and configuration files, and limits brute-force authentication attempts. The server program, fail2ban-server, is responsible for monitoring log files and issuing ban / unban commands. fail2ban-client configures it through a simple protocol; it can also read the configuration files and send the corresponding configuration commands to the server.
In this tutorial, we walked through installing Fail2ban step by step on CentOS 7 and CentOS 6.x servers. We also looked at the basic configuration settings and the DEFAULT context parameters. In the next tutorial, we will discuss how to add jail definitions to secure SSH, Apache and other server services.
To get the basic configuration after CentOS server installation, read: