How to install and configure Fail2Ban on CentOS 8 and Fedora 33

Fail2Ban is a log-parsing utility that scans the log files of various services and bans IP addresses that cause too many authentication failures. Once it detects repeated failed login attempts, Fail2Ban adds a firewall rule (through iptables or, with the packages shipped by these distributions, firewalld) that blocks the attacker's IP address temporarily or permanently. It can also notify you by email.

It mainly focuses on detecting intrusion attempts via SSH, but it can be configured to work with any service that writes a log file.

Prerequisites

  1. A Fedora 33 or CentOS 8 based server with a non-root user that has sudo privileges.

  2. Install the Nano editor, which is the editor used in this tutorial.

    $ sudo dnf install nano -y
    

Install Fail2Ban

To install Fail2Ban on CentOS 8, you need to enable the EPEL repository first.

$ sudo dnf install epel-release

Fedora 33 ships Fail2Ban in its default repositories, so this step is not needed there.

Run the following command to install Fail2Ban on Fedora 33 and CentOS 8.

$ sudo dnf install fail2ban

After installation, enable the service so that it starts at boot.

$ sudo systemctl enable fail2ban

Next, start the fail2ban service.

$ sudo systemctl start fail2ban

Now you can check the status of the service to see whether it is running.

$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-11-02 21:15:59 UTC; 5s ago
       Docs: man:fail2ban(1)
    Process: 19031 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 19032 (f2b/server)
      Tasks: 3 (limit: 1125)
     Memory: 11.0M
        CPU: 96ms
     CGroup: /system.slice/fail2ban.service
             └─19032 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Starting Fail2Ban Service...
Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Started Fail2Ban Service.
Nov 02 21:15:59 howtoforge-tutorial fail2ban-server[19032]: Server ready

Configure Fail2Ban

The Fail2Ban service keeps its configuration files in the /etc/fail2ban directory. You will find a file named jail.conf there. This file is overwritten when the package is upgraded, so it should not be edited.

Instead, all configuration should be done in a new file, which we will call jail.local. Settings in both of these files can also be overridden by files placed in the /etc/fail2ban/jail.d/ directory.

The configuration is applied in the following order:

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/jail.d/*.conf, in alphabetical order
  3. /etc/fail2ban/jail.local
  4. /etc/fail2ban/jail.d/*.local, in alphabetical order

jail.conf contains a [DEFAULT] section followed by one section per service; each such section is a jail. Any of these sections can be overridden by redefining it in one of the .local files listed above. A file read later wins over an earlier one, and a setting in a jail's own section wins over the same setting in [DEFAULT].
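To see how the four layers combine, here is an added example (not part of the original tutorial and not fail2ban's own code) that replays the read order above with Python's configparser, which is also what fail2ban builds on. The four files are constructed, much-shortened stand-ins for the real ones; the path variables that the real jail.conf pulls in from paths-fedora.conf are inlined into [DEFAULT], and 00-firewalld.conf is modelled on the drop-in installed by the fail2ban-firewalld package. Values are returned as the strings fail2ban would read (durations such as 10m are not converted).

```python
"""Replay fail2ban's jail configuration precedence (added example, not fail2ban code)."""
import configparser
from pathlib import PurePosixPath

# Constructed stand-ins for the real files, deliberately listed out of order so that
# load_order() has to sort them. Real jail.conf gets syslog_authpriv etc. from
# paths-fedora.conf; here they are inlined into [DEFAULT] for brevity.
CONSTRUCTED_FILES = {
    "/etc/fail2ban/jail.d/99-tighten.local": """
[sshd]
maxretry = 3
bantime = 1d
""",
    "/etc/fail2ban/jail.local": """
[DEFAULT]
bantime = 3600
backend = systemd

[sshd]
enabled = true
""",
    "/etc/fail2ban/jail.conf": """
[DEFAULT]
enabled = false
bantime = 10m
findtime = 10m
maxretry = 5
backend = auto
banaction = iptables-multiport
syslog_authpriv = /var/log/secure
sshd_log = %(syslog_authpriv)s
nginx_error_log = /var/log/nginx/error.log

[sshd]
port = ssh
logpath = %(sshd_log)s

[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
""",
    # modelled on the drop-in shipped by the fail2ban-firewalld package
    "/etc/fail2ban/jail.d/00-firewalld.conf": """
[DEFAULT]
banaction = firewallcmd-rich-rules
""",
}


def load_order(paths):
    """Sort paths the way fail2ban reads them:
    jail.conf, jail.d/*.conf (alphabetical), jail.local, jail.d/*.local (alphabetical)."""
    def rank(path):
        p = PurePosixPath(path)
        in_jail_d = p.parent.name == "jail.d"
        if p.name == "jail.conf":
            return (0, "")
        if in_jail_d and p.suffix == ".conf":
            return (1, p.name)
        if p.name == "jail.local":
            return (2, "")
        if in_jail_d and p.suffix == ".local":
            return (3, p.name)
        raise ValueError(f"not a fail2ban jail configuration file: {path}")
    return sorted(paths, key=rank)


def effective_config(files):
    """Merge the files in read order; each read_string() overrides earlier values."""
    cfg = configparser.ConfigParser()  # BasicInterpolation resolves %(name)s like fail2ban
    for path in load_order(files):
        cfg.read_string(files[path], source=path)
    return cfg


def jail_settings(cfg, jail,
                  keys=("enabled", "bantime", "findtime", "maxretry", "backend", "banaction", "logpath")):
    """Resolved values for one jail: its own section first, then [DEFAULT]."""
    return {key: cfg.get(jail, key) for key in keys}


if __name__ == "__main__":
    cfg = effective_config(CONSTRUCTED_FILES)
    for jail in ("sshd", "nginx-http-auth"):
        print(jail, jail_settings(cfg, jail))
```

With these files the sshd jail ends up with bantime 1d and maxretry 3 from 99-tighten.local, backend systemd from jail.local and banaction firewallcmd-rich-rules from 00-firewalld.conf, while nginx-http-auth, which nothing overrides, keeps the jail.local default bantime of 3600 and stays disabled.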

Configure jail.local

We will create a fresh jail.local file.

$ sudo nano /etc/fail2ban/jail.local

Paste the following code into it.

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd

[sshd]
enabled = true

Press Ctrl+X to close the editor and press Y when prompted to save the file. This sets a new default bantime for all jails, changes the backend to systemd (so Fail2Ban reads the journal instead of log files) and enables the sshd jail.

Restart Fail2ban to implement the new changes.

$ sudo systemctl restart fail2ban

We can confirm that the new settings have been applied with the fail2ban-client utility.

$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

We can also get the detailed status of an individual jail as follows.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

More settings

jail.conf provides many more settings that you can override in jail.local. Next, we will discuss some of them.

Whitelist IPs

You can whitelist (ignore) IP addresses so that they are never banned by Fail2Ban with the following lines in jail.local. Keep the loopback range in the list and replace 123.45.67.89 with the address you administer the server from, so that a typo in your own password cannot lock you out.

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89

If you only want to whitelist an IP for a particular jail, you can do it at runtime with fail2ban-client.

$ sudo fail2ban-client set JAIL addignoreip 123.45.67.89

Replace JAIL in the command with the name of the jail whose settings you want to change. Changes made with fail2ban-client set are not persistent; they are lost when the service restarts, so put permanent entries in jail.local.

Ban time and number of retries

Three settings control when an IP is banned and for how long.

bantime is the length of time that an IP stays banned, in seconds or with a unit suffix such as 10m or 1h. To make a ban permanent, set it to a negative value. The default is 10 minutes (600 seconds).

findtime is the window within which the failed attempts must occur for a ban to be triggered, again in seconds or with a unit suffix. For example, if Fail2Ban is set to ban an IP after 5 failed login attempts, those 5 attempts must all fall within the findtime window; the default is 10 minutes. Failures spread out more slowly than that never accumulate, so a very short findtime lets a patient attacker through.

maxretry is the number of failures from a single IP address within findtime before the ban is applied. The default is 5.

To customise these settings, add the following lines to the [DEFAULT] section of /etc/fail2ban/jail.local.

bantime = 3600
findtime = 300
maxretry = 4

Email reminder

To send email alerts, you need to install a mail transfer agent (MTA) first. For this tutorial we will install sendmail.

$ sudo dnf install sendmail

To receive emails, add the following lines under the [DEFAULT] section of /etc/fail2ban/jail.local, replacing the address with your own.

destemail = you@example.com
sendername = Fail2Ban
mta = sendmail
action = %(action_mw)s

destemail is the address at which you want to receive the mail. sendername is the name shown as the sender, so we use Fail2Ban. mta is the mail transfer agent in use, sendmail here; if you use Postfix, set mta to mail instead.

action is the default action taken once an intrusion is detected. The default value, %(action_)s, only bans the offending IP. %(action_mw)s bans it and sends an email containing a whois report; %(action_mwl)s bans it and sends an email containing the whois report and the relevant log lines. The action can also be overridden per jail.

Per-jail settings

We have seen that the [DEFAULT] section applies to all jails; now let's look at some specific jails and their settings.

SSHD jail

We already defined [sshd] in our jail.local file. We can customise it further with the following settings.

[sshd]

enabled = true
port = ssh
logpath = %(sshd_log)s

Here port uses the predefined service name ssh, which resolves to the default SSH port 22 via /etc/services. If sshd listens on another port, change this value, otherwise the ban rule will not cover the port that is actually under attack. logpath is the log file to monitor; %(sshd_log)s expands to the value defined in Fail2Ban's standard path configuration (/etc/fail2ban/paths-common.conf, which on Fedora and CentOS resolves to /var/log/secure through paths-fedora.conf). Because we set backend = systemd above, Fail2Ban reads the journal instead and logpath is not used; the "Journal matches" line in the fail2ban-client status output confirms this.

Nginx jail

Nginx has several jails available in Fail2Ban. For example, if the password-protected part of your website is being attacked repeatedly, you can enable [nginx-http-auth] in jail.local.

[nginx-http-auth]
enabled = true

We can also enable [nginx-botsearch] to ban clients that probe for folders or scripts that do not exist.

[nginx-botsearch]
enabled = true

Both jails read the Nginx error log named by their logpath. Because Nginx writes to files rather than to the journal, the global backend = systemd set earlier does not suit them; add backend = auto to each of these sections so that Fail2Ban watches the log file instead.

There are other Nginx jails that Fail2Ban does not pre-configure. They need to be created manually, and most of them can be modelled on the Apache jails that ship with Fail2Ban.

Fail2Ban filters and failregexes

There is another component of the Fail2Ban configuration called a filter. A filter determines whether a line in a log file indicates an authentication failure.

The filter value in a jail's configuration is the name of a file in the /etc/fail2ban/filter.d directory with the .conf extension removed; by default it is the same as the jail name.

You can check the directory to see the available filters.

$ ls /etc/fail2ban/filter.d

You will see the Nginx filters there, including nginx-botsearch.conf and nginx-http-auth.conf, one for each of the jails above.

These configuration files use regular expressions (regexes) to parse log files. These patterns are called failregexes, and the <HOST> placeholder inside them marks where the client address appears. You can customise or create new filters by writing your own regular expressions, and the fail2ban-regex utility shipped with Fail2Ban lets you test a filter against a log file or the journal before enabling its jail. We will not discuss these regular expressions in depth, because they are beyond the scope of this tutorial.
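To make the filter mechanism concrete, here is an added example (not part of the original tutorial and not fail2ban's own code) that does what fail2ban-regex does in miniature: it reads a [Definition] section in filter.d syntax, expands the <HOST> tag, and sorts constructed log lines into matched, missed and ignored. The filter text is constructed for this example and its patterns are shortened stand-ins for the kind of lines the real sshd filter matches, not copies of it; <HOST> is restricted to IPv4 here, whereas the real tag also matches IPv6 addresses and hostnames.

```python
"""Minimal filter tester in the spirit of fail2ban-regex (added example, not fail2ban code)."""
import configparser
import re

# Stand-in for fail2ban's <HOST> tag, restricted to IPv4; the real tag also matches IPv6 and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed filter in filter.d syntax. Continuation lines of failregex must be indented,
# exactly as in the real filter files. ignoreregex drops lines that would otherwise count.
CONSTRUCTED_FILTER = r"""
[Definition]
failregex = ^.*sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2$
            ^.*sshd\[\d+\]: Invalid user \S+ from <HOST> port \d+$
ignoreregex = ^.* from 10\.0\.0\.\d+ port \d+
"""


def load_filter(text):
    """Compile failregex/ignoreregex from a [Definition] section, expanding <HOST>."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    definition = cfg["Definition"]

    def compile_all(key):
        return [re.compile(pattern.replace("<HOST>", HOST_RE))
                for pattern in definition.get(key, "").splitlines() if pattern.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def classify_lines(filter_text, lines):
    """Classify lines like fail2ban-regex does: (matched [(host, line)], missed, ignored)."""
    failregex, ignoreregex = load_filter(filter_text)
    matched, missed, ignored = [], [], []
    for line in lines:
        if any(r.search(line) for r in ignoreregex):
            ignored.append(line)
            continue
        for r in failregex:
            m = r.search(line)
            if m:
                matched.append((m["host"], line))
                break
        else:
            missed.append(line)
    return matched, missed, ignored


# Constructed sshd log lines (TEST-NET and private addresses).
LINES = [
    "Nov  2 21:16:01 srv sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Nov  2 21:16:09 srv sshd[2002]: Invalid user admin from 203.0.113.8 port 51240",
    "Nov  2 21:16:15 srv sshd[2003]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Nov  2 21:16:20 srv sshd[2004]: Failed password for backup from 10.0.0.12 port 40002 ssh2",
    "Nov  2 21:16:25 srv sshd[2005]: Connection closed by 203.0.113.9 port 51300 [preauth]",
]

if __name__ == "__main__":
    matched, missed, ignored = classify_lines(CONSTRUCTED_FILTER, LINES)
    print("matched:", [host for host, _ in matched])
    print("missed: ", len(missed), "ignored:", len(ignored))
```

Two lines match and yield the attacker addresses, the successful login and the preauth disconnect are missed (correctly: they are not failures), and the failure from 10.0.0.12 is discarded by ignoreregex. Against a real system the equivalent check is fail2ban-regex with a log file (or systemd-journal) and the filter file as its arguments; a filter whose failregex misses the lines your service actually writes leaves the jail enabled but useless.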

Monitor Fail2Ban logs and firewall

You can check the status of Fail2Ban with systemctl, as mentioned earlier.

$ sudo systemctl status fail2ban

For more detail, you can use the journalctl command.

$ sudo journalctl -b -u fail2ban

You can also use fail2ban-client to check the status of fail2ban-server or of an individual jail.

$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name

You can also query the log file of Fail2ban.

$ sudo tail -F /var/log/fail2ban.log

You can list the rules currently configured in iptables. Note that on CentOS 8 and Fedora 33 the packaged default ban action uses firewalld (see /etc/fail2ban/jail.d/00-firewalld.conf), so bans appear as firewalld rich rules; list them with the firewall-cmd tool and its --list-rich-rules option. The iptables commands below show Fail2Ban's rules only if you have switched banaction to an iptables action.

$ sudo iptables -L

You can also list the iptables rules in a format that reflects the commands required to create them.

$ sudo iptables -S

Conclusion

This concludes our tutorial on installing and configuring Fail2Ban on Fedora 33 or CentOS 8 based servers. If you have any questions, please post them in the comments below.