How to install and configure Fail2Ban on CentOS 8 and Fedora 33
Fail2Ban is a log parsing utility that scans the log files of various services and bans IP addresses that cause too many password failures. After detecting a failed login attempt, Fail2Ban adds rules to iptables to temporarily or permanently block the attacker's IP address. It can also notify you via email.
It mainly focuses on detecting intrusions via SSH, but it can be configured to work with any service that writes log files.
Prerequisites: a Fedora 33 or CentOS 8 based server with a non-root user with sudo privileges.
Install the Nano editor, which we will use for editing files.
$ sudo dnf install nano -y
To install Fail2Ban on CentOS 8, you need to install the EPEL repository first.
$ sudo dnf install epel-release
Fedora 33 ships Fail2Ban in its default repositories.
Run the following command to install Fail2Ban on Fedora 33 and CentOS 8.
$ sudo dnf install fail2ban
After installation, we need to enable the service.
$ sudo systemctl enable fail2ban
Next, start the fail2ban service.
$ sudo systemctl start fail2ban
Now you can check the status of the service to see whether it is running normally.
$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-11-02 21:15:59 UTC; 5s ago
     Docs: man:fail2ban(1)
  Process: 19031 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 19032 (f2b/server)
    Tasks: 3 (limit: 1125)
   Memory: 11.0M
      CPU: 96ms
   CGroup: /system.slice/fail2ban.service
           └─19032 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Nov 02 21:15:59 howtoforge-tutorial systemd: Starting Fail2Ban Service...
Nov 02 21:15:59 howtoforge-tutorial systemd: Started Fail2Ban Service.
Nov 02 21:15:59 howtoforge-tutorial fail2ban-server: Server ready
The Fail2Ban service keeps its configuration files in the /etc/fail2ban directory. There you will find a file named jail.conf. This file is usually overwritten during package upgrades, so it should not be edited. Instead, all configuration should be done in a new file, which we will call jail.local. The settings in these two files can in turn be overridden by files in the /etc/fail2ban/jail.d/ directory.
The configuration is applied in the following order, with later files overriding earlier ones:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf, in alphabetical order
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local, in alphabetical order
jail.conf contains a [DEFAULT] section followed by a section for each service. Any of these sections can be overridden by defining them in the files listed above.
We will create a fresh jail.local file.
$ sudo nano /etc/fail2ban/jail.local
Paste the following configuration into it.
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd

[sshd]
enabled = true
Press Ctrl + X to close the editor and press Y when prompted to save the file. This sets a new default bantime for all services, changes the backend to systemd and enables the sshd jail.
Restart Fail2ban to implement the new changes.
$ sudo systemctl restart fail2ban
We can confirm that the new settings have been applied using fail2ban-client.
$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
We can also get the detailed status of an individual jail as follows.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
jail.conf provides many more settings, which you can override in the jail.local file. Next, we will discuss some of them.
You can use the following lines to whitelist IPs so that they are never banned by Fail2ban.
[DEFAULT]
ignoreip = 127.0.0.1/8 188.8.131.52
If you only want to whitelist an IP for a particular jail, you can do so with fail2ban-client.
$ sudo fail2ban-client set JAIL addignoreip 184.108.40.206
Replace JAIL in the command above with the name of the jail whose settings you want to change.
Ban time and number of retries
There are three settings that control the retry window and the ban duration.
bantime - the length of time (in seconds) for which an IP is banned. To set a permanent ban, set this value to a negative number. The default value is 10 minutes, or 600 seconds.
findtime - the window of time between login attempts within which failures are counted before a ban is set. This value is always in seconds. For example, if Fail2ban is set to ban an IP after 5 failed login attempts, those 5 attempts must occur within the set findtime of 10 minutes.
maxretry - the number of retries from a single IP address before a ban is imposed. The default value is 3.
To customize these settings, paste the following lines into the /etc/fail2ban/jail.local file under the [DEFAULT] section.
bantime = 3600
findtime = 300
maxretry = 4
To send email alerts, you need to install a mail transfer agent (MTA) first. For our purposes, we will install Sendmail.
$ sudo dnf install sendmail
To receive emails, add the following lines to the /etc/fail2ban/jail.local file under the [DEFAULT] section.
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
action = %(action_mw)s
destemail is the address at which you want to receive the mail.
sendername is the name of the sender, for which we use Fail2Ban.
mta is the mail transfer agent being used, sendmail here. If you are using Postfix, use the value corresponding to it instead.
action is the default action taken once an intrusion is detected. The default value %(action_)s only bans the offending host.
%(action_mw)s bans the host and sends an email containing a Whois report, and
%(action_mwl)s bans the host and sends an email containing the Whois report and the relevant log lines. The action can also be changed per jail.
Settings for individual jails
Now that we know that the [DEFAULT] section applies to all jails, it is time to look at some specific jails and their settings.
We already defined [sshd] earlier in our jail.local file. We can customize it further with the following lines.
[sshd]
enabled = true
port = ssh
logpath = %(ssh_log)s
In this case, we are using predefined variables.
ssh is the default SSH port. If you use a different SSH port, you should change this value.
logpath is the location of the log file to be monitored.
%(ssh_log)s uses the value defined in Fail2ban's standard configuration files.
Nginx has several jails available in Fail2Ban. For example, if the password-protected part of your website is being attacked repeatedly, you can add the following to the jail.local file.
[nginx-http-auth]
enabled = true
We can also add a jail called [nginx-botsearch] to stop requests for folders or locations that do not exist.
[nginx-botsearch]
enabled = true
There are other Nginx jails, but they are not pre-configured in Fail2Ban. They need to be created manually, and most of them can be based on the Apache jails that ship with Fail2Ban.
Fail2Ban filters and failregexes
There is another setting in the Fail2Ban configuration called a filter. The filter determines whether a line in a log file indicates an authentication failure.
The filter value in the configuration corresponds to a file in the /etc/fail2ban/filter.d directory with the .conf extension removed.
You can list the directory to see the available filters.
$ ls /etc/fail2ban/filter.d
You will see the two Nginx filters discussed above among them.
These filter files use regular expressions (regex) to parse log files. These expressions are called failregexes. You can customize them or create new filters by writing your own regular expressions. We will not discuss these regular expressions in depth, because they are beyond the scope of this tutorial.
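To make the failregex and the bantime/findtime/maxretry settings from the earlier section concrete, the following added example (written for this article, not code from the Fail2Ban project) applies a simplified sshd failregex to constructed journal lines and counts failures per host inside a sliding findtime window, banning a host once it reaches maxretry. The log lines, host names and addresses are constructed samples, and the regex is a hand-written approximation of the one in filter.d/sshd.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd's journal format (not taken from a real host).
SAMPLE_LOG = """\
Nov 02 21:16:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov 02 21:16:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 40123 ssh2
Nov 02 21:16:05 host sshd[2003]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Nov 02 21:16:09 host sshd[2004]: Failed password for root from 203.0.113.5 port 40124 ssh2
Nov 02 21:16:12 host sshd[2005]: Failed password for root from 203.0.113.5 port 40125 ssh2
Nov 02 21:30:00 host sshd[2006]: Failed password for root from 203.0.113.9 port 40200 ssh2
Nov 02 21:40:00 host sshd[2007]: Failed password for root from 203.0.113.9 port 40201 ssh2
Nov 02 21:50:00 host sshd[2008]: Failed password for root from 203.0.113.9 port 40202 ssh2
Nov 02 22:00:00 host sshd[2009]: Failed password for root from 203.0.113.9 port 40203 ssh2
"""

# A Fail2Ban failregex uses a <HOST> placeholder that the server replaces with a
# pattern capturing the offending address; the same substitution is done by hand here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    (r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
     r"(?:invalid user )?\S+ from <HOST> port \d+").replace("<HOST>", HOST_RE))

def stamp(text):
    """Syslog-style timestamp (no year) to seconds, for window arithmetic."""
    return (datetime.strptime(text, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def failures(log_text):
    """Return [(seconds, host)] for each line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:  # 'Accepted publickey' lines do not match and are ignored
            hits.append((stamp(m.group("ts")), m.group("host")))
    return hits

def simulate_jail(log_text, findtime=300, maxretry=4, bantime=3600):
    """Apply the jail.local counting rules: a host is banned once it has maxretry
    matches inside a findtime-second window. Returns {host: (ban_start, ban_end)}."""
    recent = defaultdict(list)
    bans = {}
    for when, host in failures(log_text):
        if host in bans and when < bans[host][1]:
            continue  # still banned: the firewall rule would have dropped this attempt
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry:
            end = float("inf") if bantime < 0 else when + bantime  # negative bantime = permanent
            bans[host] = (when, end)
            recent[host] = []
    return bans
```

With the tutorial's values (findtime = 300, maxretry = 4) only the fast burst from 203.0.113.5 is banned, while the slow attempts from 203.0.113.9 spaced ten minutes apart never reach four inside the window; widening findtime to 3600 catches them too.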
Monitoring Fail2Ban logs and the firewall
You can check the status of Fail2Ban in the following ways.
Using systemctl, as mentioned earlier:
$ sudo systemctl status fail2ban
To see more details, you can use journalctl:
$ sudo journalctl -b -u fail2ban
You can also use fail2ban-client to check the status of fail2ban-server or of an individual jail.
$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name
You can also follow Fail2ban's own log file.
$ sudo tail -F /var/log/fail2ban.log
You can list the rules currently configured in iptables.
$ sudo iptables -L
You can also list iptables rules in a format that reflects the commands required to enable these rules.
$ sudo iptables -S
This concludes our tutorial on installing and configuring Fail2Ban on Fedora 33 or CentOS 8 based servers. If you have any questions, please post them in the comments below.