Install and configure Fail2ban on CentOS 8 | RHEL 8

You can download this article in PDF format via the link below to support us.Download the guide in PDF formatClose

In this guide, we will discuss how to install and configure Fail2ban on Centos 8. RHEL8. Fail2ban is an open source intrusion detection and defense tool that can scan for malicious IP addresses in the access log. The malicious IP addresses show signs of multiple failed password login attempts. Then, the tool bans IP by updating firewall rules to deny IP addresses.

Fail2ban can be used to protect different services on Linux systems, including sshd, wordpress access, postfix, etc.

Install Fail2ban on CentOS 8 | RHEL 8

You must install EPEL repository on CentOS/RHEL 8 system to get Fail2ban package.

sudo dnf -y install epel-release

Install the Fail2ban package:

sudo dnf -y install fail2ban

Start and enable Fail2ban

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configure Fail2ban on CentOS 8 | RHEL 8

After successful installation, the next step is to configure fail2ban.

The Fail2ban configuration file resides in /etc/fail2ban/ table of Contents.

The main configuration file is /etc/fail2ban/jail.conf.The filter is stored in /etc/fail2ban/filter.d/ table of Contents.

Not recommended right jail.conf File because the configuration will be overwritten by the file in the following file *.local.

Therefore, the best practice is to create a separate file, Local prison Will contain our configuration.

Let us in /etc/fail2ban/jail.local

sudo vi /etc/fail2ban/jail.local

Add the following parameters:

[DEFAULT]
bantime  = 21600
findtime  = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
banaction_allports = iptables-allports

A brief description of the above parameters:

Ban time – IP banned time (in seconds)
Biggest attempt -The number of retries before banning the host
Find time -Fail2ban prohibits host generation”Biggest attempt” At the end”Find time“second.
ban -Type of injunction action to be taken
ignoreip –You can specify the IP addresses that fail2ban will ignore
rear end -Used to modify the back end of the log file.
Banaction_allports -Fail2ban blocks remote IP on each port

Configure Jails to protect SSH, Postfix and Dovecot

In this section, we will study how to configure Fail2ban prison for SSH, Postfix and dovecot.

inside /etc/fail2ban/jail.local File, add parameters for the service you want to enable.

For SSH:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

For Postfix:

[postfix]
enabled  = true
port     = smtp,465,submission

Pigeon loft:

[dovecot]
enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve

Suffix SASL

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s

In the above configuration, the following attributes are used:

activated -Can be set to real Either false Enable/disable the filter.
port -The port on which the service is running.If the port used is the default port, you can use the name of the service, otherwise, you need to specify the port number explicitly
filter -The name of the filter file located at /etc/fail2ban/filter.d/ The directory containing the fileregex information used to parse the log.
Log path -The path of the service log

Use Fail2ban client

Fail2ban-client is a command line tool used to run Fail2ban from the shell.

The general usage is fail2ban-client <COMMAND>

The following is a list of Fail2ban-client commands:

start: Used to start fail2ban server and prison
reload: Used to reload the Fail2ban configuration
stop: Stop the server
status: Used to check the status of the server and enable jail
status JAIL ：Display prison status and currently banned IP

example:

Fail2ban client status

$ sudo fail2ban-client status
Status
|- Number of jail:	6
`- Jail list:	dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth

2. Fail2ban client status sshd

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	22
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	4
   `- Banned IP list:

3. Banned IP:

To delete an IP from the prison, you can delete it with the following command:

$ sudo fail2ban-client set <jailname> unbanip <IP>

example:

$ sudo fail2ban-client set sshd unbanip 192.168.100.12

In the above example, we removed the IP 192.168.100.12 from the sshd jail.

in conclusion

We have read the guide on how to set up Fail2ban on CentOS/RHEL 8. This tool is useful for intrusion detection and prevention of attacks (such as brute force cracking on RHEL/CentOS 8 systems).

View other related articles on our website;

Use infected monkeys to automate penetration testing operations

Faraday-penetration testing IDE and vulnerability management platform