Install and configure Fail2ban on CentOS 8 | RHEL 8
In this guide, we will discuss how to install and configure Fail2ban on CentOS 8 / RHEL 8. Fail2ban is an open source intrusion detection and prevention tool that scans log files for malicious IP addresses, that is, addresses showing signs of repeated failed login attempts. The tool then bans the IP by updating firewall rules to deny traffic from it.
Fail2ban can be used to protect many services on Linux systems, including sshd, WordPress logins, Postfix, and others.
Install Fail2ban on CentOS 8 | RHEL 8
You must install the EPEL repository on your CentOS/RHEL 8 system to get the Fail2ban package:
sudo dnf -y install epel-release
Install the Fail2ban package:
sudo dnf -y install fail2ban
Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Configure Fail2ban on CentOS 8 | RHEL 8
After a successful installation, the next step is to configure Fail2ban.
The Fail2ban configuration files reside in the /etc/fail2ban/ directory. The main configuration file is /etc/fail2ban/jail.conf, and the filters are stored in the /etc/fail2ban/filter.d/ directory.
Editing jail.conf directly is not recommended, because its settings are overridden by any *.local file and the file itself is replaced on package upgrades.
Therefore, the best practice is to create a separate jail.local file that will contain our configuration. Let us create /etc/fail2ban/jail.local:
sudo vi /etc/fail2ban/jail.local
Add the following parameters:
[DEFAULT]
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
banaction_allports = iptables-allports
A brief description of the above parameters:
- bantime – How long an IP stays banned (in seconds)
- maxretry – The number of failures allowed before the host is banned
- findtime – The window (in seconds) within which maxretry failures must occur to trigger a ban
- banaction – The type of ban action to take. CentOS 8 uses firewalld by default; if the iptables command is not installed, use banaction = firewallcmd-rich-rules (shipped with the EPEL fail2ban-firewalld package) instead of iptables-multiport
- ignoreip – IP addresses that Fail2ban will never ban (for example your own management host)
- backend – The backend used to read log files; systemd reads the journal instead of a log file
- banaction_allports – The action used when a jail blocks the remote IP on every port
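To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is a small Python simulation added for this guide (it is not Fail2ban code): it applies the sliding-window rule Fail2ban uses to constructed sshd log lines and reports which IPs would be banned and when. The log format, the simplified regex and the ignoreip entries are assumptions.

```python
import re
from collections import defaultdict, deque

# Values from the jail.local [DEFAULT] section in this guide
BANTIME = 21600   # seconds an IP stays banned
FINDTIME = 300    # window in which failures are counted
MAXRETRY = 3      # failures within FINDTIME that trigger a ban
IGNOREIP = {"127.0.0.1", "192.168.100.1"}  # assumed trusted hosts

# Simplified sshd failure pattern; the real one is in filter.d/sshd.conf
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

def simulate(events, bantime=BANTIME, findtime=FINDTIME,
             maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """events: list of (timestamp_seconds, log_line). Returns {ip: ban_time}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}                      # ip -> time the ban was applied
    for ts, line in sorted(events, key=lambda e: e[0]):
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in ignoreip:
            continue  # ignoreip: never counted, never banned
        if ip in bans and ts - bans[ip] >= bantime:
            del bans[ip]  # the ban has lapsed after bantime seconds
        if ip in bans:
            continue  # already banned; the attempt is simply dropped
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # forget failures older than the findtime window
        if len(q) >= maxretry:
            bans[ip] = ts
            q.clear()
    return bans

# Constructed sample events (not from a real system); (seconds, log line)
SAMPLE = [
    (0,   "sshd[1]: Failed password for root from 203.0.113.5 port 40000 ssh2"),
    (60,  "sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2"),
    (120, "sshd[1]: Failed password for root from 203.0.113.5 port 40002 ssh2"),
    (0,   "sshd[1]: Failed password for root from 198.51.100.9 port 50000 ssh2"),
    (400, "sshd[1]: Failed password for root from 198.51.100.9 port 50001 ssh2"),
    (800, "sshd[1]: Failed password for root from 198.51.100.9 port 50002 ssh2"),
    (0,   "sshd[1]: Failed password for root from 192.168.100.1 port 60000 ssh2"),
    (10,  "sshd[1]: Failed password for root from 192.168.100.1 port 60001 ssh2"),
]

if __name__ == "__main__":
    for ip, start in simulate(SAMPLE).items():
        print(f"{ip} banned at t={start}s, released at t={start + BANTIME}s")
```

Only 203.0.113.5 is banned: 198.51.100.9 spreads its three failures over more than findtime seconds, and 192.168.100.1 is in ignoreip.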
Configure Jails to protect SSH, Postfix and Dovecot
In this section, we will look at how to configure Fail2ban jails for SSH, Postfix and Dovecot.
In the /etc/fail2ban/jail.local file, add a section for each service you want to enable.
For SSH (the jail is named sshd, matching the filter and the status output shown later):
[sshd]
enabled = true
port = ssh
filter = sshd
# With backend = systemd the journal is read and logpath is not used;
# the file-based SSH log on CentOS/RHEL is /var/log/secure, not /var/log/auth.log
logpath = /var/log/secure
For Postfix:
[postfix]
enabled = true
port = smtp,465,submission
For Dovecot:
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
For Postfix SASL:
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
In the above configuration, the following attributes are used:
- enabled – Set to true or false to enable or disable the jail
- port – The port(s) on which the service listens. If the service uses its default port, you can use the service name; otherwise, specify the port number explicitly
- filter – The name of the filter file in /etc/fail2ban/filter.d/ that contains the failregex used to parse the log
- logpath – The path of the service log (ignored when backend = systemd)
Use the Fail2ban client
fail2ban-client is the command line tool used to control the Fail2ban server from the shell.
The general usage is fail2ban-client <COMMAND>
The following is a list of common fail2ban-client commands:
- start: Start the Fail2ban server and its jails
- reload: Reload the Fail2ban configuration
- stop: Stop the server
- status: Check the status of the server and list the enabled jails
- status JAIL: Display the status of a jail and its currently banned IPs
Examples:
1. Fail2ban client status
$ sudo fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth
2. Fail2ban client status sshd
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 22
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 4
`- Banned IP list:
3. Unban an IP
To remove an IP from a jail, use the following command:
$ sudo fail2ban-client set <jailname> unbanip <IP>
Example:
$ sudo fail2ban-client set sshd unbanip 192.168.100.12
In the above example, we removed the IP 192.168.100.12 from the sshd jail.
Conclusion
We have gone through how to set up Fail2ban on CentOS/RHEL 8. This tool is useful for intrusion detection and for preventing attacks such as brute-force password guessing against RHEL/CentOS 8 systems.