Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks. It works by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for the selected services and running scripts based on what it finds there. It is most commonly used to block the IP addresses of hosts that appear to be trying to compromise the security of the system.
Add the EPEL repository to the system, update it and install the software:
# yum install epel-release
# yum update
# yum install fail2ban fail2ban-systemd
If SELinux is enabled, also update the policy packages:
# yum update -y selinux-policy*
Fail2Ban stores its settings in the file /etc/fail2ban/jail.conf, and a package update overwrites this file, so copy jail.conf to jail.local and make your changes there:
# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
By default, the configuration file contains the following lines:
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
- ignoreip – a list of IP addresses (or CIDR ranges) that will never be banned. The entries must be separated by spaces.
- bantime – how long a host stays blocked, in seconds.
- maxretry – the number of failed attempts allowed before a host is blocked.
- findtime – the window, in seconds, within which failed attempts are counted against maxretry.
That is, with the default configuration a host is banned for 10 minutes after 5 unsuccessful attempts within 10 minutes.
Securing SSH connections
Let's create a new file sshd.local and add the following lines to it:
# nano /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = ssh
action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
- enabled = true – the sshd jail is active (note the key is spelled "enabled").
- action – how a ban is enforced once the limit is reached; firewallcmd-ipset is defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf and blocks the offending address through firewalld and an ipset.
- logpath – the log file that Fail2Ban scans; %(sshd_log)s is a variable that resolves to the system's sshd log path.
- maxretry – the number of failed logins allowed before a ban.
- bantime – blocking time in seconds (86400 = 24 hours).
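The [DEFAULT] parameters explained above and the sshd jail are easiest to understand by watching them act on real-looking log lines. The following Python script is an added example, not part of the original article and not Fail2Ban's own code: it re-implements the findtime/maxretry sliding window and the ignoreip check in simplified form (the real sshd filter in filter.d/sshd.conf matches many more message forms, and the ipset action is not reproduced) and runs it over constructed log lines in the format OpenSSH writes. The SAMPLE_LOG lines, the host name "host" and the IP addresses are made up for the example; the jail values are the ones from the article.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the article: findtime/ignoreip from the [DEFAULT]
# section of jail.conf, maxretry/bantime from the sshd.local jail.
FINDTIME = 600              # seconds in which failures are counted
MAXRETRY = 5                # failures within FINDTIME that trigger a ban
BANTIME = 86400             # seconds a host stays banned (24 hours)
IGNOREIP = ["127.0.0.1/8"]  # addresses that are never banned

# Simplified version of the "Failed password" pattern matched by Fail2Ban's
# sshd filter; captures the syslog timestamp and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of sshd log lines (not real traffic; the remote hosts use
# the RFC 5737 documentation ranges). Lines for one address are in time order.
SAMPLE_LOG = [
    # 203.0.113.7: five failures in 20 seconds, well inside findtime
    "Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar  3 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2",
    "Mar  3 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "Mar  3 10:00:14 host sshd[1004]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2",
    "Mar  3 10:00:20 host sshd[1005]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    # 198.51.100.9: five failures 7 minutes apart, never five inside one 10-minute window
    "Mar  3 10:00:00 host sshd[2001]: Failed password for root from 198.51.100.9 port 40000 ssh2",
    "Mar  3 10:07:00 host sshd[2002]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "Mar  3 10:14:00 host sshd[2003]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "Mar  3 10:21:00 host sshd[2004]: Failed password for root from 198.51.100.9 port 40003 ssh2",
    "Mar  3 10:28:00 host sshd[2005]: Failed password for root from 198.51.100.9 port 40004 ssh2",
    # 127.0.0.1: six failures in a minute, but covered by ignoreip
    "Mar  3 10:01:00 host sshd[3001]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    "Mar  3 10:01:05 host sshd[3002]: Failed password for root from 127.0.0.1 port 33001 ssh2",
    "Mar  3 10:01:10 host sshd[3003]: Failed password for root from 127.0.0.1 port 33002 ssh2",
    "Mar  3 10:01:15 host sshd[3004]: Failed password for root from 127.0.0.1 port 33003 ssh2",
    "Mar  3 10:01:20 host sshd[3005]: Failed password for root from 127.0.0.1 port 33004 ssh2",
    "Mar  3 10:01:25 host sshd[3006]: Failed password for root from 127.0.0.1 port 33005 ssh2",
    # a successful login that the filter must not count
    "Mar  3 10:02:00 host sshd[4001]: Accepted publickey for deploy from 203.0.113.8 port 52000 ssh2",
]


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignore_list):
    """True if ip falls inside any entry of ignoreip (plain IPs or CIDR masks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore_list)


def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, ignoreip=IGNOREIP):
    """Return {ip: (ban_time, unban_time)} for every address the jail would ban."""
    window = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed login: the filter ignores it
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        q = window[ip]
        q.append(ts)
        # Sliding window: forget failures older than findtime seconds.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (banned_at, until) in simulate(SAMPLE_LOG).items():
        print(f"{ip}: banned at {banned_at}, unban at {until}")
```

Running it bans only 203.0.113.7 (until the same time the next day, i.e. bantime = 86400). 198.51.100.9 makes the same five attempts but slowly enough that no 600-second window ever holds five of them; raising findtime to 1800 in the simulate() call is enough to catch that pattern too, which is the trade-off the findtime setting controls.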
Add the Fail2Ban service to startup and start it:
# systemctl enable fail2ban
# systemctl start fail2ban
To check the status, run the command:
# fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
To unblock an IP address, run the command:
# fail2ban-client set sshd unbanip IPADDRESS