Introduction


Fail2ban is a free, open-source intrusion prevention framework written in Python. It automatically protects your server from repeated failed login attempts and brute-force attacks: it monitors log files such as /var/log/pwdfail, /var/log/auth.log and /var/log/secure, and bans the IP address after too many failed login attempts.

 

Fail2ban adds custom iptables rules to block access from the IP addresses the script identifies as malicious.

 

It is important to note that disabling SSH root access (PermitRootLogin no in /etc/ssh/sshd_config) is one of the most important security measures you can take on your server. Most attackers try to gain SSH access with the root login name, which is the SSH account enabled by default on many Linux distributions.

 

In this tutorial, we will show you how to install and configure Fail2ban on CentOS. The same steps also apply to Fedora and RHEL.

 

Install Fail2ban


By default, Fail2ban is not available in the standard CentOS repositories, so we first need to install the EPEL repository:

 

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

 

Output similar to this confirms the installation:

 

Retrieving http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
warning: /var/tmp/rpm-tmp.7o5d3O: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]

 

Now that the repository is installed, we can proceed and install Fail2ban with the yum command:

 

yum install fail2ban -y

 

You get a confirmation output like this:

 

Loaded plugins: fastestmirror
base                                                                    | 3.7 kB     00:00
base/primary_db                                                         | 4.4 MB     00:01
epel/metalink                                                           |  14 kB     00:00
epel                                                                    | 4.4 kB     00:00
epel/primary_db                                                         | 6.0 MB     00:01
extras                                                                  | 3.4 kB     00:00
extras/primary_db                                                       |  19 kB     00:00
updates                                                                 | 3.4 kB     00:00
updates/primary_db                                                      | 2.6 MB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.11-2.el6 will be installed
--> Processing Dependency: python-inotify for package: fail2ban-0.8.11-2.el6.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.8.11-2.el6.noarch
--> Processing Dependency: ed for package: fail2ban-0.8.11-2.el6.noarch
--> Running transaction check
---> Package ed.x86_64 0:1.1-3.3.el6 will be installed
---> Package gamin-python.x86_64 0:0.1.10-9.el6 will be installed
---> Package python-inotify.noarch 0:0.9.1-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package                    Arch               Version                  Repository        Size
===============================================================================================
Installing:
 fail2ban                   noarch             0.8.11-2.el6             epel             221 k
Installing for dependencies:
 ed                         x86_64             1.1-3.3.el6              base              72 k
 gamin-python               x86_64             0.1.10-9.el6             base              33 k
 python-inotify             noarch             0.9.1-1.el6              epel              50 k

Transaction Summary
===============================================================================================
Install       4 Package(s)

Total download size: 375 k
Installed size: 1.2 M
Downloading Packages:
(1/4): ed-1.1-3.3.el6.x86_64.rpm                                        |  72 kB     00:00
(2/4): fail2ban-0.8.11-2.el6.noarch.rpm                                 | 221 kB     00:00
(3/4): gamin-python-0.1.10-9.el6.x86_64.rpm                             |  33 kB     00:00
(4/4): python-inotify-0.9.1-1.el6.noarch.rpm                            |  50 kB     00:00
-----------------------------------------------------------------------------------------------
Total                                                          660 kB/s | 375 kB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) <[email protected]>
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
 Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : ed-1.1-3.3.el6.x86_64                                                       1/4
  Installing : gamin-python-0.1.10-9.el6.x86_64                                            2/4
  Installing : python-inotify-0.9.1-1.el6.noarch                                           3/4
  Installing : fail2ban-0.8.11-2.el6.noarch                                                4/4
  Verifying  : fail2ban-0.8.11-2.el6.noarch                                                1/4
  Verifying  : python-inotify-0.9.1-1.el6.noarch                                           2/4
  Verifying  : gamin-python-0.1.10-9.el6.x86_64                                            3/4
  Verifying  : ed-1.1-3.3.el6.x86_64                                                       4/4

Installed:
  fail2ban.noarch 0:0.8.11-2.el6

Dependency Installed:
  ed.x86_64 0:1.1-3.3.el6                        gamin-python.x86_64 0:0.1.10-9.el6
  python-inotify.noarch 0:0.9.1-1.el6

Complete!

 

Configure Defaults Section in Fail2ban


The default configuration file of Fail2ban is /etc/fail2ban/jail.conf. You need to change some settings to customize it. First make a copy of the original file as jail.local, then open the copy with vi. Fail2ban reads jail.conf first and then jail.local, so settings in jail.local override the defaults and survive package updates that overwrite jail.conf:

 

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

 

Look for the DEFAULT section:

 

# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

 

You need to write your own IP address on the ignoreip line. These addresses could be your home and office computer addresses, if your ISP provides you with static IP addressing. Put in multiple addresses, separating them with a space. This allows access from these IP addresses and never bans them from the server.

 

Now, bantime is the number of seconds that a host is banned from accessing the server. The default value is 600 seconds. You can set this as you prefer.

 

The findtime value is the window of time over which failed login attempts from a host are counted. Its default value is 10 minutes (600 seconds). If a host fails maxretry times within that window, it is banned.

 

And maxretry is the number of failed login attempts before a host is banned for the number of seconds given in bantime.

 

Configure ssh-iptables section in jail.local


This section is turned on by default, so there is no need to make any changes. However, if you want to customize it further, there are some values you can modify.

 

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

 

Here is a summary of each value in this ssh-iptables section:

 

  • enabled: turns SSH protection on or off by changing the value from "true" to "false".
  • filter: set to sshd by default; it names the filter definition (/etc/fail2ban/filter.d/sshd.conf) that contains the patterns Fail2ban uses to find matches in the log.
  • action: what Fail2ban does when a host reaches maxretry matches. The iptables action is defined in /etc/fail2ban/action.d/iptables.conf. If your server has mail set up, the sendmail-whois action (defined in /etc/fail2ban/action.d/sendmail-whois.conf) sends you an email alert whenever Fail2ban bans an IP address; adjust its dest and sender addresses to your own.
  • logpath: the location of the log file that Fail2ban will watch.
  • maxretry: the number of matches (failed attempts) before the host is banned. It is the same maxretry as discussed before, but set here so that different services can use different values.

If you make any changes to the jail.local file, make sure to save it and exit.

 

Restart Fail2ban service


Fail2ban needs to be restarted after any change to its configuration files for the changes to take effect.

 

service fail2ban restart

 

Start Fail2ban at boot time:

 

chkconfig fail2ban on

 

You can check the iptables rules added by Fail2ban by issuing the following command:

 

iptables -L

 

How to see failed SSH login attempts?


You can list all failed SSH login attempts by issuing the following command:

 

grep 'Failed password' /var/log/secure | sort | uniq -c
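To make the DEFAULT settings above concrete, here is an added example (not Fail2ban's own code and not part of the original tutorial) that applies the ignoreip, findtime and maxretry semantics to constructed /var/log/secure lines; its failures_per_host helper is the per-IP summary the grep command above aims at. It assumes ignoreip holds only addresses and CIDR masks (no DNS hosts), and the sample log is made up.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (made up for this example).
SAMPLE_SECURE_LOG = """\
Jun  1 10:00:01 vps sshd[2001]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jun  1 10:00:05 vps sshd[2002]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Jun  1 10:00:09 vps sshd[2003]: Failed password for root from 203.0.113.10 port 51024 ssh2
Jun  1 10:00:12 vps sshd[2004]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun  1 10:30:00 vps sshd[2005]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun  1 10:30:04 vps sshd[2006]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jun  1 10:00:20 vps sshd[2007]: Failed password for root from 127.0.0.1 port 33000 ssh2
Jun  1 10:00:21 vps sshd[2008]: Failed password for root from 127.0.0.1 port 33001 ssh2
Jun  1 10:00:22 vps sshd[2009]: Failed password for root from 127.0.0.1 port 33002 ssh2
Jun  1 10:01:00 vps sshd[2010]: Accepted password for alice from 192.0.2.5 port 2222 ssh2
"""
# The same lines grep 'Failed password' selects, with the client address captured.
FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (?P<ip>\S+) port")
def parse_failures(log_text):
    """(timestamp, ip) per failed line, oldest first; syslog stamps have no year, 1900 is fine."""
    matches = filter(None, map(FAILED.match, log_text.splitlines()))
    return sorted((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")) for m in matches)

def failures_per_host(log_text):
    """Per-IP totals: the summary the grep | sort | uniq -c pipeline is meant to give."""
    counts = defaultdict(int)
    for _, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)

def hosts_to_ban(log_text, findtime=600, maxretry=3, ignoreip="127.0.0.1/8"):
    """IPs that reach maxretry failures inside any findtime-second window, minus ignoreip."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned, window = [], timedelta(seconds=findtime)
    for ip, times in by_ip.items():
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue  # listed in ignoreip: never banned
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # forget failures older than findtime
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)
```

With the defaults, only 203.0.113.10 is banned: 198.51.100.7 never reaches three failures inside one 600-second window, and 127.0.0.1 is covered by ignoreip even though it failed three times.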

 

Remove IP address from Fail2ban


If you need to remove an IP address banned by fail2ban, delete its rule from the Fail2ban chain. The chain is named after the name parameter of the iptables action (fail2ban-SSH with the configuration above), and the trailing number is the rule's position in that chain, so list the chain with --line-numbers first to make sure you remove the right entry. On Fail2ban 0.8.8 and later you can instead unban an address with fail2ban-client (set ssh-iptables unbanip followed by the address), which also updates Fail2ban's own ban list:

 

iptables -D fail2ban-ssh 1

 

That's it. Enjoy the added protection of Fail2ban on your server!

 
