fail2ban

Fail2Ban : How to protect Linux services

fail2ban is a tool that automatically bans IP addresses which have tried to connect to a service too many times.

Any service connected to the Internet can be attacked. If your service requires authentication, like SSH, unauthorized users and bots will try to access it, and therefore your system, by repeatedly attempting to authenticate with different credentials.

Fortunately, services like fail2ban have been created to block these attacks.

Installing fail2ban :

On CentOS :

fail2ban is not available in the default CentOS repositories :

[root@server ~]# dnf install fail2ban
CentOS-7 - Base 894 kB/s | 10 MB 00:11
CentOS-7 - Updates 1.1 MB/s | 13 MB 00:12
CentOS-7 - Extras 980 kB/s | 310 kB 00:00
No match for argument: fail2ban
Error: Unable to find a match: fail2ban

You must first install the EPEL repository via yum or dnf :

[root@server ~]# yum install epel-release
.
.
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11

You can now install the package :

[root@server ~]# yum install fail2ban
.
.
.
Running transaction
Installing : systemd-python-219-78.el7_9.3.x86_64 1/5
Installing : fail2ban-server-0.11.1-10.el7.noarch 2/5
Installing : fail2ban-sendmail-0.11.1-10.el7.noarch 3/5
Installing : fail2ban-firewalld-0.11.1-10.el7.noarch 4/5
Installing : fail2ban-0.11.1-10.el7.noarch 5/5
Verifying : fail2ban-0.11.1-10.el7.noarch 1/5
Verifying : fail2ban-sendmail-0.11.1-10.el7.noarch 2/5
Verifying : fail2ban-server-0.11.1-10.el7.noarch 3/5
Verifying : systemd-python-219-78.el7_9.3.x86_64 4/5
Verifying : fail2ban-firewalld-0.11.1-10.el7.noarch 5/5
Installed:
fail2ban.noarch 0:0.11.1-10.el7
Dependency Installed:
fail2ban-firewalld.noarch 0:0.11.1-10.el7 fail2ban-sendmail.noarch 0:0.11.1-10.el7 fail2ban-server.noarch 0:0.11.1-10.el7
systemd-python.x86_64 0:219-78.el7_9.3
Complete!

On Ubuntu :

[root@server ~]# apt install fail2ban

Now start the service and configure it to be started by default at system startup (Ubuntu and CentOS) :

[root@server ~]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:fail2ban(1)
[root@server ~]# systemctl start fail2ban.service
[root@server ~]# systemctl enable fail2ban.service
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
[root@server ~]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-09-12 07:35:27 EDT; 14s ago
Docs: man:fail2ban(1)
Main PID: 1988 (f2b/server)
CGroup: /system.slice/fail2ban.service
└─1988 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start
Sep 12 07:35:27 server systemd[1]: Starting Fail2Ban Service…
Sep 12 07:35:27 server systemd[1]: Started Fail2Ban Service.
Sep 12 07:35:27 server fail2ban-server[1988]: Server ready

We must now configure fail2ban.

Configuring Fail2ban :

The default configuration file for fail2ban is /etc/fail2ban/jail.conf; however, the configuration should not be done in this file, because it may be overwritten when the package is upgraded.

Instead, we will copy this file and make our changes in the copy.

Copy this file and name it jail.local :

[root@server]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[root@server]# ll /etc/fail2ban/jail.local
-rw-r--r--. 1 root root 25740 Sep 12 08:10 /etc/fail2ban/jail.local

Once the file is copied, you can make all your changes in the new jail.local file.

Many services that need protection are already described in this file, each in its own section, preconfigured but disabled.

Configuring the DEFAULT section :

Edit the jail.local file :

[root@server]# vi /etc/fail2ban/jail.local

The DEFAULT section covers the basic rules that Fail2Ban will apply to all services enabled for Fail2Ban that are not overridden in the service’s own section.

ignoreip :

Here you put the IP addresses you want whitelisted, separated by a space. You can list individual IP addresses or networks in CIDR notation.

#"ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
#will not ban a host which matches an address in this list. Several addresses
#can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1 192.168.50.0/24 196.125.3.55

banaction :

This setting ensures that bans are applied as iptables firewall rules :

#iptables-multiport, shorewall, etc) It is used to define
#action_* variables. Can be overridden globally or per
#section within jail.local file
banaction = iptables-multiport

bantime :

The number of seconds that a host will be blocked from the server. This is particularly useful in the case of bots.

The default is 10 minutes; you can increase it to an hour (or more) if you wish.

#"bantime" is the number of seconds that a host is banned.
bantime = 10m

findtime :

This is the window of time over which failed attempts are counted. The default is 10 minutes: if a host fails to authenticate more than maxretry times within 10 minutes, it will be banned.

#A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 10m

maxretry :

This is the number of incorrect login attempts that a host may have before being banned.

#"maxretry" is the number of failures before a host get banned.
maxretry = 5

Jail file for a specific service (like SSH) :

It's good practice to create a separate jail file for each service that we want to protect with Fail2Ban.

We’ll take the ssh service as an example, so let’s create a jail file for this service :

[root@server]# vim /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 600
  • enabled : Indicates that the protection of the ssh service is enabled (false to disable it).
  • port : Indicates which port Fail2Ban should monitor; ssh resolves to port 22, the default, so if sshd listens on another port you must indicate it here.
  • action : describes the steps that Fail2Ban takes to deny a matching IP address. Each action refers to a file in the /etc/fail2ban/action.d directory. The default action is iptables-multiport:
[root@server]# ll /etc/fail2ban/action.d/iptables-multiport.conf
-rw-r--r--. 1 root root 1508 Jan 11 2020 /etc/fail2ban/action.d/iptables-multiport.conf
  • logpath : Specifies the location of the log file.
  • maxretry & bantime : as explained above.

Restart fail2ban so that the new jail is loaded :

[root@server fail2ban]# systemctl restart fail2ban
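To see how ignoreip, maxretry, findtime and bantime from the DEFAULT section interact with the sshd jail, here is a small Python model of fail2ban's counting logic run over constructed /var/log/secure lines in the format the jail reads. This is an added example, not fail2ban's own code or the author's; it assumes the jail.local values shown on this page, a syslog year of 2021 (syslog lines carry no year), and CentOS-style /var/log/secure lines (on Ubuntu sshd writes to /var/log/auth.log instead).

```python
import ipaddress
import re
from datetime import datetime, timedelta

IGNOREIP = "127.0.0.1 192.168.50.0/24 196.125.3.55"  # value from the jail.local on this page
LOG_YEAR = 2021  # assumption: syslog lines carry no year, so one is supplied
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for .*? from (?P<ip>[\d.]+) port \d+")

def parse_duration(value):
    """Accept both forms jail.local uses: plain seconds ("600") or suffixed ("10m")."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def is_ignored(ip, ignoreip):
    """True when ip matches any address or CIDR network listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip.split())

def simulate(log_lines, ignoreip, maxretry, findtime, bantime):
    """Return {ip: ban time} for hosts reaching maxretry failures inside one findtime window."""
    find_window = timedelta(seconds=parse_duration(findtime))
    ban_window = timedelta(seconds=parse_duration(bantime))
    failures, bans = {}, {}
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m: continue  # not an sshd authentication failure
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        if is_ignored(ip, ignoreip) or (ip in bans and ts < bans[ip] + ban_window):
            continue  # whitelisted, or still serving a ban: not counted
        recent = [t for t in failures.get(ip, []) if ts - t <= find_window] + [ts]
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts
            failures[ip] = []  # counter restarts once the ban expires
    return bans

def log_line(ts, ip, port):
    """One constructed sshd failure line in /var/log/secure format (sample data, not a capture)."""
    return f"{ts:%b %d %H:%M:%S} server sshd[2001]: Failed password for root from {ip} port {port} ssh2"

# Constructed sample: a fast brute force, a whitelisted host and a slow guesser (4 min between tries).
T0 = datetime(LOG_YEAR, 9, 12, 7, 40)
SAMPLE_LOG = (
    [log_line(T0 + timedelta(seconds=2 * i), "203.0.113.7", 51000 + i) for i in range(5)]
    + [log_line(T0 + timedelta(minutes=1, seconds=i), "192.168.50.10", 40000 + i) for i in range(5)]
    + [log_line(T0 + timedelta(minutes=10 + 4 * i), "198.51.100.9", 6000 + i) for i in range(5)]
)
```

With the page's values (maxretry = 5, findtime = 10m) only 203.0.113.7 is banned: the whitelisted host is never counted, and the slow guesser never accumulates 5 failures inside one 10-minute window, which is why findtime matters as much as maxretry.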

To display the list of jails that you have created, use the following command :

[root@server fail2ban]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

Unblock Manually an IP address with fail2ban :

If for some reason you want to unblock an IP address that fail2ban has banned, type the following command, where JAIL is the name of the jail (sshd in our example) :

[root@server jail.d]# fail2ban-client set JAIL unbanip 192.168.2.5

And that’s it, you should now be able to set up a basic configuration for your services. Fail2ban is very easy to configure and it is a good solution to protect any type of service that uses authentication.