fail2ban is a software that allows you to automatically ban an ip addresses which have tried to connect a certain number of times to a service.
Any service connected to the Internet can be attacked. If your service requires authentication like SSH, users unauthorized and bots will try to access it and therefore your system by trying repeatedly to authenticate using different credentials.
Fortunately, services like fail2ban have been created to block these attacks.
Installing fail2ban :
On CentOS :
fail2ban is not available by default on CentOS repositories :
[root@server ~]# dnf install fail2ban CentOS-7 - Base 894 kB/s | 10 MB 00:11 CentOS-7 - Updates 1.1 MB/s | 13 MB 00:12 CentOS-7 - Extras 980 kB/s | 310 kB 00:00 No match for argument: fail2ban Error: Unable to find a match: fail2ban
You must first install the repository via yum or dnf :
[root@server ~]# yum install epel-release . . Is this ok [y/d/N]: y Downloading packages: epel-release-7-11.noarch.rpm | 15 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : epel-release-7-11.noarch 1/1 Verifying : epel-release-7-11.noarch 1/1 Installed: epel-release.noarch 0:7-11
You can now install the package :
[root@server ~]# yum install fail2ban . . . Running transaction Installing : systemd-python-219-78.el7_9.3.x86_64 1/5 Installing : fail2ban-server-0.11.1-10.el7.noarch 2/5 Installing : fail2ban-sendmail-0.11.1-10.el7.noarch 3/5 Installing : fail2ban-firewalld-0.11.1-10.el7.noarch 4/5 Installing : fail2ban-0.11.1-10.el7.noarch 5/5 Verifying : fail2ban-0.11.1-10.el7.noarch 1/5 Verifying : fail2ban-sendmail-0.11.1-10.el7.noarch 2/5 Verifying : fail2ban-server-0.11.1-10.el7.noarch 3/5 Verifying : systemd-python-219-78.el7_9.3.x86_64 4/5 Verifying : fail2ban-firewalld-0.11.1-10.el7.noarch 5/5 Installed: fail2ban.noarch 0:0.11.1-10.el7 Dependency Installed: fail2ban-firewalld.noarch 0:0.11.1-10.el7 fail2ban-sendmail.noarch 0:0.11.1-10.el7 fail2ban-server.noarch 0:0.11.1-10.el7 systemd-python.x86_64 0:219-78.el7_9.3 Complete!
On Ubuntu :
[root@server ~]# apt install fail2ban
Now start the service and configure it to be started by default at system startup (Ubuntu and CentOS) :
[root@server ~]# systemctl status fail2ban.service ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: man:fail2ban(1) [root@server ~]# systemctl start fail2ban.service [root@server ~]# systemctl enable fail2ban.service Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service. [root@server ~]# systemctl status fail2ban.service ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2021-09-12 07:35:27 EDT; 14s ago Docs: man:fail2ban(1) Main PID: 1988 (f2b/server) CGroup: /system.slice/fail2ban.service └─1988 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start Sep 12 07:35:27 server systemd: Starting Fail2Ban Service… Sep 12 07:35:27 server systemd: Started Fail2Ban Service. Sep 12 07:35:27 server fail2ban-server: Server ready
We must now configure fail2ban.
Configuring Fail2ban :
The default configuration file for fail2ban is /etc/fail2ban/jail.conf, however the configuration should not be done in this file, because it can be modified in case of an upgrades.
Instead, we will copy this file and make the changes.
Copy this file and name it jail.local :
[root@server]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local [root@server]# ll /etc/fail2ban/jail.local -rw-r--r--. 1 root root 25740 Sep 12 08:10 /etc/fail2ban/jail.local
Once the file is copied, you can make all your changes in the new jail.local file.
Many services that need protection are already in the file, each is located in its own section, configured and disabled.
Configuring Default section :
Edit the jail.local file :
[root@server]# vi /etc/fail2ban/jail.conf
The DEFAULT section covers the basic rules that Fail2Ban will apply to all services enabled for Fail2Ban that are not overridden in the service’s own section.
Here you must put the IP addresses you want whitelisted, separate the addresses with a space. You can put either ip address or network ip address.
#"ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban #will not ban a host which matches an address in this list. Several addresses #can be defined using space (and/or comma) separator. ignoreip = 127.0.0.1 192.168.50.0/24 126.96.36.199
banaction = iptables-multiport
That’s allows us to make sure that we are using iptables for the firewall configuration :
#iptables-multiport, shorewall, etc) It is used to define #action_* variables. Can be overridden globally or per #section within jail.local file banaction = iptables-multiport
The number of seconds that a host will be blocked from the server. This is particularly useful in the case of bots.
The default is 10 minutes you can increase it to an hour (or more) if you wish.
#"bantime" is the number of seconds that a host is banned. bantime = 10m
This is the amount of time that a host has to connect. The default is 10 minutes, this means that if a host tries and fails to connect more than the value set by maxretry within 10 minutes, it will be banned.
#A host is banned if it has generated "maxretry" during the last "findtime" seconds. findtime = 10m
This is the number of incorrect login attempts that a host may have before being banned.
#"maxretry" is the number of failures before a host get banned. maxretry = 5
Jail file for a specific service ( like SSH ):
It’s a good practice to create separate jail files for each services that we want to protect with Fail2Ban.
We’ll take the ssh service as an example, so let’s create a jail file for this service :
[root@server]# vim /etc/fail2ban/jail.d/sshd.local
[sshd] enabled = true port = ssh action = iptables-multiport logpath = /var/log/secure maxretry = 5 bantime = 600
- enabled : Indicates that the protection of the ssh service is enabled (false to disable it).
- port : Indicates which Fail2Ban port should monitor, 22 is the default port, if you use another port you must indicate it.
- action : describes the steps that Fail2Ban takes to deny a matching IP address. Each action refers to a file in the /etc/fail2ban/action.d directory. The default action is iptables-multiport:
[root@server]# ll /etc/fail2ban/action.d/iptables-multiport.conf -rw-r--r--. 1 root root 1508 Jan 11 2020 /etc/fail2ban/action.d/iptables-multiport.conf
- logpath : Specifies the location of the log file.
- maxretry & bantime : I have already explained it before.
[root@server fail2ban]# systemctl restart fail2ban
To display the list of jails that you have created, use the following command :
[root@server fail2ban]# fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
Unblock Manually an IP address with fail2ban :
If for some reason you want to unblock an IP address that fail2ban has blocked type the following command :
[root@server jail.d]# fail2ban-client set JAIL 192.168.2.5
And that’s it, you should now be able to configure some basic configuration for your services. Fail2ban is very easy to configure and it is a good solution to protect any type of service using authentication.