In this article, I will show you how to install and configure the Fail2ban service on a CentOS 7 server. In most cases you will be connecting to your CentOS server remotely over SSH, and as soon as the server is reachable from the public internet the chance of it being hit by a brute-force attack is high. Fail2ban mitigates this risk by banning the source addresses that repeatedly fail to authenticate against the SSH service.
On CentOS, SSH authentication events are logged in /var/log/secure, which is where you will find the failed login attempts. Fail2ban scans /var/log/secure for SSH authentication failures and, once a source IP address exceeds the allowed number of failures, alters the iptables firewall configuration to block that address.
Fail2ban lets you define how many failed authentication attempts are tolerated and how long the offending IP address stays banned. For instance, you can configure Fail2ban to block an IP address for 24 hours after 3 failed login attempts.
Without further ado, let’s move on to the installation and configuration on the CentOS server.
How to install Fail2ban?
Fail2ban is not in the default CentOS repositories, so you have to install the EPEL repository first.
Log in as root and run the following command to install the EPEL repository.
$ yum install epel-release
Now, run below command to install Fail2ban.
$ yum install fail2ban fail2ban-systemd
Once installed, run the following commands to enable and start the Fail2ban service.
$ systemctl enable fail2ban
$ systemctl start fail2ban
How to configure Fail2ban?
The next step is to configure Fail2ban. The default configuration file is /etc/fail2ban/jail.conf. Do not edit this file directly: a package update replaces it, and any changes you made would be reset to the default values.
A better way is to duplicate the original configuration file and make your changes in the copy. The following command copies jail.conf to jail.local. Any value defined in jail.local overrides the corresponding value in jail.conf.
$ cp -p /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, let’s explore some important default settings.
The ignoreip parameter whitelists IP addresses so that they are never banned, which is how you avoid locking yourself out. You can list several addresses (or CIDR ranges) by separating them with spaces.
The banaction parameter sets the action used to ban an IP address. By default it uses iptables to change the firewall configuration.
The bantime parameter is the number of seconds an IP address stays banned once it has exceeded the maximum number of failed login attempts allowed. By default this is 600 seconds, or 10 minutes.
The findtime parameter sets the window of time, in seconds, within which failed authentication attempts are counted.
The maxretry parameter sets the maximum number of authentication failures allowed within the findtime window before the address is banned.
Additionally, you can create configuration files for individual services in the /etc/fail2ban/jail.d/ folder. Settings in those files override both jail.conf and jail.local. I recommend this approach as it keeps the configuration organized and easy to manage.
So, let’s create a configuration file for SSH in /etc/fail2ban/jail.d/ using vi editor.
$ vi /etc/fail2ban/jail.d/sshd.local
Now, add the following configuration lines into the file.
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 600
Let me quickly explain the settings above. [sshd] marks the section for the SSH service. Setting enabled = true turns SSH protection on; enabled = false turns it off.
The port parameter tells the ban action which port to block. If you are using the default SSH port 22, leave the value as ssh; otherwise enter the port number your SSH service listens on.
The action parameter tells Fail2ban how to ban a matching IP address. The default ban action is iptables-multiport. You can find all the available ban actions in /etc/fail2ban/action.d/.
logpath is the log file Fail2ban monitors for failed SSH login attempts.
The maxretry parameter sets the number of failed authentication attempts a client is allowed within the findtime window before it is banned, and bantime sets how long, in seconds, the ban lasts.
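To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added Python example that replays a handful of constructed /var/log/secure lines through the same counting rules the sshd jail applies. This is not Fail2ban's own code and not part of the original article: the regular expression is a cut-down version of the "Failed password" pattern in filter.d/sshd.conf, the year is assumed because syslog timestamps carry none, and the hostname, PIDs and addresses in the sample log are made up.

```python
"""Replay /var/log/secure lines through Fail2ban-style ban logic.

Added example: a simplified re-implementation of the sshd jail's counting
rules (ignoreip, findtime, maxretry, bantime), not Fail2ban's own code.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Cut-down version of the "Failed password" pattern in filter.d/sshd.conf.
# The real filter matches many more message variants.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

# Constructed sample of what /var/log/secure looks like on CentOS 7:
# 203.0.113.10 fails 5 times in 8 seconds, 192.168.1.25 fails 5 times from
# the LAN, 198.51.100.7 fails 5 times but never 5 inside one 600 s window.
SAMPLE_LOG = """\
Mar  3 10:00:01 centos7 sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 10:00:03 centos7 sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar  3 10:00:05 centos7 sshd[1205]: Failed password for root from 203.0.113.10 port 51242 ssh2
Mar  3 10:00:07 centos7 sshd[1207]: Failed password for invalid user oracle from 203.0.113.10 port 51250 ssh2
Mar  3 10:00:09 centos7 sshd[1209]: Failed password for root from 203.0.113.10 port 51251 ssh2
Mar  3 10:00:30 centos7 sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:00 centos7 sshd[1213]: Failed password for root from 192.168.1.25 port 40010 ssh2
Mar  3 10:01:01 centos7 sshd[1214]: Failed password for root from 192.168.1.25 port 40011 ssh2
Mar  3 10:01:02 centos7 sshd[1215]: Failed password for root from 192.168.1.25 port 40012 ssh2
Mar  3 10:01:03 centos7 sshd[1216]: Failed password for root from 192.168.1.25 port 40013 ssh2
Mar  3 10:01:04 centos7 sshd[1217]: Failed password for root from 192.168.1.25 port 40014 ssh2
Mar  3 10:05:00 centos7 sshd[1301]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
Mar  3 10:06:00 centos7 sshd[1302]: Failed password for deploy from 198.51.100.7 port 40101 ssh2
Mar  3 10:07:00 centos7 sshd[1303]: Failed password for deploy from 198.51.100.7 port 40102 ssh2
Mar  3 10:08:00 centos7 sshd[1304]: Failed password for deploy from 198.51.100.7 port 40103 ssh2
Mar  3 10:16:00 centos7 sshd[1305]: Failed password for deploy from 198.51.100.7 port 40104 ssh2
Mar  3 10:16:05 centos7 su: pam_unix(su-l:auth): authentication failure; logname=deploy uid=1000 euid=0 tty=pts/0 ruser=deploy rhost=  user=root
"""


def parse_failures(lines):
    """Return [(timestamp, source_ip)] for every line the filter matches."""
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins, su, cron etc. are not counted
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["host"]))
    return failures


def simulate_jail(lines, ignoreip=("127.0.0.1/8",), findtime=600, maxretry=5, bantime=600):
    """Return {ip: (banned_at, banned_until)} the way the sshd jail would decide."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # per-IP failure timestamps inside findtime
    bans = {}
    for ts, host in parse_failures(lines):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname in <HOST>; real Fail2ban resolves it (usedns)
        if any(addr in net for net in ignored):
            continue  # whitelisted by ignoreip, never banned
        if host in bans and ts < bans[host][1]:
            continue  # still banned; iptables would have dropped this anyway
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime seconds
        if len(window) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    result = simulate_jail(SAMPLE_LOG.splitlines(), ignoreip=("127.0.0.1/8", "192.168.1.0/24"))
    for ip, (start, end) in result.items():
        print(f"ban {ip} at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults and the LAN whitelisted, only 203.0.113.10 is banned: 192.168.1.25 is covered by ignoreip, and 198.51.100.7 never accumulates five failures inside a single 600 second window, so its sixth-minute gap resets the count. Lowering maxretry to 3 or raising findtime to 3600 changes both outcomes, which is exactly the trade-off you are making when you tune those two values.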
Other Useful Commands
Restart Fail2ban to apply configuration changes
$ systemctl restart fail2ban
Check Fail2ban Status for SSH
$ fail2ban-client status sshd
Manually Ban and Unban an IP Address (replace JAIL with the jail name, for example sshd)
$ fail2ban-client set JAIL banip [IPADDRESS]
$ fail2ban-client set JAIL unbanip [IPADDRESS]
Fail2ban is an intrusion prevention tool that protects your server from threats such as brute-force attacks. It is written in Python and runs on Unix-like systems.
Although Fail2ban is a good tool for mitigating brute-force attacks, it does not protect you from every threat. Staying security conscious will help you avoid situations that expose you to cyber attacks.
To Your Success,
Kwah Choon Hiong