Install and Configure Fail2ban on CentOS 8

Servers  exposed to the internet are at very high risk of malware attacks. There are a number of measures you can take to ensure you are protected from unauthorized users and malicious software. One of them is to use Fail2ban.

Fail2ban is an intrusion prevention tool that protects servers from attacks on the internet. It protects against types of brute-force attacks. It does this by monitoring logs of applications like OpenSSH daemon, Apache, MySQL, mail logs. This tool looks at log files and analyses where connection attempts are coming from, how many times a user attempts to log in, where they try to log in from, and how frequently they try to log in. This guide  takes you through how to install and configure Fail2ban on CentOS 8.

This tool is very helpful in stopping brute-force attacks on your server. For example in the case where  a user repeatedly tries to gain remote access into your server using different user and password combinations.

Step 1: Install EPEL Repository

To start off, Install the EPEL  package as follows.

For CentOS 8:

$ sudo dnf install -y epel-release

For RHEL 8:

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y

Install Fail2ban on CentOS

The Fail2ban package is available in the default CentOS 8 repositories. To install it, run the command:

$ sudo dnf install fail2ban

Install and Configure Fail2ban on CentOS

Configure Fail2Ban

Fail2ban keeps all the important configuration files under /etc/fail2ban directory. The default Fail2ban installation comes with two main configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf. The /etc/fail2ban/jail.conf is the main configuration file.

These files should not be modified as they may be overwritten when the package is updated. We, therefore, need to create a copy of this file as jail.local.

The jail.local file overrides the settings in the jail.conf file. We will create a .local configuration file from the default jail.conf file:. 

In this article, we are going to create a jail file that will secure SSH connections. Run the following command to create jail.local file

$ sudo vim /etc/fail2ban/jail.local

Here’s the sample configuration file that we will copy into the jai.local file.

 [DEFAULT]
 ignoreip = 192.168.0.103
 bantime  = 86400
 findtime  = 300
 maxretry = 3
 banaction = iptables-multiport
 backend = systemd
 [sshd]
 enabled = true 

In this sample configuration, when an IP address records 3 failed login  attempts within the last 5 minutes, then it will be banned for 24 hours with the exception of a host with IP 192.168.0.103

The parameters in our sample configuration are discussed below

  • ignoreip –  it specifies a list of IP addresses, DNS host or CIDR masks. That would not be banned. You can define several addresses using space (and/or comma) separator.
  • bantime – It specifies the duration of time  in seconds that a remote host is banned
  • maxretry – This specifies the number of failed login attempts before the host is banned. The default value for the maxretry value is 5.
  • findtime – This is the time duration between the number of failures before a ban is set. 
  • banaction – The banning action.
  • backend – Specifies the system used to get files modification

Save and exit the configuration file.

Start Fail2ban

Next, start and enable the Fail2ban service:

$ sudo systemctl start fail2ban
$ sudo systemctl enable --now fail2ban
Install and Configure Fail2ban on CentOS

To check the status of the fail2ban service:

$ sudo systemctl status fail2ban
Check if fail2ban is running

The output shows Fail2Ban running on your CentOS server.

After the configuration, let’s check for any banned IP addresses. The fail2ban-client is used for this purpose. In this example we get the status of ssh jail. Run the command below:

$ sudo fail2ban-client status sshd
Check fail2ban status

In the output above, there are no banned IP addresses because we have not attempted to log in remotely to the server yet.

We are going to attempt to log in from putty SSH client from a Windows PC with an IP different from the one specified in jail.local configuration file.In this example, I have tried SSH  using putty with a different IP address from the one specified in the jail.local file. After three wrong attempts, Fail2ban blocked that IP.

Now when we check the status of ssh jail again, we can see that an  IP has been banned.

install and configure fail2ban

To unban the IP address run the following command:

$ sudo fail2ban-client unban 10.0.2.2

For more information about fail2ban policies visit the man pages with the command.

$ man jail.conf

fail2ban configuration file

Conclusion

In this guide  we explained how to install and configure Fail2Ban on CentOS 8 . For more information about  Fail2Ban, visit the  Fail2ban documentation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

x