Linux Brute Force Protection - Scan Logs and Detect Patterns Using fail2ban

February 7, 2014 | By in HOWTOS, SECURITY

Fail2ban is a security tool that protects your server from brute force attacks. It works by monitoring log files and reacting to offending actions such as repeated failed login attempts; the reaction consists of adding a new rule to a firewall chain and, optionally, sending an e-mail notification. You can install and configure fail2ban by following this simple document.

Install Fail2ban

Fail2ban is not in the default CentOS repositories, so you first need to install the EPEL repository package for your release.

For CentOS 5

#rpm -Uvh

For CentOS 6

#rpm -Uvh

After installing the matching EPEL package, install fail2ban:

#yum install fail2ban

Fail2ban has some dependencies; yum downloads them from the repository automatically.


Copy Configuration file

The default configuration file of fail2ban is /etc/fail2ban/jail.conf. All customisation should be done in a local override file, because jail.conf is replaced when the package is upgraded while jail.local is left untouched. Copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After copying the file, make all your configuration changes in jail.local; settings there override the ones in jail.conf.

Configurations In the default jail.local

The configuration file lists a group of services (jails). Each service has a default configuration and is turned off.

You activate a service by changing "enabled = false" to "enabled = true". You also need to know some terms used in the configuration file. "ignoreip" can be an IP address, a CIDR mask or a DNS host; fail2ban will not ban a host that matches an address in this list, and several addresses can be given separated by spaces. "bantime" is the number of seconds a host stays banned. "findtime" is the observation window: a host is banned if it has generated "maxretry" failures during the last "findtime" seconds. "maxretry" is therefore the number of failures allowed before a host gets banned.

Configure fail2ban for SSH Protection

SSH is the only service enabled in jail.local:
enabled = true
You don't need to make any changes in this section.

The filter for this jail is sshd. A filter name is the name of a file in /etc/fail2ban/filter.d without its .conf extension, so sshd refers to /etc/fail2ban/filter.d/sshd.conf. The action is the set of steps fail2ban takes to ban a matching IP address; each action name refers to a file in the /etc/fail2ban/action.d directory. The default action entry is action = iptables[name=SSH, port=ssh, protocol=tcp]. If sshd listens on a non-standard port, change the port number inside the brackets so that the ban rule matches the traffic you actually receive, e.g. action = iptables[name=SSH, port=1000, protocol=tcp]. You can also change the protocol from tcp to udp.

If you have a mail service set up on the server, fail2ban can email you when it bans an IP. sendmail-whois is the action that sends the email; its default entry is sendmail-whois[name=SSH, dest=root] and you can set your own destination address in dest. logpath is the log file that fail2ban scans; for this jail it is logpath = /var/log/secure. You can also set maxretry individually for each service.
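To make the interplay of ignoreip, findtime and maxretry concrete, here is an added Python model of what the sshd jail decides when scanning /var/log/secure. It is illustrative code written for this article, not fail2ban's own implementation: the regex is a simplified stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf, the jail values are chosen for the example, and the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings as they would be written in jail.local (values chosen for this example).
JAIL = {"ignoreip": "127.0.0.1/8 192.168.1.10", "bantime": 600, "findtime": 600, "maxretry": 3}
# Simplified stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/secure lines (not a real log).
SAMPLE_LOG = """\
Feb  7 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 50011 ssh2
Feb  7 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Feb  7 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 50013 ssh2
Feb  7 10:00:15 host sshd[1207]: Failed password for root from 192.168.1.10 port 40001 ssh2
Feb  7 10:00:16 host sshd[1208]: Failed password for root from 192.168.1.10 port 40002 ssh2
Feb  7 10:00:17 host sshd[1209]: Failed password for root from 192.168.1.10 port 40003 ssh2
Feb  7 10:01:00 host sshd[1210]: Failed password for root from 198.51.100.7 port 40101 ssh2
Feb  7 10:20:00 host sshd[1211]: Failed password for root from 198.51.100.7 port 40102 ssh2
Feb  7 10:20:05 host sshd[1212]: Failed password for root from 198.51.100.7 port 40103 ssh2
Feb  7 10:20:10 host sshd[1213]: Accepted password for bob from 203.0.113.9 port 40500 ssh2
"""

def is_ignored(ip, ignoreip):
    """True if ip matches an address or CIDR mask in the space-separated ignoreip list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip.split())

def find_bans(log_text, jail, year=2014):
    """Return {ip: ban_expiry} for hosts reaching maxretry failures inside findtime seconds.
    syslog timestamps carry no year, so one is supplied by the caller."""
    failures = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}
    window = timedelta(seconds=jail["findtime"])
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # line does not match the filter, so it is not a failure
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, jail["ignoreip"]):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= jail["maxretry"]:
            bans[ip] = ts + timedelta(seconds=jail["bantime"])
    return bans
```

With these values only 203.0.113.5 is banned: 192.168.1.10 is whitelisted by ignoreip, and 198.51.100.7 never accumulates three failures inside one 600-second findtime window.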

Restart fail2ban

After editing the configuration file, restart fail2ban so the new settings take effect:

#service fail2ban restart

You can see the fail2ban rules in effect by listing the iptables chains:

#iptables -L

