Fail2ban is a security tool that protects your server from brute force attacks. It works by monitoring log files and reacting to offending actions such as repeated failed login attempts; its response consists of adding a new rule to a firewall chain and sending an e-mail notification. You can easily install and configure fail2ban by following this simple document.
Fail2ban is not in the default CentOS repositories, so you first need to install the EPEL repository that matches your release.
For CentOS 5
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
For CentOS 6
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
After the corresponding EPEL package is installed, install fail2ban:
# yum install fail2ban
Fail2ban needs some dependencies; yum downloads them automatically from the repository.
Copy the configuration file
The default configuration file of fail2ban is located at /etc/fail2ban/jail.conf.
All fail2ban configuration should be done in a local file: copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local. Settings in jail.local override those in jail.conf, so your changes are not lost when the package is updated.
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After copying the file, make all your configuration changes in that local file.
Configuration in the default jail.local
You can activate each service (jail) simply by changing "enabled = false" to "enabled = true". You need to know a few terms used in the configuration file. "ignoreip" can be an IP address, a CIDR mask or a DNS host; fail2ban will never ban a host that matches an address in this list, and several addresses can be given separated by spaces. "bantime" is the number of seconds that a host stays banned. A host is banned if it has generated "maxretry" failures during the last "findtime" seconds, so "maxretry" is the number of failures allowed before a host gets banned.
Configure fail2ban for SSH Protection
sshd is the filter fail2ban uses for this particular service. The filter name is the file name without its extension: sshd refers to the file /etc/fail2ban/filter.d/sshd.conf. The action is the step fail2ban takes to ban the matching IP address, and it refers to a file in the /etc/fail2ban/action.d directory. The default action entry is action = iptables[name=SSH, port=ssh, protocol=tcp]. If you run sshd on a non-standard port, change the port number inside the brackets, e.g. action = iptables[name=SSH, port=1000, protocol=tcp]. You can also change the protocol from tcp to udp. If you have a mail service set up on your server, fail2ban can email you whenever it bans an IP; sendmail-whois is the action that sends the emails. The default sendmail-whois entry is
sendmail-whois[name=SSH, dest=root, [email protected]]. You can set your own destination email address [email protected]. logpath is the location of the log file fail2ban scans: logpath = /var/log/secure. You can also set maxretry individually for each service.
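To make the interaction of ignoreip, maxretry, findtime and bantime concrete, here is an added example (not part of the original tutorial or of fail2ban's own code) that replays constructed /var/log/secure lines through the same ban rule the sshd jail applies. The failregex is a simplified stand-in for the one in filter.d/sshd.conf, the log year is assumed, and ignoreip handles only IP addresses and CIDR masks.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not captured from a real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  1 10:01:10 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:02:30 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:03:00 web1 sshd[2004]: Accepted publickey for deploy from 192.168.1.20 port 5000 ssh2
Mar  1 10:05:00 web1 sshd[2005]: Failed password for root from 192.168.1.20 port 5001 ssh2
Mar  1 10:06:00 web1 sshd[2006]: Failed password for root from 192.168.1.20 port 5002 ssh2
Mar  1 10:07:00 web1 sshd[2007]: Failed password for root from 192.168.1.20 port 5003 ssh2
Mar  1 11:00:00 web1 sshd[2008]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar  1 11:20:00 web1 sshd[2009]: Failed password for root from 198.51.100.9 port 6002 ssh2
Mar  1 11:40:00 web1 sshd[2010]: Failed password for root from 198.51.100.9 port 6003 ssh2
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (assumption, not the real one).
FAILREGEX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_time(stamp, year=2024):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # syslog stamps lack a year

def simulate_jail(log_text, ignoreip=(), maxretry=5, findtime=600, bantime=600):
    """Replay log lines through the ban rule the tutorial describes: a host is
    banned once it reaches `maxretry` failures within the last `findtime`
    seconds, the ban lasts `bantime` seconds, and hosts matching `ignoreip`
    (IP addresses or CIDR masks here; DNS names not handled) are never banned.
    Returns the ban events as a list of (time, host)."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures, banned_until, bans = {}, {}, []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                                  # not a failed login
        when, host = parse_time(m.group(1)), m.group(2)
        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue                                  # whitelisted by ignoreip
        if host in banned_until and when < banned_until[host]:
            continue                                  # still banned, firewall drops it
        # keep only failures inside the sliding findtime window, then add this one
        window = [t for t in failures.get(host, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        failures[host] = window
        if len(window) >= maxretry:
            banned_until[host] = when + timedelta(seconds=bantime)
            bans.append((when, host))
            failures[host] = []                       # counter resets after a ban
    return bans
```

With maxretry=3 and findtime=600 only 203.0.113.5 is banned: 192.168.1.20 is covered by ignoreip, and 198.51.100.9 spaces its attempts 20 minutes apart so it never reaches three failures inside one findtime window, which is why a too-short findtime lets slow attacks through.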
After editing the configuration file, you need to restart fail2ban:
# service fail2ban restart
You can see the fail2ban rules in effect with iptables: the action above creates a chain named after the name parameter (fail2ban-SSH), and banned addresses appear as rules in that chain.