Fail2ban is a security tool that protects your server from brute-force attacks. It automatically blocks attacking hosts: it monitors log files and reacts to offending actions such as repeated failed login attempts, typically by adding a new rule to a firewall chain and sending an e-mail notification. You can install and configure fail2ban by following this document.
Before proceeding with the installation, make sure the system meets the software requirements for compiling and installing the application and that it is configured with a static IP address. As a first step, update your system repositories and software packages by issuing the commands below.
To install Fail2Ban on a CentOS 7 server, first install the EPEL (Extra Packages for Enterprise Linux) repository, which provides additional packages for all CentOS versions. Run the following commands as root:
# yum install epel-release -y
# yum install fail2ban fail2ban-systemd
Fail2ban needs some dependencies, which yum downloads automatically from the repository:
fail2ban-firewalld fail2ban-sendmail fail2ban-server systemd-python
Configuring Settings for Fail2ban
The default configuration file of fail2ban is located at
All fail2ban configuration should be done in a local file. You need to copy the default file first:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After copying, we configure and customize the software in the jail.local configuration file. Settings in jail.local override those in jail.conf, which keeps your custom configuration safe across package updates (an update may overwrite jail.conf, but leaves jail.local untouched).
Main Configurations in the default jail.local
The file consists of many directives that whitelist or ban one or more IP addresses, set the ban duration, the number of allowed failures, and so on. To activate the jail for a service, change its enabled status from false to true. You need to know the following terms used in the configuration file.
ignoreip: an IP address, a CIDR mask or a DNS host name. You can whitelist any address by adding it to this list; several addresses are separated by spaces.
bantime: the number of seconds for which a host is banned.
findtime: the time window used to decide whether a host must be banned. If a host produces maxretry failures within the last findtime seconds, it is banned.
maxretry: the number of failed attempts a host is allowed; once this limit is reached, the host is banned.
On a CentOS 7 server, you need to change the backend option in jail.local from auto to systemd:
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = systemd
Configuring fail2ban for SSH Protection
No jails are enabled by default on CentOS 7. To enable SSH protection, uncomment the following lines in the jail.local file as shown below:
# JAILS
# SSH servers
#
[sshd]
enabled = true
# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
The enabled parameter is set to true to provide protection; set it to false to disable it. The filter parameter refers to the fail2ban sshd filter configuration file, located in the path
The action parameter selects the action definition, here the one available from /etc/fail2ban/action.d/firewallcmd-ipset.conf, that is applied to an IP address once the filter has matched it for banning.
port: change this to a new value such as port = 2222 if you moved SSH to port 2222 instead of the default one. There is no need to change this parameter for the default port 22.
logpath: the path of the log file that Fail2Ban scans.
maxretry: the maximum number of failed login entries allowed before a ban.
bantime: the number of seconds for which a host is banned.
filter: the name of the file in /etc/fail2ban/filter.d that contains the failregex definitions used to parse the log files appropriately.
Enabling Fail2ban Service
Make sure the CentOS firewalld service is enabled and started before running this software.
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
# systemctl start firewalld
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-01-14 10:57:34 UTC; 9s ago
     Docs: man:firewalld(1)
 Main PID: 19493 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─19493 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Now we can enable and start the fail2ban service by executing the commands below:
# systemctl enable fail2ban
# systemctl start fail2ban
Whenever you change the configuration, restart the service so the changes take effect:
# systemctl restart fail2ban
Using Fail2ban client
Fail2ban provides the fail2ban-client command, which controls Fail2ban from the command line. The main command-line options are listed below:
start: starts the server and the jails
reload: reloads the configuration
reload <JAIL>: reloads the jail <JAIL>
stop: stops all jails and terminates the server
status: gets the current status of the server
ping: tests if the server is alive
help: returns this output
version: returns the server version
For example, to check whether Fail2Ban is running and the sshd jail is enabled, run:
# fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
For more information about this command, you can run
Tracking the Failed Login attempts
We can check the SSH log with the following command to see whether there have been any failed attempts to log in to the server via the SSH port. It lists failed root password attempts from different IP addresses, similar to this output:
Jan 14 05:08:58 li226-12 sshd: Failed password for root from 126.96.36.199 port 43374 ssh2
Jan 14 05:09:00 li226-12 sshd: Failed password for root from 188.8.131.52 port 43374 ssh2
Jan 14 05:09:02 li226-12 sshd: Failed password for root from 184.108.40.206 port 43374 ssh2
Jan 14 05:09:04 li226-12 sshd: Failed password for root from 220.127.116.11 port 43374 ssh2
Jan 14 05:09:06 li226-12 sshd: Failed password for root from 18.104.22.168 port 43374 ssh2
Jan 14 05:09:08 li226-12 sshd: Failed password for root from 22.214.171.124 port 43374 ssh2
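To make the findtime/maxretry/bantime terms from the configuration section concrete, the following added example (not part of the original article or of fail2ban itself) replays sshd log lines in the format shown above through the same sliding-window decision a jail makes. The failregex is a simplified stand-in for the one in filter.d/sshd.conf, the thresholds are the stock jail.conf defaults, and the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stock jail.conf defaults; findtime and bantime are in seconds.
MAXRETRY, FINDTIME, BANTIME = 5, 600, 600

# Simplified stand-in for the sshd failregex (assumption: the real filter in
# filter.d/sshd.conf is more permissive). The "host" group plays the <HOST> role.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$")

# Constructed sample in the format of the log excerpt above. 203.0.113.7 fails
# 5 times within 8 seconds and must be banned; 192.0.2.5 also fails 5 times,
# but 10 minutes apart, so no findtime window ever holds maxretry failures.
SAMPLE_LOG = """\
Jan 14 05:00:00 li226-12 sshd: Failed password for root from 192.0.2.5 port 40001 ssh2
Jan 14 05:08:58 li226-12 sshd: Failed password for root from 203.0.113.7 port 43374 ssh2
Jan 14 05:09:00 li226-12 sshd: Failed password for root from 203.0.113.7 port 43375 ssh2
Jan 14 05:09:02 li226-12 sshd: Failed password for root from 203.0.113.7 port 43376 ssh2
Jan 14 05:09:04 li226-12 sshd: Failed password for root from 203.0.113.7 port 43377 ssh2
Jan 14 05:09:06 li226-12 sshd: Failed password for root from 203.0.113.7 port 43378 ssh2
Jan 14 05:10:00 li226-12 sshd: Failed password for root from 192.0.2.5 port 40002 ssh2
Jan 14 05:20:00 li226-12 sshd: Failed password for root from 192.0.2.5 port 40003 ssh2
Jan 14 05:30:00 li226-12 sshd: Failed password for root from 192.0.2.5 port 40004 ssh2
Jan 14 05:40:00 li226-12 sshd: Failed password for root from 192.0.2.5 port 40005 ssh2
"""

def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through a findtime/maxretry window; return {host: ban expiry}."""
    failures = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                # the filter does not recognise this line
        # syslog timestamps carry no year; strptime defaults to 1900, fine for differences
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        host = m["host"]
        if host in bans and ts < bans[host]:
            continue                # already banned, nothing more to count
        q = failures[host]
        q.append(ts)
        while q and q[0] <= ts - timedelta(seconds=findtime):
            q.popleft()             # forget failures older than findtime
        if len(q) >= maxretry:      # maxretry failures inside one findtime window
            bans[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans
```

Running simulate_jail(SAMPLE_LOG) bans only 203.0.113.7 (until 05:19:06); raising findtime to 3000 seconds bans 192.0.2.5 as well, which shows why findtime is the knob for slow, patient brute forcing.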
You can view the list of banned IPs, that is, hosts that have reached the maximum number of failed attempts, with the command below:
# iptables -L -n
Unbanning an IP address
To remove an IP address from the banned list, replace IPADDR with the address that is to be unbanned. The name "sshd" is the name of the jail, in this case the sshd jail we configured above. Run the following command:
# fail2ban-client set sshd unbanip IPADDR
Fail2ban works in the background and continuously scans the log files for unusual login patterns and intrusion attempts. This article gives you a brief introduction to the topic; you can find more information in the Fail2ban wiki. I hope this is useful for you. Please post your valuable comments and suggestions below.