Fail2Ban install tutorial for Linux (AlmaLinux)

Posted on by Mohammed Noufal | Updated:
Reading Time: 8 minutes

In today's ever-changing cybersecurity landscape, protecting your server from potential attackers is critical. AlmaLinux, a stable and community-supported Linux distribution, serves as a solid base for hosting services. However, proactive measures must be made to harden the server's defenses, and Fail2Ban is one such vital tool for this purpose.

Key points

This article will share information related to the following tasks:

  • Installing Fail2Ban and the steps involved.
  • Configuring Fail2Ban and understanding the parameters used.
  • Activating Firewalld support.
  • Securing the SSH service with Fail2Ban.
  • Testing your Fail2Ban configuration.
  • Uninstalling or removing Fail2Ban.

About this Fail2Ban install tutorial

Fail2Ban is a powerful and widely-used security tool designed to enhance the security of Linux systems by protecting against malicious activities such as brute-force attacks and other unauthorized access attempts. In this article, we'll walk you through installing Fail2Ban on an AlmaLinux system, providing an additional layer of defense against potential security threats.

Overview of Linux Fail2Ban setup

You can start the Fail2Ban installation on AlmaLinux by following the below steps.

Prerequisites

Here are the prerequisites to consider before you begin the Fail2Ban install:

  • Confirm that your operating system and version is AlmaLinux OS 8.
  • Ensure you have root or sudo access to install and configure Fail2Ban on AlmaLinux.

Step #1. Ensure Firewalld is running

The Firewalld package is preinstalled by default on AlmaLinux. First, check whether it is running or not. You can check the Firewalld service status using the following command:

sudo systemctl status firewalld

If the Firewalld service isn't running, the following output will be displayed:

]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Now, start the Firewalld service using the following command:

sudo systemctl start firewalld

After that, verify the status of the Firewalld service:

sudo systemctl status firewalld

Here is the output:

]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2023-11-25 02:05:29 UTC; 2s ago
     Docs: man:firewalld(1)
 Main PID: 10017 (firewalld)
    Tasks: 2 (limit: 11852)
   Memory: 35.8M
   CGroup: /system.slice/firewalld.service
           └─10017 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started firewalld - dynamic firewall daemon.

Now, use the following command to list all services configured by Firewalld:

sudo firewall-cmd --list-all

Here is the output:

]# sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Step #2. Update the system

Before you proceed with Fail2Ban installation, ensure your system is up-to-date. To update your package lists and upgrade existing packages, use the following commands:

sudo dnf update

Step #3. Install EPEL

The Fail2Ban package is unavailable by default in the AlmaLinux default repo. As a result, you'll need to install it from the EPEL repository. You can install the EPEL repo using the following command:

sudo dnf install epel-release

Step #4. Install Fail2Ban

After installing the EPEL repo, use the following command to install the Fail2Ban firewall and the fail2ban-firewalld package:

sudo dnf install fail2ban fail2ban-firewalld

Here is the output:

]# sudo dnf install fail2ban fail2ban-firewalld
Extra Packages for Enterprise Linux 8 - x86_64                                                                                                                                                                 27 MB/s |  16 MB     00:00    
Last metadata expiration check: 0:00:06 ago on Sat 25 Nov 2023 02:07:48 AM UTC.
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                          Architecture                               Version                                                                      Repository                                     Size
==============================================================================================================================================================================================================================================
Installing:
 fail2ban                                                         noarch                                     1.0.2-3.el8                                                                  epel                                           21 k
 fail2ban-firewalld                                               noarch                                     1.0.2-3.el8                                                                  epel                                           21 k
Installing dependencies:
 esmtp                                                            x86_64                                     1.2-15.el8                                                                   epel                                           57 k
 fail2ban-selinux                                                 noarch                                     1.0.2-3.el8                                                                  epel                                           41 k
 fail2ban-sendmail                                                noarch                                     1.0.2-3.el8                                                                  epel                                           23 k
 fail2ban-server                                                  noarch                                     1.0.2-3.el8                                                                  epel                                          478 k
 libesmtp                                                         x86_64                                     1.0.6-18.el8                                                                 epel                                           70 k
 liblockfile                                                      x86_64                                     1.14-2.el8                                                                   baseos                                         31 k
 policycoreutils-python-utils                                     noarch                                     2.9-24.el8                                                                   baseos                                        253 k
 python3-pip                                                      noarch                                     9.0.3-23.el8                                                                 appstream                                      19 k
 python3-setuptools                                               noarch                                     39.2.0-7.el8                                                                 baseos                                        162 k
 python36                                                         x86_64                                     3.6.8-38.module_el8.5.0+2569+5c5719bc                                        appstream                                      18 k
Enabling module streams:
 python36                                                                                                    3.6                                                                                                                             

Transaction Summary
==============================================================================================================================================================================================================================================
Install  12 Packages

Total download size: 1.2 M
Installed size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/12): liblockfile-1.14-2.el8.x86_64.rpm                                                                                                                                                                     3.7 MB/s |  31 kB     00:00    
(2/12): python3-pip-9.0.3-23.el8.noarch.rpm                                                                                                                                                                   3.5 MB/s |  19 kB     00:00    
(3/12): python3-setuptools-39.2.0-7.el8.noarch.rpm                                                                                                                                                            8.9 MB/s | 162 kB     00:00    
(4/12): policycoreutils-python-utils-2.9-24.el8.noarch.rpm                                                                                                                                                     11 MB/s | 253 kB     00:00    
(5/12): python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64.rpm                                                                                                                                             1.7 MB/s |  18 kB     00:00    
(6/12): esmtp-1.2-15.el8.x86_64.rpm                                                                                                                                                                           980 kB/s |  57 kB     00:00    
(7/12): fail2ban-selinux-1.0.2-3.el8.noarch.rpm                                                                                                                                                               4.8 MB/s |  41 kB     00:00    
(8/12): fail2ban-sendmail-1.0.2-3.el8.noarch.rpm                                                                                                                                                              2.7 MB/s |  23 kB     00:00    
(9/12): fail2ban-firewalld-1.0.2-3.el8.noarch.rpm                                                                                                                                                             161 kB/s |  21 kB     00:00    
(10/12): fail2ban-1.0.2-3.el8.noarch.rpm                                                                                                                                                                      138 kB/s |  21 kB     00:00    
(11/12): libesmtp-1.0.6-18.el8.x86_64.rpm                                                                                                                                                                     3.0 MB/s |  70 kB     00:00    
(12/12): fail2ban-server-1.0.2-3.el8.noarch.rpm                                                                                                                                                               3.2 MB/s | 478 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                         2.2 MB/s | 1.2 MB     00:00     
Extra Packages for Enterprise Linux 8 - x86_64                                                                                                                                                                1.6 MB/s | 1.6 kB     00:00    


—---
—---

Installed:
  esmtp-1.2-15.el8.x86_64      fail2ban-1.0.2-3.el8.noarch   fail2ban-firewalld-1.0.2-3.el8.noarch          fail2ban-selinux-1.0.2-3.el8.noarch fail2ban-sendmail-1.0.2-3.el8.noarch   fail2ban-server-1.0.2-3.el8.noarch                   
  libesmtp-1.0.6-18.el8.x86_64 liblockfile-1.14-2.el8.x86_64 policycoreutils-python-utils-2.9-24.el8.noarch python3-pip-9.0.3-23.el8.noarch     python3-setuptools-39.2.0-7.el8.noarch python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64

Complete!

Once the Fail2Ban installation is complete, use the following commands to start and enable the Fail2Ban service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

You can use the following command to check the Fail2Ban service's status:

sudo systemctl status fail2ban

Here is the output:

]# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-11-25 02:10:29 UTC; 10s ago
     Docs: man:fail2ban(1)
 Main PID: 11425 (fail2ban-server)
    Tasks: 3 (limit: 11852)
   Memory: 10.8M
   CGroup: /system.slice/fail2ban.service
           └─11425 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting Fail2Ban Service...
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started Fail2Ban Service.
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal fail2ban-server[11425]: Server ready

Step #5. Configuring Fail2Ban

The main configuration file for Fail2Ban is found at /etc/fail2ban/jail.conf. It has a section where settings for Fail2Ban can be defined; we are not changing this file because a package upgrade may replace it.

So, first, create a custom Fail2Ban configuration file, /etc/fail2ban/jail.local. This is the file where customizations to Fail2Ban's settings should occur. Copying from jail.conf to jail.local isn't a backup. Rather, it's an essential step to further customize and configure Fail2Ban according to specific needs.

By default, this /etc/fail2ban/jail.local file does not exist, but Fail2Ban will look for it and read its contents if it exists:

touch /etc/fail2ban/jail.local

Then, open the jail.local file using your favorite text editor:

sudo nano /etc/fail2ban/jail.local

Add the following contents, and save the file:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
findtime = 1h
maxretry = 5

5.1. The Ignore IP Address (ignoreip) parameter

Thw ignoreip parameter provides a list of IP addresses that Fail2Ban should ignore. This scenario configures it to ignore loopback addresses (127.0.0.1 for IPv4 and ::1 for IPv6). So, any attempts originating from these IP addresses will not be blocked.

5.2. The Ban Time (bantime) parameter

The bantime parameter specifies the duration an IP address will be banned if it exceeds the maximum number of allowed login attempts (maxretry) within the defined findtime.

5.3. The Find Time (findtime) parameter

The findtime parameter sets the time window during which Fail2Ban monitors for repeated login failures.

5.4. The Max Retry (maxretry) parameter

The maxretry parameter defines the maximum number of login failures allowed within the specified findtime before Fail2Ban takes action.

5.5. Activating Firewalld support

Fail2Ban uses the iptables firewall by default. To activate Firewalld support, use the following command:

sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

5.6. Restarting the Fail2Ban service

Then, restart the Fail2Ban service to apply the changes:

sudo systemctl restart fail2ban

Step #6. Securing the SSH service with Fail2Ban

Fail2Ban does not block any remote hosts by default unless you enable jail configuration for a service that you want to secure. The jail's configuration is located in the /etc/fail2ban/jail.d file and takes control of the jail.local file.

To secure the SSH service, use the following command to generate a jail configuration file for SSH:

sudo nano /etc/fail2ban/jail.d/sshd.local

Then, paste the following lines:

# This configuration will block the remote host for 3 hours after 3 failed SSH login attempts. 
[sshd]
enabled = true
bantime = 3h
maxretry = 3

When you're finished, save and close the file, then restart the SSH service to reflect the changes:

sudo systemctl restart fail2ban

Next, use the fail2ban-client command-line tool to verify the jail configuration status:

sudo fail2ban-client status

Here is the output:

]# sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd

Use the following command to check the SSH jail for any banned IP addresses:

sudo fail2ban-client status sshd

Here is the output:

]# sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
[root@ip-172-31-27-69 ~]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

If you want to unban the IP address manually, use the following command:

sudo fail2ban-client unban remote-ip-address

Additionally, you can use the get option to verify the sshd jail's maxretry value.

sudo fail2ban-client get sshd maxretry

Here is the output:

]# sudo fail2ban-client get sshd maxretry
3

The value three displayed should correspond to the value you provided in the sshd.local file. If you want to understand more about how to proceed with the Fail2Ban installation on Ubuntu, please read the article How to install and configure Fail2Ban on Ubuntu Server 16.04.

Step #7. Testing your Fail2Ban configuration

After configuring Fail2Ban and establishing a jail configuration file for the SSH service, we'll run a test and simulate three failed logins by entering an incorrect password for each password prompt. So, go to a remote Linux system and try to log in using the incorrect password. After three failed attempts, the connection is disconnected, and any subsequent attempts to reconnect are prevented until the ban time expires:

admin@noufal ~]# ssh sample_user@192.168.2.103
sample_user@192.168.2.103's password: 
Permission denied, please try again.
sample_user@192.168.2.103's password: 
Permission denied, please try again.
sample_user@192.168.2.103's password: 
sample_user@192.168.2.103: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
admin@noufal ~]#

Check the jail's status to learn more about the restricted client systems:

sudo fail2ban-client status sshd

Here is the output:

]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	3
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	192.168.2.105

Use the following command to unban or remove the client from the jail:

sudo fail2ban-client unban 192.168.2.105

Here is the output:

]# sudo fail2ban-client unban 192.168.2.105
1

Recheck the jail status to ensure the client is not on the banned IP list.

sudo fail2ban-client status sshd

Here is the output:

]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	3
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	1
   `- Banned IP list:	

How to uninstall or remove Fail2Ban

To uninstall Fail2Ban, use the following command:

sudo dnf remove fail2ban

Here is the output:

]# sudo dnf remove fail2ban
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                         Architecture                                         Version                                                     Repository                                             Size
==============================================================================================================================================================================================================================================
Removing:
 fail2ban                                                        noarch                                               1.0.2-3.el8                                                 @epel                                                   0  
Removing unused dependencies:
 esmtp                                                           x86_64                                               1.2-15.el8                                                  @epel                                                 100 k
 fail2ban-sendmail                                               noarch                                               1.0.2-3.el8                                                 @epel                                                  12 k
 libesmtp                                                        x86_64                                               1.0.6-18.el8                                                @epel                                                 160 k
 liblockfile                                                     x86_64                                               1.14-2.el8                                                  @baseos                                                51 k

Transaction Summary
==============================================================================================================================================================================================================================================
Remove  5 Packages

Freed space: 323 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                      1/1 
  Erasing          : fail2ban-1.0.2-3.el8.noarch                                                                                                                                                                                          1/5 
  Erasing          : fail2ban-sendmail-1.0.2-3.el8.noarch                                                                                                                                                                                 2/5 
  Running scriptlet: esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              3/5 
  Erasing          : esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              3/5 
  Erasing          : libesmtp-1.0.6-18.el8.x86_64                                                                                                                                                                                         4/5 
  Erasing          : liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 
  Running scriptlet: liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 
  Verifying        : esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              1/5 
  Verifying        : fail2ban-1.0.2-3.el8.noarch                                                                                                                                                                                          2/5 
  Verifying        : fail2ban-sendmail-1.0.2-3.el8.noarch                                                                                                                                                                                 3/5 
  Verifying        : libesmtp-1.0.6-18.el8.x86_64                                                                                                                                                                                         4/5 
  Verifying        : liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 

Removed:
  esmtp-1.2-15.el8.x86_64                  fail2ban-1.0.2-3.el8.noarch                  fail2ban-sendmail-1.0.2-3.el8.noarch                  libesmtp-1.0.6-18.el8.x86_64                  liblockfile-1.14-2.el8.x86_64                 

Complete!

Then, remove the configuration files with this command:

sudo rm -r /etc/fail2ban

Closing thoughts

Implementing a Fail2Ban install on AlmaLinux is a critical step towards improving the security of your server. You've installed a robust intrusion prevention system and proactively protected against potential attacks by following the procedures outlined.

At Liquid Web, we understand the importance of strong security measures, and we're delighted to assist you in achieving your security goals. The combination of our expertise, support, and tailored services makes Liquid Web an excellent choice for enhancing the security of your AlmaLinux server with Fail2Ban. If you have any further questions or anything specific you'd like to discuss regarding purchasing suitable Liquid Web products for Fail2Ban installation on AlmaLinux, don't hesitate to contact our team directly.

Avatar for Mohammed Noufal

About the Author: Mohammed Noufal

Mohammed Noufal is a B.Tech graduate with a decade of experience in server administration and web hosting. He is a father to two daughters and finds fulfillment in their growth. In his free time, he enjoys blogging, sharing experiences, and listening to music. With a strong technical background, family commitment, and creative outlets, he represents a well-rounded life journey.

Latest Articles

How to use kill commands in Linux

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article

Change the root password in WebHost Manager (WHM)

Read Article