What Is Fail2Ban?
Fail2ban is an open-source software that actively scans the servers log files in real-time for any brute force login attempts, and if found, summarily blocks the attack using the servers firewall software (firewalld or iptables). Fail2Ban runs as a background process and continuously scans the log files for unusual login patterns and security breach attempts.
In order to install Fail2Ban on CentOS 7, we first need to enable the EPEL (Extra Packages for Enterprise Linux) repository. The following commands will be run as the root user.
[root@host ~]# yum install epel-release [root@host ~]# yum install fail2ban fail2ban-systemd
Once fail2ban is installed, we need to configure and adjust the software with an updated jail.local configuration file. As a side note, the fail2ban software stores its configuration files within the /etc/fail2ban folder. The jail.local file supersedes the jail.conf file and is normally used to verify your custom updates are safe.
First, we will make a copy of the “jail.conf” file and re-save it with the name “jail.local”:
[root@host ~]# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Next, we will need to edit the jail.local file in Vim using the following command.
[root@host ~]# vim /etc/fail2ban/jail.local
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # Override /etc/fail2ban/jail.d/00-firewalld.conf: banaction = iptables-multiport # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5
Add your local IP address onto the ignoreip line.
Add A Jail File To Protect SSH Access
Next, we need to create and edit a new file in Vim called sshd.local.
[root@host ~]# touch /etc/fail2ban/jail.d/sshd.local && chmod +x /etc/fail2ban/jail.d/sshd.local [root@host ~]# vim /etc/fail2ban/jail.d/sshd.local
After this, we add the following lines of code.
[sshd] enabled = true port = ssh #action = firewallcmd-ipset logpath = %(sshd_log)s maxretry = 5 bantime = 86400
Ensure that the parameter ‘enabled’ is set to ‘true’. In order to enable protection, set to True, To disable protection, set it to False. The filter parameter on line 167 in the jail.conf file
filter = %(__name__)s[mode=%(mode)s]
checks the sshd configuration file against this setting located in the path /etc/fail2ban/filter.d/sshd.conf.
The action of this parameter is used to define the IP address needing to be banned using the filter available in the /etc/fail2ban/action.d/firewallcmd-ipset.conf file.
Additionally, the SSH port parameter may be modified to a new value to match your SSH settings. If you are using port 22, there is no need for a change in this parameter. Other parameters include:
- Logpath: Logpath defines the path where the log file will be stored. This log file is scanned by Fail2Ban.
- Maxretry: Maxetry is used to define the max limit of failed login entries.
- Bantime: The bantime parameter is used to define the number of seconds a host will be banned.
If you are not running the CentOS Firewall (firewalld), enable it:
[root@host ~]# systemctl enable firewalld [root@host ~]# systemctl start firewalld
Run the following commands to enable and start the Fail2Ban software on the server.
[root@host ~]# systemctl enable fail2ban [root@host ~]# systemctl start fail2ban
To check the status of the Fail2Ban jails, run the following command:
[root@host ~]# fail2ban-client status
The result should be similar to this:
[root@host ~]# fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
Unbanning An IP Address
In order to manually remove an IP address from the banned list, use the following command:
[root@host ~]# fail2ban-client set sshd unbanip IPADDRESS
This will remove the IP.
Are you concerned with the security of your server?
Have you been seeing multiple login attempts when logging into your server? Liquid Web has several state of the art security packages available to ensure your data is protected.
Give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Solutions or Experienced Hosting advisors to learn how you can take advantage of these techniques today!