Install fail2ban on RHEL/CentOS

Fail2ban is a free, open source intrusion prevention framework written in Python. It works by monitoring log files such as /var/log/pwdfail, /var/log/auth.log and /var/log/secure and banning a source IP address after too many failed password attempts. The ban is implemented by adding an iptables firewall rule that rejects traffic from that address for a configurable amount of time.

Fail2ban runs as a daemon that uses Python filters (regular expressions) to parse log files for intrusion attempts and inserts rules into the live iptables rule set to block access from the offending addresses. It only reacts to what is already in the logs, so it limits brute-force attempts rather than replacing strong authentication.

Install Fail2ban on CentOS

Before moving on to the installation and configuration of Fail2ban, keep in mind that most attackers try to gain root access via SSH. Pay close attention to basics such as disabling SSH root logins (PermitRootLogin no in /etc/ssh/sshd_config) and using SSH key pairs instead of passwords for authentication; Fail2ban is a rate limiter on top of those measures, not a substitute for them.

Fail2ban is not in the default RHEL/CentOS repositories, so you first need to add and enable the third-party EPEL repository on your box:

RHEL/CentOS 6 32-Bit 
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
RHEL/CentOS 6 64-Bit 
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm 

Once the repository is added, install Fail2ban with:

# yum install fail2ban

Configuring the DEFAULT section of Fail2Ban

The main Fail2Ban configuration file is /etc/fail2ban/jail.conf. Open it with vim or whichever editor you prefer. Be aware that package upgrades overwrite jail.conf; to keep your changes safe, copy only the sections you modify into /etc/fail2ban/jail.local, which is read after jail.conf and overrides it.

# vim /etc/fail2ban/jail.conf

You will see a [DEFAULT] section with the basic settings that apply to every jail. To add an extra layer of protection to your server, customise each section to suit your needs.

[DEFAULT]
ignoreip = 127.0.0.1/8 178.124.197.145 
bantime = 600
findtime = 600
maxretry = 3

ignoreip : A space-separated list of IP addresses or networks that are never banned (a whitelist). Make sure to include the address you administer the server from, otherwise a few typos in your own password will lock you out; the second address in the example above is the author's own and should be replaced with yours.
bantime : The number of seconds a host stays banned. The default is 600 (10 minutes); you may increase this to an hour or more if you like.
findtime : The length of the window, in seconds, over which failures are counted. The default is 600 (10 minutes): a host that fails maxretry times within any 10-minute window is banned.
maxretry : The number of failed login attempts within findtime after which a host is banned for bantime seconds.

The following section is the default ssh-iptables jail; it is enabled out of the box.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@h77-245-66-42.host.redstation.co.uk]
logpath  = /var/log/secure
maxretry = 5

enabled : Turns the SSH jail on. You can switch it off by changing “true” to “false“.
filter : Set to sshd by default; it refers to /etc/fail2ban/filter.d/sshd.conf, which holds the regular expressions Fail2ban uses to match failed logins in the log.
action : Tells Fail2ban what to do once the filter matches: the iptables action (defined in /etc/fail2ban/action.d/iptables.conf) bans the matching IP address, and the sendmail-whois action (defined in /etc/fail2ban/action.d/sendmail-whois.conf) sends an email with whois details to dest whenever an address is banned. The mail part only works if the server has a working mail setup; otherwise drop the second line.
logpath : The log file Fail2ban watches for this jail; on RHEL/CentOS sshd logs to /var/log/secure.
maxretry : Same meaning as in the [DEFAULT] section; this value overrides the default for the SSH jail only (5 here instead of 3).

After changing the configuration, enable the service at boot and restart it so the changes take effect:

# chkconfig --level 23 fail2ban on
# service fail2ban restart

Check that the rules Fail2ban added are in effect in the iptables rule set:

# iptables -L

The INPUT chain hands SSH traffic to a fail2ban-SSH chain (named after the name= parameter of the action), and banned addresses show up there as DROP rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
...
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  15.13.14.40          anywhere
RETURN     all  --  anywhere             anywhere
...

To see recent failed SSH login attempts, grep /var/log/secure; each line shows the target user and the source address and port:

# grep 'Failed password' /var/log/secure | sort | uniq -c
   1 Feb 20 19:47:40 h77-245-66-42 sshd[24566]: Failed password for root from 220.117.148.111 port 51802 ssh2
   1 Feb 20 19:47:45 h77-245-66-42 sshd[24570]: Failed password for root from 220.117.148.111 port 51954 ssh2
   1 Feb 20 19:47:49 h77-245-66-42 sshd[24575]: Failed password for root from 220.117.148.111 port 52113 ssh2
...
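The ban decision described under the [DEFAULT] options above (findtime, maxretry, bantime, ignoreip) can be reproduced offline to see what the grep output above would lead to, and to get the per-host counts that output lacks. The following Python script is an added example written for this page; it is not Fail2ban's own code and not from the original article. It matches only the plain “Failed password” form of sshd's log line (the real sshd.conf filter covers many more), assumes a fixed log year because syslog timestamps carry none, and runs over constructed sample lines: the first three are the ones quoted from the grep output, the other addresses are documentation ranges plus the whitelisted address from the [DEFAULT] example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/secure lines (not captured from a real host).
# The first three are the lines quoted in the article; 192.0.2.10 and 198.51.100.7
# are documentation addresses (RFC 5737); 178.124.197.145 is the whitelisted
# address from the [DEFAULT] example.
SAMPLE_LOG = """\
Feb 20 19:47:40 h77-245-66-42 sshd[24566]: Failed password for root from 220.117.148.111 port 51802 ssh2
Feb 20 19:47:45 h77-245-66-42 sshd[24570]: Failed password for root from 220.117.148.111 port 51954 ssh2
Feb 20 19:47:49 h77-245-66-42 sshd[24575]: Failed password for root from 220.117.148.111 port 52113 ssh2
Feb 20 19:48:02 h77-245-66-42 sshd[24580]: Failed password for invalid user admin from 220.117.148.111 port 52200 ssh2
Feb 20 19:48:10 h77-245-66-42 sshd[24584]: Failed password for root from 220.117.148.111 port 52250 ssh2
Feb 20 20:01:00 h77-245-66-42 sshd[24600]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Feb 20 20:30:00 h77-245-66-42 sshd[24610]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Feb 20 20:59:00 h77-245-66-42 sshd[24620]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Feb 20 21:28:00 h77-245-66-42 sshd[24630]: Failed password for alice from 192.0.2.10 port 40003 ssh2
Feb 20 21:57:00 h77-245-66-42 sshd[24640]: Failed password for alice from 192.0.2.10 port 40004 ssh2
Feb 20 22:00:00 h77-245-66-42 sshd[24650]: Failed password for root from 178.124.197.145 port 50000 ssh2
Feb 20 22:00:01 h77-245-66-42 sshd[24651]: Failed password for root from 178.124.197.145 port 50001 ssh2
Feb 20 22:00:02 h77-245-66-42 sshd[24652]: Failed password for root from 178.124.197.145 port 50002 ssh2
Feb 20 22:05:00 h77-245-66-42 sshd[24660]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
"""

# Only the plain "Failed password" line; Fail2ban's sshd.conf filter has many more patterns.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied


def parse_failures(log_text, year=LOG_YEAR):
    """Yield (timestamp, source_ip) for each line matching the failed-login pattern."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, ip_address(m.group("ip"))


def failures_per_host(log_text):
    """Count failed attempts per source address (the figure the plain grep output lacks)."""
    return Counter(str(ip) for _, ip in parse_failures(log_text))


def would_ban(log_text, maxretry=3, findtime=600, bantime=600,
              ignoreip=("127.0.0.1/8", "178.124.197.145")):
    """Apply the [DEFAULT] semantics: ban a host at its maxretry-th failure within any
    findtime-second window, for bantime seconds, unless it is whitelisted in ignoreip.
    Returns {ip: (banned_at, expires_at)} holding the most recent ban of each host."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)   # per-host failure timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if any(ip in net for net in ignored):
            continue  # whitelisted: never counted, never banned
        key = str(ip)
        if key in banned and ts < banned[key][1]:
            continue  # still banned: the DROP rule would not let this attempt reach sshd
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[key] = (ts, ts + timedelta(seconds=bantime))
            window.clear()  # counting starts afresh once the ban expires
    return banned


if __name__ == "__main__":
    for ip, n in failures_per_host(SAMPLE_LOG).most_common():
        print(f"{n:3d} failures from {ip}")
    for ip, (start, end) in would_ban(SAMPLE_LOG).items():
        print(f"ban {ip} at {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the jail's maxretry of 5 instead of the default 3, the ban of 220.117.148.111 moves from its third to its fifth failure. The host 192.0.2.10, failing once every 29 minutes, is never banned with the 10-minute findtime but is with a one-hour one; that slow brute force is exactly the case a longer findtime is meant to catch, at the price of a larger in-memory window per host.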

To remove a banned address from the Fail2ban iptables rules by hand, delete it from the jail's chain. The chain name is case-sensitive and matches the name= given in the action (fail2ban-SSH here, as in the iptables -L output above); the number is the rule's position in that chain, which iptables -L --line-numbers shows:

# iptables -D fail2ban-SSH 1

Deleting the rule directly leaves Fail2ban's own record of the ban untouched, so it will still try to remove the rule when bantime expires and log an error. On versions that support it, unbanning through fail2ban-client (fail2ban-client set ssh-iptables unbanip <address>) keeps the firewall and Fail2ban's state in sync.

To actually receive the ban notifications, make sure mail for root is delivered somewhere you read: add an alias for root in /etc/aliases pointing to your address and run newaliases afterwards.
