Securing servers against unauthorized users and malicious scripts is a top priority for every IT operations team. Many tools can help defend against attacks and breaches; Fail2ban is one of them.
Fail2ban is an open-source intrusion prevention tool that mitigates brute-force attacks against services such as SSH and VSFTPD. It ships with a range of filters, including one for SSH, that you can customize to update firewall rules and block unauthorized SSH login attempts.
Fail2ban monitors server log files for intrusion attempts and, after a predefined number of failed attempts, blocks the offending IP address for a specified duration. The IP is placed in a jail, which can be configured, enabled or disabled in the /etc/fail2ban/jail.conf configuration file. This protects your Linux server from unauthorized access, specifically from botnets and malicious scripts.
A jail consists of the following key elements:
- The log file to analyze
- The filters to apply to that log file
- The action to take when a filter matches
- Additional parameters that qualify the match, such as maxretry (maximum retries) and bantime (ban duration)
In this tutorial, we will guide you to install and configure Fail2ban on RHEL 8 / CentOS 8.
(1) Install the EPEL repository
Install the EPEL (Extra Packages for Enterprise Linux) repository as follows:
For CentOS 8
$ sudo dnf install -y epel-release
For RHEL 8
$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
(2) Install Fail2ban
To install Fail2ban, run the command below
$ sudo dnf install -y fail2ban
(3) Configure Fail2ban
By design, Fail2ban parses the log file and tries to match the failregex specified in the filter. A filter picks out failed authentication attempts for a particular service, for example using a regular expression to match failed SSH login attempts. An action is triggered when the number of matching log entries for a host reaches the configured maximum (maxretry) within the findtime window.
By default, after 3 authentication failures the offending host is banned, or "jailed", for 10 minutes. These parameters can be configured in the global configuration file /etc/fail2ban/jail.conf.
All important configuration files are located in /etc/fail2ban/ directory.
Filters are stored in the /etc/fail2ban/filter.d directory. There are dozens of filters for various services, including SSH, Webmin, postfix, and more.
/etc/fail2ban/jail.conf is the main configuration file. Do not modify it directly: it is likely to be overwritten by future package updates.
Instead, create a jail.local file in the /etc/fail2ban directory (or a .conf file under /etc/fail2ban/jail.d) and add custom configuration for the services to be secured.
For demonstration purposes, we will create a jail file for securing SSH connections.
$ sudo vim /etc/fail2ban/jail.local
The following is a sample configuration file content:
[DEFAULT]
ignoreip = 192.168.2.105
bantime = 86400
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
[sshd]
enabled = true
Let's break down these parameters and see what they represent.
- ignoreip – a list of IP addresses or domain names that are never banned
- bantime – as the name suggests, the duration in seconds for which the remote host is banned
- maxretry – the number of failed login attempts that triggers a ban
- findtime – the window in seconds within which maxretry failures must occur for the host to be banned
- banaction – the action used to ban a host; iptables-multiport inserts firewall rules for the jail's ports
- backend – the mechanism used to read the logs; systemd reads from the systemd journal instead of a log file
Our configuration therefore means the following:
When an IP address accumulates 3 authentication failures within the last 5 minutes, it is banned for 24 hours (except the host 192.168.2.105, which is ignored).
Save and exit the configuration file.
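As an added illustration (not part of the original tutorial or of Fail2ban's own code), the following Python script simulates how ignoreip, findtime, maxretry and bantime interact: constructed sshd log lines are run through a simplified stand-in for the sshd filter's failregex and counted per host in a sliding window.

```python
import re
from collections import defaultdict, deque

# Parameters taken from the tutorial's jail.local
IGNOREIP = {"192.168.2.105"}
BANTIME = 86400   # seconds a host stays banned
FINDTIME = 300    # window in which failures are counted
MAXRETRY = 3      # failures within FINDTIME that trigger a ban

# Simplified stand-in for the sshd filter's failregex (the real filter has many more patterns)
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)")

def run_jail(events):
    """events: list of (timestamp_seconds, log_line). Returns {ip: ban_expiry} for banned hosts."""
    failures = defaultdict(deque)  # ip -> timestamps of recent matching failures
    banned = {}                    # ip -> unix time the ban expires
    for ts, line in events:
        m = FAILREGEX.search(line)
        if not m:
            continue  # line does not match the filter, so it is ignored
        ip = m.group("host")
        if ip in IGNOREIP or (ip in banned and ts < banned[ip]):
            continue  # whitelisted, or currently banned: this simulation skips it
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned[ip] = ts + BANTIME
            window.clear()
    return banned

# Constructed sample: 3 quick failures from .101 (banned), 3 failures from .102 spread
# over 400 s (outside findtime, not banned), one from the whitelisted .105, one success.
SAMPLE = [
    (1000, "sshd[811]: Failed password for root from 192.168.2.101 port 50122 ssh2"),
    (1010, "sshd[812]: Failed password for invalid user admin from 192.168.2.101 port 50123 ssh2"),
    (1020, "sshd[813]: Failed password for root from 192.168.2.101 port 50124 ssh2"),
    (1030, "sshd[814]: Failed password for root from 192.168.2.102 port 40001 ssh2"),
    (1230, "sshd[815]: Failed password for root from 192.168.2.102 port 40002 ssh2"),
    (1430, "sshd[816]: Failed password for root from 192.168.2.102 port 40003 ssh2"),
    (1440, "sshd[817]: Failed password for root from 192.168.2.105 port 40004 ssh2"),
    (1450, "sshd[818]: Accepted publickey for admin from 192.168.2.110 port 40005 ssh2"),
]

if __name__ == "__main__":
    for ip, until in run_jail(SAMPLE).items():
        print(f"{ip} banned until t={until}")  # 192.168.2.101 banned until t=87420
```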
(4) Enable Fail2ban
After configuring the jail for SSH, start Fail2ban and enable it to start at boot.
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
To confirm the status of fail2ban, execute the following command
$ sudo systemctl status fail2ban
We can observe that fail2ban works as expected with
Now let's move on and see how Fail2ban works.
(5) Fail2ban practical exercise
Now let's go a step further and see Fail2ban in action. To monitor banned IP addresses, the fail2ban-client utility comes in handy. For example, to get the status of the sshd jail, use the command:
$ sudo fail2ban-client status sshd
Currently there are no banned IP entries because no SSH logins have been attempted yet.
We will use the PuTTY SSH client to log in from a Windows PC with an IP address different from the one whitelisted in jail.local.
From the output, we can clearly see that we can no longer reach the server. Checking the jail status again shows that one IP has been banned, as shown in the picture.
If you need to remove an IP from the ban list, unban it as follows:
$ sudo fail2ban-client unban 192.168.2.101
For more information about Fail2ban rules and policies, see the jail.conf man page:
$ man jail.conf