In this guide we shall discuss how to install and configure Fail2ban on CentOS 8 | RHEL 8. Fail2ban is an open-source intrusion detection and prevention tool that scans service logs for IP addresses showing signs of repeated failed login attempts. The tool then bans those IPs by adding firewall rules that reject traffic from them.
Fail2ban can be used to protect different services on a Linux system, including sshd, WordPress logins, Postfix, etc.
Install Fail2ban on CentOS 8 | RHEL 8
You have to install EPEL repository on your CentOS/RHEL 8 system to get the Fail2ban package.
sudo dnf -y install epel-release
Install Fail2ban package:
sudo dnf -y install fail2ban
Start and enable Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Configure Fail2ban on CentOS 8 | RHEL 8
After a successful installation, the next step is to configure fail2ban.
Fail2ban configuration files reside in the /etc/fail2ban/ directory. The main configuration file is /etc/fail2ban/jail.conf. The filters are stored in the /etc/fail2ban/filter.d/ directory.
It is not recommended to edit the jail.conf file directly, because any settings in it are overridden by the values in *.local files. The best practice is therefore to create a separate file, jail.local, that will hold our configuration.
Let’s configure some defaults in /etc/fail2ban/jail.local:
sudo vi /etc/fail2ban/jail.local
Add the following parameters:
[DEFAULT]
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
banaction_allports = iptables-allports
A brief description of the above parameters:
- bantime – the amount of time, in seconds, that an IP will remain banned
- maxretry – the number of failures allowed before a host is banned
- findtime – fail2ban bans a host if it has generated “maxretry” failures within the last “findtime” seconds
- banaction – the type of ban action to be implemented
- ignoreip – IP addresses (or networks) that fail2ban will never ban
- backend – the backend used to detect log file modifications (systemd reads the journal)
- banaction_allports – the action used when a jail blocks the remote IP on every port
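As an added illustration (not part of the original guide or of Fail2ban itself), the following Python script replays constructed sshd log lines through the bantime/findtime/maxretry logic described above, so you can see which host would be banned under these defaults and how widening findtime or adding an ignoreip entry changes the outcome. The failregex is a simplified stand-in for the real sshd filter, and the year added to the syslog timestamps is an assumption.

```python
import re
from datetime import datetime, timedelta

# Defaults taken from the [DEFAULT] section above (seconds).
FINDTIME, MAXRETRY, BANTIME = 300, 3, 21600

# Simplified stand-in for the sshd filter's failregex (assumption: not the real
# /etc/fail2ban/filter.d/sshd.conf, which matches many more message forms).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed /var/log/secure-style lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Mar  3 10:00:07 host sshd[1203]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:00:09 host sshd[1205]: Accepted publickey for deploy from 198.51.100.9 port 50000 ssh2
Mar  3 10:00:15 host sshd[1207]: Failed password for root from 203.0.113.5 port 40114 ssh2
Mar  3 10:30:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 50010 ssh2
Mar  3 10:40:00 host sshd[1302]: Failed password for root from 198.51.100.9 port 50011 ssh2
Mar  3 10:50:00 host sshd[1303]: Failed password for root from 198.51.100.9 port 50012 ssh2
"""

def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; assume one so the lines can be ordered."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def simulate(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, ignoreip=()):
    """Return {ip: time_of_ban} for hosts reaching maxretry failures inside a findtime window."""
    recent = {}   # ip -> timestamps of failures still inside the window
    bans = {}     # ip -> when the ban started
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                      # not a failure: ignored by the jail
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in ignoreip:
            continue                      # ignoreip hosts are never counted
        if ip in bans and ts - bans[ip] < timedelta(seconds=bantime):
            continue                      # still banned: the firewall rule covers it
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:       # maxretry failures within findtime -> ban
            bans[ip] = ts
            recent[ip] = []
    return bans
```

Calling simulate(SAMPLE_LOG) bans only 203.0.113.5 (three failures in 14 seconds), while 198.51.100.9 escapes because its failures are 10 minutes apart; simulate(SAMPLE_LOG, findtime=3600) bans both.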
Configuring Jails to secure SSH, Postfix and Dovecot
In this section we shall look at how to configure Fail2ban jails for SSH, Postfix and Dovecot.
In the /etc/fail2ban/jail.local file, add parameters for the services you wish to enable.
For SSH:
[sshd]
enabled = true
port = ssh
filter = sshd
# On CentOS/RHEL the SSH log is /var/log/secure; with backend = systemd the journal is read instead
logpath = /var/log/secure
For Postfix:
[postfix]
enabled = true
port = smtp,465,submission
For Dovecot:
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
For Postfix-SASL:
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
In the above configuration, the following attributes have been used:
- enabled – set to true or false to enable or disable the jail
- port – the port(s) on which the service is listening. You can use service names if the ports in use are the default ones; otherwise you need to specify the port numbers explicitly
- filter – the name of the filter file in the /etc/fail2ban/filter.d/ directory, which contains the failregex used to parse the logs
- logpath – the path to the service’s log file
Using Fail2ban client
fail2ban-client is the command line tool used to control Fail2ban from the shell.
The general usage is fail2ban-client <COMMAND>
Below is a list of fail2ban-client commands:
- start – starts the Fail2ban server and jails
- reload – reloads the Fail2ban configuration
- stop – stops the server
- status – shows the status of the server and the enabled jails
- status JAIL – shows the status of the given jail and the currently banned IPs
Examples:
1. fail2ban-client status
$ sudo fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth
2. fail2ban-client status sshd
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 22
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 4
   `- Banned IP list:
3. Unbanning an IP
To remove an IP from a jail, use the following command:
$ sudo fail2ban-client set <jailname> unbanip <IP>
Example:
$ sudo fail2ban-client set sshd unbanip 192.168.100.12
In the above example, we have removed the IP 192.168.100.12 from the sshd jail.
Conclusion
We have gone through a guide on how to set up Fail2ban on CentOS/RHEL 8. The tool is useful for detecting and preventing attacks such as password brute forcing on a RHEL/CentOS 8 system.