1. Install Fail2Ban
Because Fail2Ban is not available in the default CentOS repositories, we first have to enable the EPEL repository.
The following commands must be executed as the root user (or with equivalent privileges).
yum install epel-release
Follow up by installing Fail2Ban:
yum install fail2ban fail2ban-systemd
2. Running Fail2Ban service
Execute the following commands to enable Fail2Ban at boot and start it on the server:
systemctl enable fail2ban
systemctl start fail2ban
3. Copy the Configuration File
The default Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, since it can be overwritten by package upgrades; instead, copy it so that we can make our changes safely.
We need to copy it to a file called jail.local in the same directory. Fail2Ban reads jail.local after jail.conf, and any value set in jail.local overrides the one in jail.conf.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, make all of your changes in the new jail.local file. Many of the services that may need protection are already in the file, each in its own section, pre-configured but disabled.
4. Configure defaults in jail.local
Open up the new Fail2Ban configuration file:
vi /etc/fail2ban/jail.local
The first section, [DEFAULT], contains the basic rules that Fail2Ban applies to every enabled jail unless the jail's own section overrides them. If you want more nuanced protection for your server, you can customize the details in each jail's section.
You can see the default section below:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5
Add your own IP address to the ignoreip line; separate multiple addresses with a space. ignoreip whitelists addresses so that they are never banned, whatever they do. Including the address you administer the server from guarantees that you do not accidentally lock yourself out of your own server.
Set the banaction parameter to iptables-multiport so that bans are written as iptables rules. On CentOS the Fail2Ban package ships /etc/fail2ban/jail.d/00-firewalld.conf, which selects firewalld as the ban backend; the value in jail.local overrides it.
Next decide on a bantime, the number of seconds a host is blocked once it has violated one of the rules. A temporary ban is usually enough against bots, which, once banned, simply move on to the next target. The default is 10 minutes; you may raise this to an hour (or more) if you like.
maxretry is the number of failed login attempts a host may make before it is banned for bantime seconds.
findtime is the window, in seconds, over which those failures are counted. The default is 10 minutes: a host is banned as soon as it has failed maxretry times within any 10-minute period, so failures spread out more slowly than that never add up to a ban. Lowering findtime or raising maxretry makes the jail more tolerant; raising findtime catches slow, distributed guessing at the cost of more false positives.
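To make the interplay of maxretry and findtime concrete, the following bash script is an added example (it is not Fail2Ban's code and not part of the original tutorial). It re-implements the sliding-window counting over a handful of constructed /var/log/secure lines: one address fails five times in eight seconds, another fails five times spread over two hours. The log lines, the documentation-range addresses (203.0.113.10 and 198.51.100.7) and the function name f2b_simulate are all invented for the example. Real Fail2Ban matches lines with the regular expressions in /etc/fail2ban/filter.d/sshd.conf and parses full timestamps; this script only matches "Failed password" lines and assumes every line comes from the same day.

```shell
#!/usr/bin/env bash
# Added example, not Fail2Ban's code: a minimal re-implementation of the
# findtime/maxretry sliding-window logic over constructed /var/log/secure lines.
# Usage: f2b_simulate MAXRETRY FINDTIME [IGNOREIP ...]  < logfile
# Prints each address that would be banned, once, in the order the ban triggers.

# Constructed sample lines in the syslog format CentOS writes to /var/log/secure.
# 203.0.113.10 fails 5 times in 8 seconds; 198.51.100.7 fails 5 times over two hours.
SAMPLE_LOG='Mar  5 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  5 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Mar  5 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.10 port 51236 ssh2
Mar  5 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.10 port 51237 ssh2
Mar  5 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.10 port 51238 ssh2
Mar  5 10:01:00 host sshd[1206]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  5 10:30:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  5 11:00:00 host sshd[1208]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar  5 11:30:00 host sshd[1209]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Mar  5 12:00:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40005 ssh2
Mar  5 12:00:01 host sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40006 ssh2'

f2b_simulate() {
    local maxretry=$1 findtime=$2
    shift 2
    awk -v maxretry="$maxretry" -v findtime="$findtime" -v ignorelist="$*" '
    BEGIN {
        # Build the ignore set from a space-separated list, like the ignoreip setting.
        n_ign = split(ignorelist, tmp, " ")
        for (k = 1; k <= n_ign; k++) ignore[tmp[k]] = 1
    }
    # Only "Failed password" lines count as failures here (the real sshd filter
    # matches many more patterns).
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        # Field 3 is hh:mm:ss; the sample is assumed to be one day, so seconds
        # since midnight are enough for the window arithmetic.
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        # The source address is the token after "from".
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in ignore)) next
        # Record this failure, then count how many failures of this address fall
        # inside the findtime window that ends at this line.
        cnt[ip]++
        when[ip, cnt[ip]] = ts
        hits = 0
        for (j = 1; j <= cnt[ip]; j++) if (ts - when[ip, j] <= findtime) hits++
        # Ban on the first line that reaches maxretry inside the window; report once.
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Demo with the tutorial defaults (maxretry 5, findtime 600): only the burst from
# 203.0.113.10 is banned; the slow attempts from 198.51.100.7 never reach five
# failures inside any single 10-minute window.
printf '%s\n' "$SAMPLE_LOG" | f2b_simulate 5 600
```

Running the same log with findtime raised to 7200 bans the slow guesser as well, and passing an address as a third argument (the ignoreip equivalent) exempts it entirely; that is the trade-off the two parameters control.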
5. Add a jail file to protect SSH
Although you can put these parameters in the global jail.local file, it is good practice to create a separate file under /etc/fail2ban/jail.d/ for each service you want to protect with Fail2Ban.
So let's create a new jail for SSH with the vi editor.
vi /etc/fail2ban/jail.d/sshd.local
In the above file, add the following lines of code:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 5
bantime = 600
enabled switches SSH protection on. You can turn it off again by setting it to false.
The port parameter defines which port Fail2Ban blocks for banned hosts. If sshd listens on the default port 22 there is no need to change it; otherwise enter the port you use for SSH access, or the ban rule will be inserted for the wrong port and do nothing.
action describes the steps Fail2Ban takes to ban a matching IP address. Each action refers to a file in the action.d directory; the ban action used here, iptables-multiport, is defined in /etc/fail2ban/action.d/iptables-multiport.conf.
logpath is the log file Fail2Ban watches; on CentOS the sshd authentication messages go to /var/log/secure. The filter is not named explicitly because Fail2Ban defaults it to the jail name, so this jail uses /etc/fail2ban/filter.d/sshd.conf. Before enabling a jail, it is worth running the fail2ban-regex utility that ships with Fail2Ban against the log and the filter to confirm that the filter actually matches your log lines.
The maxretry and bantime lines in the [sshd] section have the same meaning as in the [DEFAULT] section. If you have enabled several jails and want different thresholds for each, set the SSH-specific maxretry and bantime here and they will take precedence over the defaults.
6. Restart Fail2Ban
After making any changes to the Fail2Ban config, always be sure to restart Fail2Ban.
systemctl restart fail2ban
You can see the rules that Fail2Ban has inserted into iptables; it creates a separate chain per jail, named after the jail (for example f2b-sshd for the [sshd] jail), and adds a rule for each banned address to it:
iptables -L -n
7. Check Fail2Ban Status
Use the fail2ban-client command to query the overall status of the Fail2Ban jails.
fail2ban-client status
You can also query a specific jail status using the following command:
fail2ban-client status sshd
8. Manually Unban an IP Banned by Fail2Ban
If for some reason you want to restore access to an IP address that has been banned, use the following command to manually unban it:
fail2ban-client set JAIL unbanip IPADDRESS
For example, to unban 192.168.1.101, which was banned by the [sshd] jail:
fail2ban-client set sshd unbanip 192.168.1.101