Setup fail2ban » Historie » Version 4
Jeremias Keihsler, 13.04.2019 12:27
| 1 | 1 | Jeremias Keihsler | h1. Setup fail2ban |
|---|---|---|---|
| 2 | |||
| 3 | 2 | Jeremias Keihsler | h2. Requirements |
| 4 | |||
| 5 | To install fail2ban you will need the following: |
||
| 6 | * a installed and supported operating system (e.g. CentOS 7.x) |
||
| 7 | * root-access |
||
| 8 | * a fast internet connection |
||
| 9 | * [[repo_epel|EPEL]] |
||
| 10 | |||
| 11 | h2. Preliminary Note |
||
| 12 | |||
| 13 | This procedure is based on a documentation taken from https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/ |
||
| 14 | |||
| 15 | Most Linux servers offer an SSH login via Port 22 for remote administration purposes. This port is a well-known port, therefore, it is often attacked by brute force attacks. Fail2ban is a software that scans log files for brute force login attempts in real-time and bans the attackers with firewalld or iptables. Fail2ban recognizes unwanted access or security breach efforts to the server within the administrator set time frame and blocks the IP addresses which show signs of brute force attacks or dictionary attacks. This program works in the background and continuously scans the log files for unusual login patterns and security breach attempts. |
||
| 16 | |||
| 17 | h2. Install |
||
| 18 | |||
| 19 | 3 | Jeremias Keihsler | <pre><code class="bash"> |
| 20 | 2 | Jeremias Keihsler | yum install fail2ban fail2ban-systemd |
| 21 | </code></pre> |
||
| 22 | 4 | Jeremias Keihsler | |
| 23 | If you have SELinux installed, then update the SELinux policies: |
||
| 24 | |||
| 25 | <pre><code class="bash"> |
||
| 26 | yum update -y selinux-policy* |
||
| 27 | </code></pre> |
||
| 28 | |||
| 29 | h2. Configure settings for Fail2Ban |
||
| 30 | |||
| 31 | Once installed, we will have to configure and customize the software with a jail.local configuration file. The jail.local file overrides the jail.conf file and is used to make your custom configuration update safe. |
||
| 32 | |||
| 33 | Make a copy of the jail.conf file and save it with the name jail.local: |
||
| 34 | |||
| 35 | <pre><code class="bash"> |
||
| 36 | cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local |
||
| 37 | </code></pre> |
||
| 38 | |||
| 39 | Open the jail.local file for editing in Nano with the following command. |
||
| 40 | |||
| 41 | <pre><code class="bash"> |
||
| 42 | vim /etc/fail2ban/jail.local |
||
| 43 | </code></pre> |
||
| 44 | |||
| 45 | The file code may consist of many lines of codes which execute to prevent a ban on one or many IP addresses, set bantime duration, etc. A typical jail configuration file contains the following lines. |
||
| 46 | |||
| 47 | <pre><code class="ini"> |
||
| 48 | [DEFAULT] |
||
| 49 | |||
| 50 | # |
||
| 51 | # MISCELLANEOUS OPTIONS |
||
| 52 | # |
||
| 53 | |||
| 54 | # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not |
||
| 55 | # ban a host which matches an address in this list. Several addresses can be |
||
| 56 | # defined using space separator. |
||
| 57 | ignoreip = 127.0.0.1/8 |
||
| 58 | |||
| 59 | # External command that will take an tagged arguments to ignore, e.g. <ip>, |
||
| 60 | # and return true if the IP is to be ignored. False otherwise. |
||
| 61 | # |
||
| 62 | # ignorecommand = /path/to/command <ip> |
||
| 63 | ignorecommand = |
||
| 64 | |||
| 65 | # "bantime" is the number of seconds that a host is banned. |
||
| 66 | bantime = 600 |
||
| 67 | |||
| 68 | # A host is banned if it has generated "maxretry" during the last "findtime" |
||
| 69 | # seconds. |
||
| 70 | findtime = 600 |
||
| 71 | |||
| 72 | # "maxretry" is the number of failures before a host get banned. |
||
| 73 | maxretry = 5 |
||
| 74 | </code></pre> |