DokuWiki » Infrastructure » Operating System » CentOS 7

h1. Setup fail2ban

h2. Requirements

To install fail2ban you will need the following:

* a installed and supported operating system (e.g. CentOS 7.x)

* root-access

* a fast internet connection

* [[repo_epel|EPEL]]

h2. Preliminary Note

This procedure is based on a documentation taken from https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/

Most Linux servers offer an SSH login via Port 22 for remote administration purposes. This port is a well-known port, therefore, it is often attacked by brute force attacks. Fail2ban is a software that scans log files for brute force login attempts in real-time and bans the attackers with firewalld or iptables. Fail2ban recognizes unwanted access or security breach efforts to the server within the administrator set time frame and blocks the IP addresses which show signs of brute force attacks or dictionary attacks. This program works in the background and continuously scans the log files for unusual login patterns and security breach attempts.

h2. Install 

<pre><code class="bash">

yum install fail2ban fail2ban-systemd

</code></pre>

If you have SELinux installed, then update the SELinux policies:

<pre><code class="bash">

yum update -y selinux-policy*

</code></pre>

h2. Configure settings for Fail2Ban

Once installed, we will have to configure and customize the software with a jail.local configuration file. The jail.local file overrides the jail.conf file and is used to make your custom configuration update safe.

Make a copy of the jail.conf file and save it with the name jail.local:

<pre><code class="bash">

cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

</code></pre>

Open the jail.local file for editing with the following command.

<pre><code class="bash">

vim /etc/fail2ban/jail.local

</code></pre>

The file code may consist of many lines of codes which execute to prevent a ban on one or many IP addresses, set bantime duration, etc. A typical jail configuration file contains the following lines.

<pre><code class="ini">

[DEFAULT]

#

# MISCELLANEOUS OPTIONS

#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,

# and return true if the IP is to be ignored. False otherwise.

#

# ignorecommand = /path/to/command <ip>

ignorecommand =

# "bantime" is the number of seconds that a host is banned.

bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

</code></pre>

Ignoreip is used to set the list of IPs which will not be banned. The list of IP addresses should be given with a space separator. This parameter is used to set your personal IP address (if you access the server from a fixed IP).

Bantime parameter is used to set the duration of seconds for which a host needs to be banned.

Findtime is the parameter which is used to check if a host must be banned or not. When the host generates maxrety in its last findtime, it is banned.

Maxretry is the parameter used to set the limit for the number of retry's by a host, upon exceeding this limit, the host is banned.

h2. Add a jail file to protect SSH.

Create a new file with the editor

<pre><code class="shell">

vim /etc/fail2ban/jail.d/sshd.local

</code></pre>

To the above file, add the following lines of code.

<pre><code class="ini">

[sshd]

enabled = true

port = ssh

#action = firewallcmd-ipset

logpath = %(sshd_log)s

maxretry = 5

bantime = 86400

</code></pre>

Parameter enabled is set to true, in order to provide protection, to deactivate protection, it is set to false. The filter parameter checks the sshd configuration file, located in the path /etc/fail2ban/filter.d/sshd.conf.

The parameter action is used to derive the IP address which needs to be banned using the filter available from /etc/fail2ban/action.d/firewallcmd-ipset.conf.

Port parameter may be changed to a new value such as port=1212, as is the case. When using port 22, there is no need to change this parameter.

Logpath provides the path where the log file is stored. This log file is scanned by Fail2Ban.

Maxretry is used to set the maximum limit for failed login entries.

Bantime parameter is used to set the duration of seconds for which a host needs to be banned.

h2. Running Fail2Ban service

When you are not running the CentOS Firewall yet, then start it:

<pre><code class="shell">

systemctl enable firewalld

systemctl start firewalld

</code></pre>

Execute the following lines of command to run the protective Fail2Ban software on the server.

<pre><code class="shell">

systemctl enable fail2ban

systemctl start fail2ban 

</code></pre>

h2. Tracking Failed login entries

The following command is used to check whether there had been failed attempts to login to sever via ssh port.

<pre><code class="shell">

cat /var/log/secure | grep 'Failed password'

</code></pre>

Executing the above command will get a list of failed root password attempts from different IP addresses. The format of results will be similar to the one showed below:

<pre><code class="shell">

Apr 4 17:05:12 htf sshd[4287]: Failed password for root from 108.61.157.25 port 23121 ssh2

Apr 4 17:05:15 htf sshd[3154]: Failed password for root from 108.61.157.25 port 14486 ssh2

Apr 4 17:05:16 htf sshd[3154]: Failed password for root from 108.61.157.25 port 24157 ssh2

Apr 4 17:05:18 htf sshd[3154]: Failed password for root from 108.61.157.25 port 24157 ssh2

</code></pre>

h2. Checking the banned IPs by Fail2Ban

The following command is used to get a list of banned IP addresses which were recognized as brute force threats.

<pre><code class="shell">

iptables -L -n

</code></pre>

h2. Check the Fail2Ban Status

Use the following command to check the status of the Fail2Ban jails:

<pre><code class="shell">

fail2ban-client status

</code></pre>

The result should be similar to this:

<pre><code class="shell">

[root@htf ]# fail2ban-client status

Status

|- Number of jail: 1

`- Jail list: sshd

</code></pre>

h2. Unbanning an IP address

In order to remove an IP address from the banned list, parameter IPADDRESS is set to appropriate IP which needs unbanning. The name "sshd" is the name of the jail, in this case the "sshd" jail that we configured above. The following command does the job.

<pre><code class="shell">

fail2ban-client set sshd unbanip IPADDRESS

</code></pre>