Projekt

Allgemein

Profil

Setup fail2ban » Historie » Version 2

Jeremias Keihsler, 22.10.2021 12:22

1 1 Jeremias Keihsler
h1. Setup fail2ban
2
3
h2. Requirements
4
5
To install fail2ban you will need the following:
6
* a installed and supported operating system (e.g. CentOS 8.x)
7
* root-access
8
* a fast internet connection
9
* [[repo_epel|EPEL]]
10
11
h2. Preliminary Note
12
13
This procedure is based on a documentation taken from:
14
* https://www.howtoforge.com/how-to-install-and-configure-fail2ban-on-fedora-33-centos-8/
15
* https://www.cyberciti.biz/faq/how-to-protect-ssh-with-fail2ban-on-centos-8/
16
17
Most Linux servers offer an SSH login via Port 22 for remote administration purposes. This port is a well-known port, therefore, it is often attacked by brute force attacks. Fail2ban is a software that scans log files for brute force login attempts in real-time and bans the attackers with firewalld or iptables. Fail2ban recognizes unwanted access or security breach efforts to the server within the administrator set time frame and blocks the IP addresses which show signs of brute force attacks or dictionary attacks. This program works in the background and continuously scans the log files for unusual login patterns and security breach attempts.
18
19
h2. Install 
20
21
<pre><code class="bash">
22
yum install fail2ban
23
</code></pre>
24
25 2 Jeremias Keihsler
if you are into noise ...
26
<pre><code class="bash">
27
yum install whois
28
</code></pre>
29
30
31 1 Jeremias Keihsler
h2. Start/Enable Service
32
33
<pre><code class="bash">
34
systemctl enable fail2ban
35
systemctl start fail2ban
36
</code></pre>
37
38
h2. config
39
40
The @/etc/fail2ban/jail.local@ file overrides defaults set in @/etc/fail2ban/jail.conf@ file. Therefore, create or edit the jail.local
41
42
<pre>
43
[DEFAULT]
44
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
45
bantime = 86400
46
 
47
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
48
findtime = 600
49
maxretry = 3
50
 
51
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
52
# will not ban a host which matches an address in this list. Several addresses
53
# can be defined using space (and/or comma) separator. For example, add your 
54
# static IP address that you always use for login such as 103.1.2.3
55
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
56
 
57
# Call iptables to ban IP address
58
banaction = iptables-multiport
59
 
60
# Enable sshd protection
61
[sshd]
62
enabled = true
63
</pre>
64
65
h2. Status
66
67
<pre><code class="shell">
68
fail2ban-client status
69
fail2ban-client status <jail>
70
fail2ban-client status sshd
71
</code></pre>
72
73
h3. unban IP
74
75
<pre><code class="shell">
76
fail2ban-client set <jail> unbanip <ip>
77
fail2ban-client set sshd unbanip 123.123.123.123
78
</code></pre>