Projekt

Allgemein

Profil

Setup fail2ban » Historie » Version 8

Jeremias Keihsler, 27.06.2023 20:32

1 1 Jeremias Keihsler
h1. Setup fail2ban
2
3
h2. Requirements
4
5
To install fail2ban you will need the following:
6
* a installed and supported operating system (e.g. CentOS 8.x)
7
* root-access
8
* a fast internet connection
9
* [[repo_epel|EPEL]]
10
11
h2. Preliminary Note
12
13
This procedure is based on a documentation taken from:
14
* https://www.howtoforge.com/how-to-install-and-configure-fail2ban-on-fedora-33-centos-8/
15
* https://www.cyberciti.biz/faq/how-to-protect-ssh-with-fail2ban-on-centos-8/
16
17
Most Linux servers offer an SSH login via Port 22 for remote administration purposes. This port is a well-known port, therefore, it is often attacked by brute force attacks. Fail2ban is a software that scans log files for brute force login attempts in real-time and bans the attackers with firewalld or iptables. Fail2ban recognizes unwanted access or security breach efforts to the server within the administrator set time frame and blocks the IP addresses which show signs of brute force attacks or dictionary attacks. This program works in the background and continuously scans the log files for unusual login patterns and security breach attempts.
18
19
h2. Install 
20
21
<pre><code class="bash">
22
yum install fail2ban
23
</code></pre>
24
25 2 Jeremias Keihsler
if you are into noise ...
26
<pre><code class="bash">
27
yum install whois
28
</code></pre>
29
30
31 1 Jeremias Keihsler
h2. Start/Enable Service
32
33
<pre><code class="bash">
34
systemctl enable fail2ban
35
systemctl start fail2ban
36
</code></pre>
37
38 6 Jeremias Keihsler
When you are not running the CentOS Firewall yet, then start it:
39
40
<pre><code class="shell">
41
systemctl enable firewalld
42
systemctl start firewalld
43
</code></pre>
44
45 1 Jeremias Keihsler
h2. config
46
47
The @/etc/fail2ban/jail.local@ file overrides defaults set in @/etc/fail2ban/jail.conf@ file. Therefore, create or edit the jail.local
48
49
<pre>
50
[DEFAULT]
51
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
52
bantime = 86400
53
 
54
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
55
findtime = 600
56
maxretry = 3
57
 
58
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
59
# will not ban a host which matches an address in this list. Several addresses
60
# can be defined using space (and/or comma) separator. For example, add your 
61
# static IP address that you always use for login such as 103.1.2.3
62
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
63
 
64
# Call iptables to ban IP address
65 5 Jeremias Keihsler
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
66 1 Jeremias Keihsler
 
67
# Enable sshd protection
68
[sshd]
69
enabled = true
70
</pre>
71
72 3 Jeremias Keihsler
For each jail there may be a local configuration in @/etc/fail2ban/jail.d/@
73 6 Jeremias Keihsler
74
h3.  Add a jail file to protect SSH.
75
76
Create a new file with the editor
77
78
<pre><code class="shell">
79
vim /etc/fail2ban/jail.d/sshd.local
80
</code></pre>
81
82
To the above file, add the following lines of code.
83
84 3 Jeremias Keihsler
<pre>
85
[sshd]
86
enabled = true
87
findtime = 3600
88
maxretry = 3
89 5 Jeremias Keihsler
bantime = -1
90 3 Jeremias Keihsler
</pre>
91 1 Jeremias Keihsler
92 6 Jeremias Keihsler
Parameter enabled is set to true, in order to provide protection, to deactivate protection, it is set to false. 
93
94
The parameter action is used to derive the IP address which needs to be banned using the filter available from /etc/fail2ban/action.d/firewallcmd-rich-rules.conf.
95
96
Port parameter may be changed to a new value such as port=1212, as is the case. When using port 22, there is no need to change this parameter.
97
98
Maxretry is used to set the maximum limit for failed login entries.
99
100
Bantime parameter is used to set the duration of seconds for which a host needs to be banned.
101
102 8 Jeremias Keihsler
h3. sendmail-action override to work with postfix-smarthost
103
104
<pre><code class="shell">
105
cp /etc/fail2ban/action.d/sendmail-common.conf /etc/fail2ban/action.d/sendmail-common.local
106
</code></pre>
107
108
change in section init sender from "fail2ban" to "root"
109
110
<pre><code class="ini">
111
[Init]
112
sender = root
113
</code></pre>
114
115
116
117 1 Jeremias Keihsler
h2. Status
118
119
<pre><code class="shell">
120
fail2ban-client status
121
fail2ban-client status <jail>
122
fail2ban-client status sshd
123
</code></pre>
124
125 6 Jeremias Keihsler
h2. Checking the banned IPs by Fail2Ban
126
127
<pre><code class="shell">
128
firewall-cmd --list-all
129
</code></pre>
130
131
h3. Unbanning an IP address
132
133
In order to remove an IP address from the banned list, parameter IPADDRESS is set to appropriate IP which needs unbanning. The name "sshd" is the name of the jail, in this case the "sshd" jail that we configured above. The following command does the job.
134 1 Jeremias Keihsler
135
<pre><code class="shell">
136
fail2ban-client set <jail> unbanip <ip>
137
fail2ban-client set sshd unbanip 123.123.123.123
138
</code></pre>