Setup fail2ban » Historie » Version 3
Jeremias Keihsler, 21.07.2025 07:51
| 1 | 1 | Jeremias Keihsler | h1. Setup fail2ban |
|---|---|---|---|
| 2 | |||
| 3 | h2. Requirements |
||
| 4 | |||
| 5 | To install fail2ban you will need the following: |
||
| 6 | * a installed and supported operating system (e.g. CentOS 9.x) |
||
| 7 | * root-access |
||
| 8 | * a fast internet connection |
||
| 9 | * [[repo_epel|EPEL]] |
||
| 10 | |||
| 11 | h2. Preliminary Note |
||
| 12 | |||
| 13 | This procedure is based on a documentation taken from: |
||
| 14 | * https://www.howtoforge.com/how-to-install-and-configure-fail2ban-on-fedora-33-centos-8/ |
||
| 15 | * https://www.cyberciti.biz/faq/how-to-protect-ssh-with-fail2ban-on-centos-8/ |
||
| 16 | |||
| 17 | Most Linux servers offer an SSH login via Port 22 for remote administration purposes. This port is a well-known port, therefore, it is often attacked by brute force attacks. Fail2ban is a software that scans log files for brute force login attempts in real-time and bans the attackers with firewalld or iptables. Fail2ban recognizes unwanted access or security breach efforts to the server within the administrator set time frame and blocks the IP addresses which show signs of brute force attacks or dictionary attacks. This program works in the background and continuously scans the log files for unusual login patterns and security breach attempts. |
||
| 18 | |||
| 19 | h2. Install |
||
| 20 | |||
| 21 | <pre><code class="bash"> |
||
| 22 | dnf install fail2ban |
||
| 23 | </code></pre> |
||
| 24 | |||
| 25 | if you are into noise ... |
||
| 26 | <pre><code class="bash"> |
||
| 27 | dnf install whois |
||
| 28 | </code></pre> |
||
| 29 | |||
| 30 | |||
| 31 | h2. Start/Enable Service |
||
| 32 | |||
| 33 | <pre><code class="bash"> |
||
| 34 | systemctl enable fail2ban |
||
| 35 | systemctl start fail2ban |
||
| 36 | </code></pre> |
||
| 37 | |||
| 38 | When you are not running the CentOS Firewall yet, then start it: |
||
| 39 | |||
| 40 | <pre><code class="shell"> |
||
| 41 | systemctl enable firewalld |
||
| 42 | systemctl start firewalld |
||
| 43 | </code></pre> |
||
| 44 | |||
| 45 | h2. config |
||
| 46 | |||
| 47 | 2 | Jeremias Keihsler | The @/etc/fail2ban/jail.local@ file overrides defaults set in @/etc/fail2ban/jail.conf@ file. Therefore, create or edit the jail.local if needed. |
| 48 | 1 | Jeremias Keihsler | |
| 49 | For each jail there may be a local configuration in @/etc/fail2ban/jail.d/@ |
||
| 50 | |||
| 51 | h3. Add a jail file to protect SSH. |
||
| 52 | |||
| 53 | Create a new file with the editor |
||
| 54 | |||
| 55 | <pre><code class="shell"> |
||
| 56 | vim /etc/fail2ban/jail.d/sshd.local |
||
| 57 | </code></pre> |
||
| 58 | |||
| 59 | To the above file, add the following lines of code. |
||
| 60 | |||
| 61 | <pre> |
||
| 62 | [sshd] |
||
| 63 | enabled = true |
||
| 64 | 2 | Jeremias Keihsler | findtime = 7200 |
| 65 | maxretry = 2 |
||
| 66 | bantime = 7d |
||
| 67 | action = firewallcmd-rich-rules |
||
| 68 | sendmail-whois[name=sshd, dest=me@example.com] |
||
| 69 | 1 | Jeremias Keihsler | </pre> |
| 70 | |||
| 71 | Parameter enabled is set to true, in order to provide protection, to deactivate protection, it is set to false. |
||
| 72 | |||
| 73 | The parameter action is used to derive the IP address which needs to be banned using the filter available from /etc/fail2ban/action.d/firewallcmd-rich-rules.conf. |
||
| 74 | |||
| 75 | Port parameter may be changed to a new value such as port=1212, as is the case. When using port 22, there is no need to change this parameter. |
||
| 76 | |||
| 77 | Maxretry is used to set the maximum limit for failed login entries. |
||
| 78 | |||
| 79 | Bantime parameter is used to set the duration of seconds for which a host needs to be banned. |
||
| 80 | |||
| 81 | h3. sendmail-action override to work with postfix-smarthost |
||
| 82 | |||
| 83 | <pre><code class="shell"> |
||
| 84 | cp /etc/fail2ban/action.d/sendmail-common.conf /etc/fail2ban/action.d/sendmail-common.local |
||
| 85 | </code></pre> |
||
| 86 | |||
| 87 | change in section init sender from "fail2ban" to "root" |
||
| 88 | |||
| 89 | <pre><code class="ini"> |
||
| 90 | [Init] |
||
| 91 | sender = root |
||
| 92 | </code></pre> |
||
| 93 | |||
| 94 | h3. error in log like 'exec: ports="1:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule' |
||
| 95 | |||
| 96 | change port-definition from <pre>1:65535</pre> to <pre>1-65535</pre> |
||
| 97 | |||
| 98 | <pre><code class="shell"> |
||
| 99 | cp /etc/fail2ban/action.d/firewallcmd-common.conf /etc/fail2ban/action.d/firewallcmd-common.local |
||
| 100 | vim /etc/fail2ban/action.d/firewallcmd-common.local |
||
| 101 | </code></pre> |
||
| 102 | |||
| 103 | <pre><code class="ini"> |
||
| 104 | [Init] |
||
| 105 | port = 1-65535 |
||
| 106 | </code></pre> |
||
| 107 | |||
| 108 | h2. Status |
||
| 109 | |||
| 110 | <pre><code class="shell"> |
||
| 111 | fail2ban-client status |
||
| 112 | fail2ban-client status <jail> |
||
| 113 | fail2ban-client status sshd |
||
| 114 | </code></pre> |
||
| 115 | |||
| 116 | h2. Checking the banned IPs by Fail2Ban |
||
| 117 | |||
| 118 | <pre><code class="shell"> |
||
| 119 | firewall-cmd --list-all |
||
| 120 | </code></pre> |
||
| 121 | |||
| 122 | h3. Unbanning an IP address |
||
| 123 | |||
| 124 | In order to remove an IP address from the banned list, parameter IPADDRESS is set to appropriate IP which needs unbanning. The name "sshd" is the name of the jail, in this case the "sshd" jail that we configured above. The following command does the job. |
||
| 125 | |||
| 126 | <pre><code class="shell"> |
||
| 127 | fail2ban-client set <jail> unbanip <ip> |
||
| 128 | fail2ban-client set sshd unbanip 123.123.123.123 |
||
| 129 | </code></pre> |