Fail2ban is an open-source tool which is used to protect your Linux system from Brute Force and DDoS other automated attacks. It blocks the client which are repeatedly fail to authenticate correctly with the services configured for it. Actually, it monitoring the logs of services for malicious activity and identify the automated attacks. This guide explains how to install and configure Fail2ban on CentOS 8.

Installing Fail2ban on CentOS#

By default, standard CentOS repositories includes the Fail2ban package. So it is very straightforward to install Fail2ban package.

Step 1 – Install Fail2ban#

Run the following command as root or user with sudo privileges to install Fail2ban package:

sudo dnf install fail2ban

After the completion of the installation, start and enable the Fail2ban service.

sudo systemctl enable --now fail2ban

Step 2 – Verify Installation#

You can verify the installation by checking the service status:

sudo systemctl status fail2ban

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-09-10 03:11:19 UTC; 27s ago
       Docs: man:fail2ban(1)
...

That’s it. At this point, you have Fail2Ban running on your CentOS server.

Step 3 – Fail2ban Configuration#

By default, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf files are configuration files which comes with Fail2Ban installation. We will not direct edit these files because these can be overwritten once the package is updated.

We will make another copy of jail.conf configuration file with jail.local and then make changes to this .local file. In .local there is only changes which we need to overwrite. Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:

• /etc/fail2ban/jail.conf
• /etc/fail2ban/jail.d/*.conf
• /etc/fail2ban/jail.local
• /etc/fail2ban/jail.d/*.local

Copy the jail.conf and save as a jail.local file:

sudo cp /etc/fail2ban/jail.{conf,local}

To make the configuration changes, open jail.local file using text editor:

sudo nano /etc/fail2ban/jail.local

As you can see the instruction with comment in the configuration file. Below is the configuration file with default settings. Let’s change basic configuration in this file.

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

Whitelist IP Address#

You can add the IP address and IP ranges to the ignoreip directive to allow all time and prevent from ban. Here, you can add your local IP addresses and other system address which you want to whitelist.

You should uncomment the line starting with ignoreip and add your IP addresses separated by space:

ignoreip = 127.0.0.1/8 ::1 222.222.222.222 192.168.55.0/24

Ban Settings#

The values of bantime, findtime, and maxretry options define the ban time and ban conditions.

The bantime is the duration for which the IP is banned. The default value for bantime is 10 minutes and if there is no suffix specified then it will consider seconds. If you would like to change the longer time then just change the value like below:

bantime = 1d

For ban permanently use the negative number.

The findtime the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry), those failures must occur within the findtime duration.

findtime = 10m

Option maxretry is the number of failures, then it will be banned. The default value for the maxretry is 5 and it’s fine for most of users.

maxretry = 5

Conclusion#

In this guide explained how to install and configure Fail2Ban on CentOS 8 system. To learn more about Fail2Ban, visit Fail2ban documentation.

If you have any questions or suggestion, please leave a comment below.