All servers that are exposed to the Internet are at risk of malware attacks. For example, if you have a software connected to a public network, attackers can use brute-force attempts to gain access to the application.
Fail2ban is an open-source tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP for a specific length of time. The default system firewall is used as a ban action. When the ban period expires, the IP address is removed from the ban list.
This article explains how to install and configure Fail2ban on CentOS 8.
Installing Fail2ban on CentOS
The Fail2ban package is included in the default CentOS 8 repositories. To install it, enter the following command as root or user with sudo privileges :
sudo dnf install fail2ban
Once the installation is completed, enable and start the Fail2ban service:
sudo systemctl enable --now fail2ban
To check whether the Fail2ban server is running, type:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-09-10 12:53:45 UTC; 8s ago
...
That’s it. At this point, you have Fail2Ban running on your CentOS server.
Fail2ban Configuration
The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf
and /etc/fail2ban/jail.d/00-firewalld.conf
. These files should not be modified as they may be overwritten when the package is updated.
Fail2ban reads the configuration files in the following order:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local
Each .local
file overrides the settings from the .conf
file.
The easiest way to configure Fail2ban is to copy the jail.conf
to jail.local
and modify the .local
file. More advanced users can build a .local
configuration file from scratch. The .local
file doesn’t have to include all settings from the corresponding .conf
file, only those you want to override.
Create a .local
configuration file from the default jail.conf
file:
sudo cp /etc/fail2ban/jail.{conf,local}
To start configuring the Fail2ban server open, the jail.local
file with your text editor :
sudo nano /etc/fail2ban/jail.local
The file includes comments describing what each configuration option does. In this example, we’ll change the basic settings.
Whitelist IP Addresses
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip
directive. Here you should add your local PC IP address and all other machines that you want to whitelist.
Uncomment the line starting with ignoreip
and add your IP addresses separated by space:
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24
Ban Settings
The values of bantime
, findtime
, and maxretry
options define the ban time and ban conditions.
bantime
is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the bantime
value is set to 10 minutes. Generally, most users will want to set a longer ban time. Change the value to your liking:
bantime = 1d
To permanently ban the IP, use a negative number.
findtime
is the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry
, see below), those failures must occur within the findtime
duration.
findtime = 10m
maxretry
is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.
maxretry = 5
Email Notifications
Fail2ban can send email alerts when an IP has been banned. To receive email messages, you need to have an SMTP installed on your server and change the default action, which only bans the IP to %(action_mw)s
, as shown below:
action = %(action_mw)s
%(action_mw)s
will ban the offending IP and send an email with a whois report. If you want to include the relevant logs in the email set the action to %(action_mwl)s
.
You can also adjust the sending and receiving email addresses:
destemail = admin@linuxize.com
sender = root@linuxize.com
Fail2ban Jails
Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.
By default, on CentOS 8, no jails are enabled. To enable a jail, you need to add enabled = true
after the jail title. The following example shows how to enable the sshd
jail:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
The settings we discussed in the previous section, can be set per jail. Here is an example:
The filters are located in the /etc/fail2ban/filter.d
directory, stored in a file with the same name as the jail. If you have custom setup and experience with regular expressions, you can fine-tune the filters.
Each time the configuration file is modified, the Fail2ban service must be restarted for changes to take effect:
sudo systemctl restart fail2ban
Fail2ban Client
Fail2ban ships with a command-line tool named fail2ban-client
that you can use to interact with the Fail2ban service.
To view all available options of the fail2ban-client
command, invoke the it with the -h
option:
fail2ban-client -h
This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:
-
Check the status of a jail:
sudo fail2ban-client status sshd
-
Unban an IP:
sudo fail2ban-client set sshd unbanip 23.34.45.56
-
Ban an IP:
sudo fail2ban-client set sshd banip 23.34.45.56
Conclusion
We’ve shown you how to install and configure Fail2ban on CentOS 8. For more information about configuring Fail2ban, visit the official documentation .
If you have questions, feel free to leave a comment below.