Fail2ban is an application that is used for monitoring system log files for brute force login attempts. It’s an intrusion prevention system that detects unauthorized access attempts and prevents the breach by blacklisting the attackers’ IP address. Fail2ban works quietly in the background scanning for security breach attempts. In this guide, you will learn how to install fail2ban on CentOS 7.
Before getting started, ensure that you have an instance on CentOS 7. You can get started with Cloudcone’s high-performance and managed cloud server at only $ 3.71.
To start off, ensure that your system has
epel repository (Extra Packages For Enterprise Linux) installed. IF not installed, install
epel by running the command below
# yum install epel-release
Next, install fail2ban using the command below
# yum install fail2ban fail2ban-systemd
If SELinux is installed, update the policies using the command below
# yum update -y selinux-policy*
Configuring settings for Fail2ban
With the successful installation of fail2ban, it’s time now to make a few modifications to its configuration file. The default settings are contained in the
fail2ban.conf configuration file. However, we are going to make the modifications in a separate file
fail2ban.conf which will override the fail2ban.conf file. To achieve this, we are going to copy the file and rename it
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Now, using your favorite text editor, open the
fail2ban.local as shown. I’m using vim editor in this example
Here’s a sample section of the configuration file
Let’s take a look at a few parameters
Ignoreip: Selects the list of IP addresses that will not be banned.
Ban: Determines the duration in seconds during which a host is banned after a number of failed attempts.
Findtime: This is the parameter used for checking if a host is banned or not. When a host generates maxretry in its last findtime, it is banned.
Maxretry: This parameter sets the limit for the number of retries by a host. If the limit is exceeded, the host is banned.
Creating a Jail file to monitor SSH logins
Since attackers mostly target SSH port 22 when trying to infiltrate systems, we will add a
ssh.local jail file
Append the following content
[sshd] enabled = true port = ssh #action = firewallcmd-ipset logpath = %(sshd_log)s maxretry = 5 bantime = 86400
enabled is set to
true toprovide protection.
maxtry denotes the maximum number of failed attempts before the IP of the attacker is blocked
bantime is the duration in seconds during which the IP remains blocked
Running fail2ban service
Before running the service , ensure that your furewall is up and running. You can enable and start firewalld using the command
systemctl enable firewalld systemctl start firewalld
Next , execute the following commands to enable and start fail2ban service
systemctl enable fail2ban systemctl start fail2ban
Tracking Failed login attempts
To check failed root login attempts use the command below
cat /var/log/secure | grep 'Failed password'
The output will look something as shown below
To get the list of banned IP addresses run
iptables -L -n
To check the status of jail bans run
And that’s how you install Fail2ban on CentOS 7. Give it a try and let us know how it went.