All servers that are exposed to the web are at risk of attack. For instance, if you have software listening on a public network, attackers can use brute-force attempts to gain access to the application.
Fail2ban is an open-source tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan the log files. All entries matching the patterns are counted, and when their number reaches a predefined threshold, Fail2ban bans the offending IP for a configured length of time. The system firewall is used as the ban action. When the ban expires, the IP address is removed from the ban list.
Fail2ban helps you by creating rules that, after a predetermined number of failed login attempts, block the offending IP address by modifying the iptables firewall configuration.
In this guide, you will learn how to install the Fail2ban software and automate this process to block brute-force attacks through iptables, preventing unauthorized intrusion attempts against your CentOS 8 server.
How to install Fail2Ban on CentOS 8
The procedure to set up and configure Fail2ban to secure your server is as follows:
● Log in to your CentOS 8 server using ssh
● Enable and install the EPEL repository on CentOS 8, run: sudo yum install epel-release
● Install Fail2Ban, run: sudo yum install fail2ban
● Configure Fail2ban
● Enable and start the Fail2ban service: sudo systemctl enable fail2ban && sudo systemctl start fail2ban
Or
Installing Fail2ban on CentOS/RHEL 8
The fail2ban package is not in the official repositories, but it is available in the EPEL repository.
After logging into your system, open a command-line interface, then enable the EPEL repository on your system as shown.
# dnf install epel-release
OR
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Afterward, install the Fail2ban package by running the following command.
# dnf install fail2ban
The fail2ban configuration files are located in the /etc/fail2ban/ directory, and filters are stored in the /etc/fail2ban/filter.d/ directory (the filter file for sshd is /etc/fail2ban/filter.d/sshd.conf).
The global configuration file for the fail2ban server is /etc/fail2ban/jail.conf; however, it is not recommended to modify this file directly because it may be overwritten or replaced by a future package upgrade.
Instead, it is recommended to create and add your configuration in a jail.local file or in separate .conf files under the /etc/fail2ban/jail.d/ directory. Note that configuration parameters set in jail.local override whatever is defined in jail.conf.
For this article, we will create a separate file called jail.local in the /etc/fail2ban/ directory as shown.
# vi /etc/fail2ban/jail.local
Once the file is open, copy and paste the following configuration into it. The [DEFAULT] section contains global options, and [sshd] contains parameters for the sshd jail.
[DEFAULT]
ignoreip = 192.168.56.2/24
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
[sshd]
enabled = true
Let's briefly explain the options in the above configuration:
● ignoreip: specifies the list of IP addresses, CIDR ranges or hostnames not to ban.
● bantime: specifies the number of seconds a host is banned for (i.e., the effective ban duration).
● maxretry: specifies the number of failures before a host gets banned.
● findtime: fail2ban will ban a host if it has generated "maxretry" failures during the last "findtime" seconds.
● banaction: the banning action (here, iptables-multiport).
● backend: specifies the backend used to detect log file modifications (here, systemd, which reads the journal instead of a log file).
Therefore, the above configuration means: if an IP has failed three times within the last 5 minutes, ban it for six hours, and never ban the IP address 192.168.56.2 (note that, written with /24, the ignoreip value covers its whole subnet).
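To make the interaction of findtime, maxretry and ignoreip concrete, here is an added example (written for this article, not part of fail2ban or the original post) that replays constructed sshd journal lines through a simplified failure pattern and applies the same sliding-window rule the jail above uses. The regular expression is a stand-in for the real /etc/fail2ban/filter.d/sshd.conf, the log lines, host name and year 2024 are constructed, and the function names (parse_failures, is_ignored, simulate_jail) are this example's own.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Values copied from the jail.local shown in the article.
BANTIME = 21600      # seconds a host stays banned (6 hours)
FINDTIME = 300       # window in which failures are counted (5 minutes)
MAXRETRY = 3         # failures inside the window that trigger a ban
IGNOREIP = ["192.168.56.2/24"]

# Simplified stand-in for the sshd filter: matches "Failed password" journal
# lines in syslog layout. The real filter.d/sshd.conf matches many more forms.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample journal lines (not real log data):
#  - 203.0.113.10 fails three times inside 5 minutes      -> banned
#  - 198.51.100.7 fails three times, but 7 minutes apart   -> never reaches maxretry
#  - 192.168.56.77 fails three times but is inside ignoreip -> never banned
SAMPLE_LOG = """\
Mar 10 12:00:01 centos8 sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar 10 12:01:15 centos8 sshd[1207]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Mar 10 12:02:30 centos8 sshd[1213]: Failed password for root from 203.0.113.10 port 51251 ssh2
Mar 10 12:03:00 centos8 sshd[1220]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 12:10:00 centos8 sshd[1230]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 12:17:00 centos8 sshd[1240]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 12:20:00 centos8 sshd[1250]: Accepted publickey for deploy from 198.51.100.7 port 40004 ssh2
Mar 10 12:21:00 centos8 sshd[1260]: Failed password for root from 192.168.56.77 port 33001 ssh2
Mar 10 12:21:10 centos8 sshd[1261]: Failed password for root from 192.168.56.77 port 33002 ssh2
Mar 10 12:21:20 centos8 sshd[1262]: Failed password for root from 192.168.56.77 port 33003 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every line the failure pattern matches.

    Syslog timestamps carry no year, so one is assumed (constructed value).
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip")


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry.

    strict=False mirrors fail2ban: 192.168.56.2/24 has host bits set and is
    treated as the whole 192.168.56.0/24 network, not a single address.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def simulate_jail(log_text):
    """Return {ip: (ban_start, ban_end)} for each host the jail would ban."""
    recent = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if is_ignored(ip):
            continue
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned; the firewall would drop its packets
        # Keep only failures within the last FINDTIME seconds, then add this one.
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= FINDTIME]
        window.append(ts)
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            recent[ip] = []
        else:
            recent[ip] = window
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {ip} from {start} until {end}")
```

Running the block reports a single ban for 203.0.113.10 starting at 12:02:30; the slow attacker at 198.51.100.7 is never banned because no three failures fall inside one 300-second window, which is why findtime and maxretry should be tuned together, and the host in the ignoreip subnet is skipped entirely.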
Next, start and enable the fail2ban service, and check that it is up and running using the following systemctl commands.
# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl status fail2ban
(Screenshot: Start Fail2ban Service)
Monitoring Failed and Banned IP Address Using fail2ban-client
After configuring fail2ban to secure sshd, you can monitor failed and banned IP addresses using fail2ban-client. To view the current status of the fail2ban server, run the following command.
# fail2ban-client status
(Screenshot: Check Fail2ban Jail Status)
To monitor the sshd jail, run:
# fail2ban-client status sshd
(Screenshot: Monitor SSH Failed Logins with Fail2ban)
Run the following command to unban an IP address in fail2ban (in all jails and databases).
# fail2ban-client unban 192.168.56.1
For more information on fail2ban, read the following man pages.
# man jail.conf
# man fail2ban-client
In this article, you have learned how to install and configure Fail2ban on CentOS 8 to stop unauthorized intrusion attempts against your server, taking advantage of how simple the tool is to configure.