
How to Install Fail2ban on CentOS 8

What is Fail2ban?

Fail2ban is an open-source security tool that protects your servers against unauthorized access and brute-force attacks.

It is written in Python and works by scanning log files for brute-force login attempts in real time, then blocking the source IP address using the Linux firewall.

Fail2ban is designed to protect various services, including SSH, FTP, OpenVPN, Apache, and phpMyAdmin.

What will we do?

In this tutorial, you will learn how to install and configure fail2ban on a CentOS 8 server. You will learn how to secure the SSH and FTP services with fail2ban and how to set up fail2ban with firewalld.

Prerequisites

For this tutorial, make sure you have a CentOS 8 server with root privileges.

Below is our tutorial on installing a CentOS 8 server.

Install CentOS 8 Server

Before going any further, log in to your CentOS server and run the sudo command below to get root privileges on your system.

sudo su

Step 1 – Install Fail2ban on CentOS 8

First, you will install the fail2ban packages on the CentOS 8 server. Before that, you must add the EPEL repository to your system.

Add the EPEL repository to the CentOS 8 system using the dnf command below.

dnf install epel-release

After that, install fail2ban with the following command.

dnf install fail2ban

Once the installation is complete, start the fail2ban service and enable it at system boot.

systemctl start fail2ban
systemctl enable fail2ban

As a result, you have successfully installed fail2ban on the CentOS 8 system.

Install fail2ban on CentOS 8 Server

Step 2 – Configure Fail2ban

The fail2ban configuration directory is /etc/fail2ban. To configure fail2ban, copy the default configuration jail.conf to jail.local; settings in jail.local override jail.conf, and jail.local is not overwritten by package upgrades.

Copy the default fail2ban configuration jail.conf to jail.local using the cp command below.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit the configuration file jail.local using the vim editor.

vim /etc/fail2ban/jail.local

– Basic Configuration

In the [DEFAULT] section, adjust the following settings as needed.

[DEFAULT]

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 10.5.5.1/24

# "bantime" is the number of seconds that a host is banned.
bantime = 60m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 5m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

Save and close.

Configuration details:

  • ignoreip – IP addresses, CIDR masks, or DNS hosts that fail2ban will never ban (put your own address here so you cannot lock yourself out).
  • bantime – How long a host is banned by fail2ban from accessing the server.
  • findtime – The time window used to count failures. If a host generates ‘maxretry’ failures within the last ‘findtime’, its IP address is banned.
  • maxretry – The maximum number of failures before an IP address gets banned.
  • backend – The backend used to read log files; on CentOS 8, the systemd journal is used.
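As an added example that is not part of the original tutorial, the following Python script replays constructed sshd "Failed password" lines through the same ignoreip, findtime, maxretry and bantime rules as the jail.local above, so you can see exactly which hosts would be banned and until when. The regex, the sample hosts and the assumed year 2020 are mine, not fail2ban's own code.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed defaults mirror the jail.local values in the tutorial above.
IGNOREIP = ("127.0.0.1/8", "10.5.5.1/24")
FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def parse_duration(value):
    """Accept fail2ban-style durations: plain seconds or a number with an s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = str(value).strip()
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip is inside any ignoreip entry (10.5.5.1/24 is read as 10.5.5.0/24)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def find_bans(log_text, findtime="5m", maxretry=5, bantime="60m", ignoreip=IGNOREIP, year=2020):
    """Replay sshd log lines; return {ip: ban_expiry} using a sliding findtime window."""
    window = timedelta(seconds=parse_duration(findtime))
    ban_len = timedelta(seconds=parse_duration(bantime))
    recent, banned = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed-login line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if is_ignored(ip, ignoreip) or ip in banned:
            continue  # whitelisted, or already banned (the firewall drops further attempts)
        # Keep only failures inside the last findtime, then count this one.
        hits = [t for t in recent.get(ip, []) if when - t <= window] + [when]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = when + ban_len
    return banned

def fail_line(ts, ip):
    """Build a constructed sshd 'Failed password' line in syslog format (sample data only)."""
    return f"Apr 21 {ts} centos8 sshd[1201]: Failed password for root from {ip} port 51234 ssh2"

# Constructed sample log, grouped per host; each host's window is independent of the others.
SAMPLE_LOG = "\n".join(fail_line(ts, ip) for ip, times in [
    ("198.51.100.7", ["10:00:01", "10:00:31", "10:01:02", "10:01:40", "10:02:15"]),  # burst: banned
    ("10.5.5.20", ["10:03:00", "10:03:10", "10:03:20", "10:03:30", "10:03:40"]),  # in ignoreip: never banned
    ("203.0.113.9", ["10:10:00", "10:13:00", "10:16:00", "10:19:00", "10:22:00"]),  # 3 min apart: never 5 in 5m
] for ts in times)
```

Calling find_bans(SAMPLE_LOG) returns only 198.51.100.7, banned until 11:02:15; raising findtime to 15m also catches the slow host 203.0.113.9, which is the trade-off findtime controls.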

– Create Jail for Securing SSH Service

After setting up the default global configuration, we will create a new jail to secure the SSH service.

Go to the /etc/fail2ban/jail.d directory and create a new jail configuration file sshd.conf.

cd /etc/fail2ban/jail.d/
vim sshd.conf

Paste the following configuration into it.

[sshd]
enabled = true
port = ssh
action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Save and close.

As a result, you have created a new fail2ban jail that protects the SSH service from brute-force attacks.

– Create Jail for Securing FTP Service

Now create a new jail to secure the vsftpd service.

In the /etc/fail2ban/jail.d directory, create a new configuration file vsftpd.conf.

vim vsftpd.conf

Paste the following configuration into it.

[vsftpd]
enabled = true
action = firewallcmd-ipset
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 86400

Save and close.

As a result, you have created a new fail2ban jail that protects the vsftpd service.

– Restart Fail2ban

Now restart the fail2ban service using the command below.

systemctl restart fail2ban

Configure fail2ban

As a result, the jails for the SSH and FTP services have been applied to fail2ban. Any host that reaches ‘maxretry’ failed logins within ‘findtime’ will be banned by fail2ban.

Step 3 – Fail2Ban-client Command

In this step, you will learn how to check the fail2ban status using the fail2ban-client command-line tool.

With the fail2ban-client command, you can activate jails, check banned IP addresses, unban an IP address, and more.

– Check Activated Jails

To list the jails activated in fail2ban, run the command below.

fail2ban-client status

As a result, you should see the sshd and vsftpd jails active on your installation.

Fail2ban check enabled jails

– Check Banned IP on Specific Jail

To check the banned IP addresses in a specific jail, use the command below.

fail2ban-client status [JAIL-NAME]

For example, to check the list of banned IP addresses in the sshd jail:

fail2ban-client status sshd

As a result, you will get the list of IP addresses that have been banned by fail2ban in the sshd jail.

Check fail2ban jail status and banned IP addresses

– Unban IP Fail2Ban

To unban an IP address, use the following command.

fail2ban-client set [JAIL-NAME] unbanip [IP-ADDRESS]

For example, to unban an IP address from the sshd jail:

fail2ban-client set sshd unbanip 192.168.1.x

Remove banned IP addresses from fail2ban

As a result, you have successfully unbanned the IP address from the sshd jail.

Step 4 – Other Useful Commands for Checking Fail2Ban

Below are some other useful commands for checking fail2ban on the CentOS server.

– Checking Firewalld Rules

Check the firewall rules generated by fail2ban using the following command.

firewall-cmd --direct --get-all-rules

Below is the result after creating two jails for SSH and vsftpd services.

Firewalld check fail2ban generated rules

As a result, you get two firewall rules generated by fail2ban.

– Checking Fail2ban Log

By default, the fail2ban service logs information about its activity to /var/log/fail2ban.log.

Check the fail2ban log using the tail command below.

tail -f /var/log/fail2ban.log

As a result, you will see information about fail2ban's activity.

check log fail2ban
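As an added example that is not part of the original tutorial, this Python script replays constructed lines in the format fail2ban writes to /var/log/fail2ban.log (one NOTICE line per Ban or Unban event) and reports, per jail, which hosts are currently banned and which have been banned repeatedly, a hint that a longer bantime may be warranted. The sample lines and IP addresses are constructed, and the log-line regex is my reading of the format, not fail2ban's own code.

```python
import re
from collections import defaultdict

# Shape of a /var/log/fail2ban.log line: timestamp, logger, [pid]: LEVEL [jail] message.
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (?P<logger>\S+)\s+\[\d+\]: "
                    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$")
ACTION_RE = re.compile(r"^(?P<action>Ban|Unban) (?P<ip>\S+)$")  # the two messages that change ban state

def summarize(log_text):
    """Replay Ban/Unban events per jail; return current bans, totals and repeat offenders."""
    state = defaultdict(lambda: {"active": set(), "bans": 0, "unbans": 0, "history": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        a = ACTION_RE.match(m["msg"]) if m else None
        if not a:
            continue  # blank lines, "Found ..." filter hits and other chatter do not change ban state
        jail = state[m["jail"]]
        if a["action"] == "Ban":
            jail["active"].add(a["ip"])
            jail["bans"] += 1
            jail["history"][a["ip"]] += 1
        else:
            jail["active"].discard(a["ip"])
            jail["unbans"] += 1
    return {name: {"active": sorted(j["active"]), "bans": j["bans"], "unbans": j["unbans"],
                   # hosts banned more than once are candidates for a longer bantime
                   "repeat_offenders": sorted(ip for ip, n in j["history"].items() if n > 1)}
            for name, j in state.items()}

# Constructed sample lines in fail2ban.log format (IPs are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2020-04-21 10:02:15,417 fail2ban.filter         [1310]: INFO    [sshd] Found 198.51.100.7 - 2020-04-21 10:02:15
2020-04-21 10:02:15,912 fail2ban.actions        [1310]: NOTICE  [sshd] Ban 198.51.100.7
2020-04-21 10:30:00,101 fail2ban.actions        [1310]: NOTICE  [vsftpd] Ban 203.0.113.9
2020-04-21 11:02:16,003 fail2ban.actions        [1310]: NOTICE  [sshd] Unban 198.51.100.7
2020-04-21 11:05:00,000 fail2ban.actions        [1310]: NOTICE  [sshd] Ban 192.0.2.77
2020-04-21 11:20:42,555 fail2ban.actions        [1310]: NOTICE  [sshd] Ban 198.51.100.7
"""

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(f"[{name}] active={info['active']} bans={info['bans']} repeat={info['repeat_offenders']}")
```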

Finally, you have successfully installed fail2ban on the CentOS 8 system.

You have created two jails to secure the SSH and vsftpd services, and you have learned the basic fail2ban-client commands.

You have also learned other commands for checking the firewall rules generated by fail2ban and for checking the fail2ban log.

2 Comments

  1. Thanks, man, finally a tutorial crafted (and obviously tested) for CentOS 8 and not copied/pasted from older versions. Works like a charm. Looking forward to reading more high-quality tutorials. Newsletter subscribed, that was a no-brainer. Keep up the good work!

  2. Just an FYI, but I migrated the fail2ban package to firewalld rich rules instead of ipset as CentOS 8 uses nftables by default instead of iptables/ipset.

    # cat /etc/fail2ban/jail.d/00-firewalld.conf
    # This file is part of the fail2ban-firewalld package to configure the use of
    # the firewalld actions as the default actions. You can remove this package
    # (along with the empty fail2ban meta-package) if you do not use firewalld
    [DEFAULT]
    port = 0-65535
    banaction = firewallcmd-rich-rules[actiontype=]
    banaction_allports = firewallcmd-rich-rules[actiontype=]

    Unless you need to override the default banaction, it’s not necessary to set it within every jail.
