Fail2Ban is a log-parsing utility that scans the log files of various services and bans IP addresses that produce too many authentication failures. When it detects repeated failed login attempts from an address, Fail2Ban adds a firewall rule to block that address, either temporarily or permanently. By default this is an iptables rule; when the fail2ban-firewalld subpackage is installed, which the Fedora and EPEL fail2ban package normally pulls in, bans are applied as firewalld rich rules instead. It can also alert you by email.
It is primarily focused on detecting intrusions via SSH, but it can be configured to work with any service that writes log files or, with the systemd backend, logs to the journal.
Prerequisites
- A Fedora 33 or a CentOS 8 based server with a non-root user with sudo privileges.
- Install the Nano editor, as that is what we will use.
$ sudo dnf install nano -y
Install Fail2Ban
To install Fail2Ban on CentOS 8, you first need to enable the EPEL repository.
$ sudo dnf install epel-release
Fedora 33 ships Fail2Ban in its standard repositories, so this step is not needed there.
Run the following command to install Fail2Ban on both Fedora 33 and CentOS 8.
$ sudo dnf install fail2ban
Once installed, we need to enable the service.
$ sudo systemctl enable fail2ban
Next, start the fail2ban service.
$ sudo systemctl start fail2ban
You can now check the status of the service to see if it is working correctly.
$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-11-02 21:15:59 UTC; 5s ago
Docs: man:fail2ban(1)
Process: 19031 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 19032 (f2b/server)
Tasks: 3 (limit: 1125)
Memory: 11.0M
CPU: 96ms
CGroup: /system.slice/fail2ban.service
└─19032 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Starting Fail2Ban Service...
Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Started Fail2Ban Service.
Nov 02 21:15:59 howtoforge-tutorial fail2ban-server[19032]: Server ready
Configure Fail2Ban
Fail2Ban keeps its configuration files in the /etc/fail2ban directory. You will find a file called jail.conf in it. This file is overwritten during package upgrades, so it should not be edited. Instead, all customisation should go in a new file, jail.local. Settings in these two files can be further overridden by files in the /etc/fail2ban/jail.d/ directory.
Configurations are applied in the following order, with later files overriding earlier ones:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf, alphabetically
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local, alphabetically
jail.conf contains a [DEFAULT] section followed by a section for each service (jail). Any of these sections can be overridden by redefining them, or only the settings you want to change, in the .local files.
Configure jail.local
We will create a fresh jail.local file.
$ sudo nano /etc/fail2ban/jail.local
Paste the following code in it.
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd
[sshd]
enabled = true
Press Ctrl + X to close the editor and Y when prompted to save the file. This sets a new default bantime for all jails, changes the backend to systemd so that Fail2Ban reads the journal instead of log files, and enables the sshd jail. Jails are disabled by default; enabled = true is what actually turns one on.
Restart Fail2Ban to apply the changes (alternatively, sudo fail2ban-client reload re-reads the configuration without restarting the service).
$ sudo systemctl restart fail2ban
We can confirm the newly applied settings using the fail2ban-client utility.
$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
We can also get the detailed status of each jail specifically in the following way.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
More Settings
jail.conf provides many more settings that can be customised in the jail.local file. We will go over some of them next.
Whitelisting IP
You can whitelist IPs so that Fail2Ban never bans them with the ignoreip setting. It takes a space-separated list of addresses, CIDR ranges and host names; the loopback range should always be included.
[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89
Put the same setting under a jail's own section (for example [sshd]) to whitelist an address for that jail only. You can also add an address at runtime with fail2ban-client.
$ sudo fail2ban-client set JAIL addignoreip 123.45.67.89
Replace JAIL in the above command with the name of the jail you want to change. Note that this runtime change is not persisted and is lost when Fail2Ban restarts, so record it in jail.local as well. Add the address you administer the server from before you start testing, or you can lock yourself out.
Ban Time and Retry amount
There are 3 settings that control when an address is banned and for how long.
bantime – the length of time for which an IP is banned. A plain number is seconds; Fail2Ban 0.10 and later (the versions shipped by Fedora 33 and EPEL 8) also accept suffixes such as 10m or 1h. To set a permanent ban, set this value to a negative number, for example -1. The default is 10 minutes (600 seconds).
findtime – the window within which failures are counted. An address is banned once it accumulates maxretry failures within the last findtime; older failures no longer count. For example, with maxretry = 5 and findtime = 10m, the 5 failed attempts must occur within 10 minutes to trigger a ban, and a slow attack that stays below that rate is not caught. The default is 10 minutes.
maxretry – the number of failures from a single IP address within findtime before a ban is imposed. The default is 5 in current versions of jail.conf (older 0.8 releases used 3).
To customise these settings, add the following lines to the /etc/fail2ban/jail.local file under the [DEFAULT] section. Any of them can also be set in an individual jail's section to override the default for that jail only.
bantime = 3600
findtime = 300
maxretry = 4
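To make the interaction between these three settings concrete, here is a small Python model of the counting that Fail2Ban performs, added for this tutorial and not taken from Fail2Ban's source. It runs three constructed scenarios: a burst of four failures that trips the ban configured above, the same number of failures spread out so that they never fall inside one findtime window, and a permanent ban with bantime = -1. Timestamps are plain seconds and the addresses are documentation ranges; the real daemon adds the firewall rule through its action, which this model leaves out.

```python
"""Model of Fail2Ban's findtime / maxretry / bantime bookkeeping.

Added example, not Fail2Ban's own code. Fail2Ban keeps per-IP failure
tickets and hands bans to an action (iptables, firewalld); this strips
that down to the counting rules so the effect of each setting can be
seen on constructed input. Timestamps are plain seconds.
"""
from collections import defaultdict, deque

PERMANENT = None  # stored as the unban time when bantime < 0


class BanSimulator:
    def __init__(self, findtime, maxretry, bantime):
        self.findtime = findtime    # seconds within which failures are counted
        self.maxretry = maxretry    # failures inside findtime that trigger a ban
        self.bantime = bantime      # ban length in seconds; negative = permanent
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> unban time, or PERMANENT

    def is_banned(self, ip, now):
        if ip not in self.bans:
            return False
        until = self.bans[ip]
        if until is PERMANENT or now < until:
            return True
        del self.bans[ip]          # bantime elapsed: the address is unbanned
        return False

    def failure(self, ip, now):
        """Record one failed attempt at time `now`; return True if it triggers a ban."""
        if self.is_banned(ip, now):
            return False           # a banned address cannot reach the service at all
        window = self.failures[ip]
        window.append(now)
        # Only failures inside the last findtime seconds count towards maxretry.
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = PERMANENT if self.bantime < 0 else now + self.bantime
            window.clear()
            return True
        return False


def demo():
    """Run three constructed scenarios and return what happened in each."""
    results = {}

    # 1. Four failures inside five minutes with findtime=300, maxretry=4: banned for an hour.
    sim = BanSimulator(findtime=300, maxretry=4, bantime=3600)
    burst = [(t, "203.0.113.7") for t in (0, 60, 120, 180)]
    results["burst_banned_at"] = [t for t, ip in burst if sim.failure(ip, t)]
    results["burst_still_banned_after_30min"] = sim.is_banned("203.0.113.7", 180 + 1800)
    results["burst_banned_after_bantime"] = sim.is_banned("203.0.113.7", 180 + 3600)

    # 2. Four failures 200 s apart: never four inside one findtime window, so no ban.
    slow = [(t, "198.51.100.9") for t in (0, 200, 400, 600)]
    results["slow_banned_at"] = [t for t, ip in slow if sim.failure(ip, t)]

    # 3. bantime = -1 makes the ban permanent.
    perm = BanSimulator(findtime=300, maxretry=2, bantime=-1)
    perm.failure("192.0.2.5", 0)
    perm.failure("192.0.2.5", 1)
    results["permanent_still_banned_after_a_year"] = perm.is_banned("192.0.2.5", 365 * 86400)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second scenario is the one to keep in mind when tuning: an attacker who spaces attempts more than findtime / maxretry apart is never banned, so lowering maxretry or raising findtime trades false positives for coverage of slow brute force.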
Email Alerts
To send email alerts, you will need to install a Mail Transfer Agent (MTA) first. For our purpose, we will install sendmail.
$ sudo dnf install sendmail
To receive the emails, add the following code to the /etc/fail2ban/jail.local file under the [DEFAULT] section.
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
action = %(action_mw)s
destemail is the address the alerts are sent to. sendername is the display name of the sender, so we use Fail2Ban for it (the sender address itself is set with sender, which defaults to root@<fq-hostname>). mta is the Mail Transfer Agent used, sendmail here; the value mail instead sends through the mail(1) command from a mailx package. Postfix ships a sendmail-compatible /usr/sbin/sendmail, so the sendmail value works with Postfix too.
action is the default action taken once an intrusion is detected. The default value is %(action_)s, which only bans the address. %(action_mw)s bans and sends an email with a whois report, and %(action_mwl)s bans and sends an email with the whois report along with the relevant log lines. The whois actions run the whois command, so install the whois package for them to work. The action can also be overridden on a jail-specific basis. A mail for every ban is noisy on an internet-facing SSH server, so consider using the mail actions only for jails that rarely fire.
Settings for Individual Jails
As we already know, the [DEFAULT] section applies to all jails. It is time to look at some specific jails and their settings.
SSHD Jail
We have already defined [sshd] earlier in our jail.local file. We can customise it a little more with the following code.
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
Here port = ssh is the service name from /etc/services, which resolves to port 22. If your SSH daemon listens on a different port, put that port number here; the ban rule only covers the listed ports, so a ban on port 22 does not block an attacker hitting port 2222. logpath is the location of the log file to monitor. %(sshd_log)s is a variable defined in Fail2Ban's standard path configuration (/etc/fail2ban/paths-common.conf), which resolves to the authpriv syslog file, /var/log/secure on Fedora and CentOS. Note that with backend = systemd, as set in [DEFAULT] above, logpath is ignored and the jail reads matching entries from the journal instead; that is what the Journal matches line in the fail2ban-client status sshd output shows.
Nginx Jail
Nginx has several jails that can be used in Fail2Ban. For example, if a password-protected part of your site is attacked repeatedly, you can enable the [nginx-http-auth] jail in the jail.local file. It watches the Nginx error log (%(nginx_error_log)s, /var/log/nginx/error.log by default) for failed HTTP basic authentication. Because we set backend = systemd in [DEFAULT], and Nginx writes to files rather than to the journal, the backend must be switched back to auto for these jails, otherwise Fail2Ban never sees the entries.
[nginx-http-auth]
enabled = true
backend = auto
We can also enable the [nginx-botsearch] jail to ban clients that repeatedly request folders or files that don't exist, which is what scanners probing for admin panels and backups do.
[nginx-botsearch]
enabled = true
backend = auto
There are other Nginx jails too, but they don't come pre-configured with Fail2Ban. They need to be created manually, and most of them can be based on the Apache ones that Fail2Ban ships with.
Fail2Ban Filters and Failregexs
There is another part of the Fail2Ban configuration called filters. A filter decides whether a line in the log indicates a failed authentication (or other abuse).
The filter value in a jail is a reference to a file in the /etc/fail2ban/filter.d directory with its .conf extension removed; if a jail doesn't set one, the filter with the same name as the jail is used.
You can see what filters are available by listing the directory.
$ ls /etc/fail2ban/filter.d
Among them you will find the Nginx filters used above, nginx-http-auth.conf and nginx-botsearch.conf.
These files use regular expressions to parse log lines. The patterns that identify a failure are called failregexes, and optional ignoreregexes discard matches that are known to be harmless. In a failregex, the placeholder <HOST> stands for the attacker's address and is what Fail2Ban bans. You can customise or create new filters by writing your own regular expressions and check them against a real log file with the fail2ban-regex tool, for example fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf. We won't cover these regular expressions in depth because they are out of the scope of this tutorial.
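The following Python example, added here and not Fail2Ban's own code, shows what a filter does: it expands the <HOST> placeholder in a failregex into a capturing group, runs each pattern over a set of constructed /var/log/secure style lines, and reports the lines that matched and the address each attributes the failure to, much as fail2ban-regex does. The failregex patterns are simplified versions of those in the shipped sshd filter, and the <HOST> expansion follows the simple form used by older Fail2Ban releases; both are assumptions of this example, not the project's definitions.

```python
"""Apply Fail2Ban-style failregex patterns to sample log lines.

Added example, not Fail2Ban's own filter code. It mimics what
fail2ban-regex does: expand <HOST> into a capturing group, run each
failregex over every line, drop lines hit by an ignoreregex, and report
the address each matching line attributes the failure to. The <HOST>
expansion is the simple form from older Fail2Ban releases; current
versions use a richer pattern that also handles <ADDR>, <CIDR> and <DNS>.
"""
import re

# Optional IPv4-mapped IPv6 prefix (::ffff:), then the address or host name.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Expand <HOST> and compile, as Fail2Ban does for each failregex line."""
    return re.compile(pattern.replace("<HOST>", HOST))


# Constructed lines in the syslog layout of /var/log/secure on Fedora/CentOS.
SAMPLE_LOG = """\
Nov  2 21:20:01 srv sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Nov  2 21:20:05 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Nov  2 21:20:09 srv sshd[1240]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Nov  2 21:20:12 srv sshd[1241]: Invalid user test from 192.0.2.77 port 33333
Nov  2 21:20:15 srv sshd[1242]: Failed password for backup from ::ffff:203.0.113.46 port 2222 ssh2
"""

# Constructed failregex lines, simplified from filter.d/sshd.conf.
FAILREGEX = [
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from <HOST> port \d+",
    r"sshd\[\d+\]: Invalid user \S+ from <HOST> port \d+",
]

# ignoreregex lines remove matches that are known to be harmless (none by default).
IGNOREREGEX = []


def run_filter(log_text, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return (hosts, matched_lines, missed_lines), like a fail2ban-regex report."""
    fail_rx = [compile_failregex(p) for p in failregex]
    ignore_rx = [re.compile(p) for p in ignoreregex]
    hosts, matched, missed = [], [], []
    for line in log_text.splitlines():
        if any(rx.search(line) for rx in ignore_rx):
            missed.append(line)
            continue
        for rx in fail_rx:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                matched.append(line)
                break
        else:
            missed.append(line)
    return hosts, matched, missed


if __name__ == "__main__":
    hosts, matched, missed = run_filter(SAMPLE_LOG)
    print(f"{len(matched)} lines matched, {len(missed)} lines missed")
    for h in hosts:
        print("failure attributed to", h)
```

The Accepted publickey line is the one that must not match: a filter that bans on successful logins is worse than no filter. The IPv4-mapped line shows why the prefix in the <HOST> expansion matters; without it the ban would be issued for the literal string ::ffff:203.0.113.46 and the firewall action would reject it.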
Monitor Fail2Ban Logs and Firewall
You can check the status of Fail2Ban by using systemctl
as stated earlier.
$ sudo systemctl status fail2ban
To get a little more detail, you can use the journalctl
command.
$ sudo journalctl -b -u fail2ban
You can also use fail2ban-client to query the status of fail2ban-server or an individual jail.
$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name
You can also query the Fail2ban’s log file.
$ sudo tail -F /var/log/fail2ban.log
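fail2ban.log is also the place to look when you want to know who keeps coming back. The following Python script, added for this tutorial and not part of Fail2Ban, parses the Found, Ban and Unban lines that the daemon writes, lists the addresses currently banned per jail, and picks out addresses that have been banned more than once. The log lines are constructed in the format the daemon uses.

```python
"""Summarise ban activity from fail2ban.log.

Added example, not part of Fail2Ban. It parses the Found / Ban / Unban
lines Fail2Ban writes to /var/log/fail2ban.log and answers the questions
an operator usually has: which addresses are banned right now, and which
come back after their ban expires. The sample lines are constructed.
"""
import re
from collections import Counter

SAMPLE_FAIL2BAN_LOG = """\
2020-11-02 21:16:10,412 fail2ban.filter         [19032]: INFO    [sshd] Found 203.0.113.45 - 2020-11-02 21:16:10
2020-11-02 21:16:15,001 fail2ban.filter         [19032]: INFO    [sshd] Found 203.0.113.45 - 2020-11-02 21:16:14
2020-11-02 21:16:20,107 fail2ban.actions        [19032]: NOTICE  [sshd] Ban 203.0.113.45
2020-11-02 21:30:02,500 fail2ban.actions        [19032]: NOTICE  [nginx-http-auth] Ban 198.51.100.9
2020-11-02 22:16:20,300 fail2ban.actions        [19032]: NOTICE  [sshd] Unban 203.0.113.45
2020-11-02 22:17:00,000 fail2ban.actions        [19032]: NOTICE  [sshd] Ban 203.0.113.45
2020-11-02 22:30:02,900 fail2ban.actions        [19032]: NOTICE  [nginx-http-auth] Unban 198.51.100.9
"""

# One fail2ban.log line: timestamp, logger name, pid, level, [jail], event, address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ "
    r"fail2ban\.(?P<module>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[\w-]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)


def parse(log_text):
    """Yield (timestamp, jail, event, ip) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["jail"], m["event"], m["ip"]


def summarize(log_text):
    ban_count = Counter()   # (jail, ip) -> number of Ban events
    active = set()          # (jail, ip) banned and not yet unbanned
    for ts, jail, event, ip in parse(log_text):
        if event == "Ban":
            ban_count[(jail, ip)] += 1
            active.add((jail, ip))
        elif event == "Unban":
            active.discard((jail, ip))
    # Addresses banned more than once are candidates for a longer ban.
    repeat = sorted({ip for (_, ip), n in ban_count.items() if n > 1})
    return {
        "bans": dict(ban_count),
        "currently_banned": sorted(active),
        "repeat_offenders": repeat,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FAIL2BAN_LOG)
    for (jail, ip), n in sorted(report["bans"].items()):
        print(f"{jail}: {ip} banned {n} time(s)")
    print("currently banned:", report["currently_banned"])
    print("repeat offenders:", report["repeat_offenders"])
```

Addresses that reappear after their ban expires are what the built-in recidive jail is for: it watches fail2ban.log itself and re-bans repeat offenders with a much longer bantime. Enable it in jail.local the same way as the other jails.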
You can list the current rules configured for iptables.
$ sudo iptables -L
You can also list the iptables rules in a format that reflects the commands necessary to recreate them.
$ sudo iptables -S
Bans appear in a chain per jail (f2b-sshd for the sshd jail) as REJECT or DROP rules for the banned addresses. If the fail2ban-firewalld subpackage is installed, bans are applied as firewalld rich rules instead and won't appear in these chains; list them with sudo firewall-cmd --list-rich-rules. Either way, fail2ban-client status <jail> shows what Fail2Ban itself considers banned.
Conclusion
This concludes our tutorial on installing and configuring Fail2Ban on a Fedora 33 or CentOS 8 based server. If you have any questions, do post them in the comments below.