How to install and configure Fail2Ban on CentOS 8 and Fedora 33

Fail2Ban is a log parsing utility that scans log files of various processes and bans IP addresses that make too many password failures. When an attempted login is located, Fail2Ban will add a new rule to iptables to block the IP address of the attacker, either temporarily or permanently. It can also alert you via email for the same.

It is primarily focused on detecting intrusions via SSH but it can be configured to work with any service that uses log files.

Prerequisites

1. A Fedora 33 or a CentOS 8 based server with a non-root user with sudo privileges.
2. Install Nano editor because that’s what we will use.

   $ sudo dnf install nano -y
   

Install Fail2Ban

To install Fail2Ban on CentOS 8, you need to install EPEL Yum repository first.

$ sudo dnf install epel-release

Fedora 33 ships with Fail2Ban.

Run the following command to install Fail2Ban on both Fedora 33 and CentOS 8.

$ sudo dnf install fail2ban

Once installed, we need to enable the service.

$ sudo systemctl enable fail2ban

Next, start the fail2ban service.

$ sudo systemctl start fail2ban

You can now check the status of the service to see if it is working correctly.

$ sudo systemctl status fail2ban
? fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-11-02 21:15:59 UTC; 5s ago
       Docs: man:fail2ban(1)
    Process: 19031 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 19032 (f2b/server)
      Tasks: 3 (limit: 1125)
     Memory: 11.0M
        CPU: 96ms
     CGroup: /system.slice/fail2ban.service
             ??19032 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Starting Fail2Ban Service...
Nov 02 21:15:59 howtoforge-tutorial systemd[1]: Started Fail2Ban Service.
Nov 02 21:15:59 howtoforge-tutorial fail2ban-server[19032]: Server ready

Configure Fail2Ban

Fail2Ban service keeps its configuration files in the /etc/fail2ban directory. You will come across a file jail.conf in it. This file usually gets overridden during package upgrades so it shouldn’t be edited.

Instead, all configurations should be done in a new file which we will call jail.local. Settings in these 2 files can be further overridden via files from the /etc/fail2ban/jail.d/ directory.

Configurations are applied in the following order:

1. /etc/fail2ban/jail.conf
2. etc/fail2ban/jail.d/*.conf, Alphabetically
3. /etc/fail2ban/jail.local
4. /etc/fail2ban/jail.d/*.local, Alphabetically

jail.conf contains a [DEFAULT] section followed by sections for individual services. Any of these sections can be overridden by defining them in .local files.

Configure jail.local

We will create a fresh jail.local file.

$ sudo nano /etc/fail2ban/jail.local

Paste the following code in it.

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd

[sshd]
enabled = true

Press Ctrl + X to close the editor and press Y when prompted to save the file. This sets a new default bantime for all services, changes the backend to systemd and enables the `sshd jail.

Restart Fail2ban to implement the new changes.

$ sudo systemctl restart fail2ban

We can confirm the newly applied settings using fail2ban-client utility.

$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

We can also get the detailed status of each jail specifically in the following way.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

More Settings

jail.conf provides a lot more settings that can be customised using /jail.local file. We will go over some settings next.

Whitelisting IP

You can whitelist/ignore IPs from being blocked by Fail2ban using the following code.

[DEFAULT]
ignoreip = 127.0.0.1/8 123.45.67.89

If you want to whitelist IPs only for certain jails, you can do so via fail2ban-client.

$ sudo fail2ban-client set JAIL addignoreip 123.45.67.89

Replace JAIL in the above command with the name of the jail, you want to edit the setting for.

Ban Time and Retry amount

There are 3 settings which can set the time and number of retries for a ban.

bantime – is the length of time in seconds for which an IP is banned. To set a permanent ban, set this value to a negative number. The default value is 10 minutes or 600 seconds.

findtime – is the length of the time between login attempts before a ban is set. This value is always a number of seconds. For example, if Fail2ban is set to ban an IP after 5 failed login attempts, those 5 attempts must occur within the set 10 minute bantime limit.

maxretry – is the number of retries from a single IP address before a ban is imposed. The default value is 3.

To customise these settings, paste the following lines in \etc\fail2ban\jail.local file under the [DEFAULT] section.

bantime = 3600
findtime = 300
maxretry = 4

Email Alerts

To send email alerts, you will need to install a Mail Transfer Agent(MTA) first. For our purpose, we will install sendmail.

$ sudo dnf install sendmail

To receive the email, add the following code in \etc\fail2ban\jail.local file under [DEFAULT] section.

destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
action = %(action_mw)s

destemail refers to the Destination email Id which is the id where you want to receive the mails at, sendername refers to the name of the sender so we are using Fail2Ban for it. mta refers to the Mail Transfer Agent being used which is sendmail here. If you are using Postfix, then use the value mail for the mta variable.

action refers to the default action that is taken place once an intrusion is detected. The default value is %(action_)s which only bans the user. %(action_mw)s will ban and send an email with a Whois report; while %(action_mwl)s will ban and send an email with the Whois report along with information from the relevant log files. This can also be changed on a jail-specific basis.

Settings for Individual Jails

As we already know, [DEFAULT] section applies for all Jails, it is time to look into some specific Jails and their settings.

SSHD Jail

We have already defined [sshd] earlier in our jail.local file. We can customise it a little more by the following code.

[sshd]

enabled = true
port = ssh
logpath = %(ssh_log)s

In this case, we are using a pre-defined variable ssh for the port which is the default SSH port. If you are using a different SSH port, you should change it. logpath refers to the location of the log file to monitor. %(ssh_log)s uses a value defined in Fail2ban’s standard configuration file (/etc/fail2ban/paths-common.conf).

Nginx Jail

Nginx has several Jails that can be used in Fail2Ban. For example, if a password-protected portion of your site gets attacked repeatedly, you can use a section [nginx-http-auth] in jail.local file for that.

[nginx-http-auth]
enabled = true

We can also add a section called [nginx-botsearch] to stop requests to folders or locations that don’t exist.

[nginx-badbots]
enabled  = true

There are other Nginx jails too but they don’t come pre-configured with Fail2Ban. They need to be created manually and most of them can be based on the Apache ones that Fail2Ban ships with.

Fail2Ban Filters and Failregexs

There is another setting in Fail2Ban configuration called filters. Filters decide whether a line in the log file indicates a failed authentication.

The filter value in the configuration file is a reference to a file located in the /etc/fail2ban/filter.d directory with its .conf extension removed.

You can see what kind of filters are available by checking the directory.

$ ls /etc/fail2ban/filter.d

You will see 2 log files for Nginx in it; nginx-badbots.conf and nginx-http-auth.conf.

These configuration files use Regular expressions(regex) to parse log files. These are called Failregexs. You can customise or create new filters by writing your own regular expressions. We won’t be covering these regular expressions in-depth because they are out of the scope of this tutorial.

Monitor Fail2Ban Logs and Firewall

You can check the status of Fail2Ban by using systemctl as stated earlier.

$ sudo systemctl status fail2ban

To get a little more detail, you can use the journalctl command.

$ sudo journalctl -b -u fail2ban

You can also use fail2ban-client to query the status of fail2ban-server or and individual jail.

$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name

You can also query the Fail2ban’s log file.

$ sudo tail -F /var/log/fail2ban.log

You can list the current rules configured for iptables.

$ sudo iptables -L

You can also list the iptables rules in a format which reflects the commands necessary to enable those rules.

$ sudo iptables -S

Conclusion

This concludes our tutorial on installing and configuring Fail2Ban on a Fedora 33 or CentOS 8 based server. If you have any questions, do post them in the comments below.