Fail2ban is a security application for Unix-based servers. It is most commonly used to protect SSH and FTP from brute-force and other unauthorized connection attempts. Fail2ban runs as a daemon, written in Python, that scans log files for patterns that indicate an intrusion attempt (typically repeated failed logins) and then adds the iptables rules you define in its configuration to block the offending IP addresses for a period of time.
This howto will help you install and configure Fail2ban on Fedora, CentOS, or RHEL.
Installing Fail2Ban on RHEL, CentOS and Fedora
Fail2ban is shipped in the EPEL repository, so enable EPEL first. With EPEL enabled, install fail2ban with yum:
# yum install fail2ban
Basic fail2ban configuration
Open the fail2ban configuration file:
# nano /etc/fail2ban/jail.conf
This howto edits jail.conf directly for simplicity. On a host you intend to keep, copy the sections you change into /etc/fail2ban/jail.local instead: fail2ban reads jail.local after jail.conf and its values take precedence, and a package update replaces jail.conf but leaves jail.local untouched.
The [DEFAULT] section looks like this:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
Add your own IP address to the ignoreip line; several addresses are separated by spaces, and CIDR ranges are accepted, so a whole management network can be listed. ignoreip whitelists addresses that fail2ban must never ban, which is what keeps you from locking yourself out of your own server after a few mistyped passwords.
Next decide on bantime, the number of seconds a host stays blocked once it trips a rule. This is especially useful against bots, which once banned simply move on to the next target. Fail2ban's stock default is 600 seconds (10 minutes); the excerpt above raises it to 3600 (one hour), and you can go higher if you like.
maxretry is the number of failed login attempts a host may make before it is banned for bantime seconds.
findtime is the window, in seconds, over which those failures are counted: a host is banned when it fails maxretry times within the last findtime seconds, so with the values above three failures in any 10-minute window trigger a ban. Failures older than findtime no longer count towards it.
How to protect SSH/SFTP using fail2ban
Below the defaults you will find the SSH jail, [ssh-iptables]. Set enabled = true, check that logpath points at the file where sshd logs on your system (/var/log/secure on RHEL, CentOS and Fedora), and restart the fail2ban service. The second action, sendmail-whois, mails a whois report on every ban to dest; if the host has no working mail setup, leave that line out.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5
Note that maxretry = 5 inside the jail overrides maxretry = 3 from [DEFAULT] for SSH only.
# service fail2ban restart
Protect your FTP server by using fail2ban
The ProFTPD jail, [proftpd-iptables], ships with enabled = false. Set it to true, make sure logpath matches where your proftpd writes its log, and restart fail2ban:
[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
# service fail2ban restart
enabled turns the jail on or off; set it to false to switch SSH protection off again.
The filter, sshd by default, names the file in /etc/fail2ban/filter.d that holds the regular expressions fail2ban matches against the log. The value is the file name without its .conf extension, so sshd refers to /etc/fail2ban/filter.d/sshd.conf.
action lists the steps fail2ban takes to ban a matching IP address. As with filter, each action names a file in /etc/fail2ban/action.d; the default ban action, iptables, is defined in /etc/fail2ban/action.d/iptables.conf.
The parameters in square brackets customize the action. For example, if sshd listens on a non-standard port, change port=ssh inside the brackets to that port number. The iptables action only diverts traffic for the port named there into the fail2ban-SSH chain, so with the wrong port the ban rule is created but never matches the attacker's connections.
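As an added example (not code from the original page or from the fail2ban project), the following shell script collects the settings from the sections above into /etc/fail2ban/jail.local rather than editing jail.conf, with the SSH jail bound to the port sshd really listens on. The configuration directory, the port and the whitelisted address are parameters and are assumptions, not values from the page; the jail names, filters and log paths are the ones from the excerpts above.

```sh
#!/bin/sh
# Added example, not from the original page or the fail2ban project: put the
# changes from this howto into a jail.local override instead of editing
# jail.conf, which yum replaces on the next package update. Assumptions:
# $1 is the fail2ban configuration directory (/etc/fail2ban on a real host,
# a temporary directory when trying this out), $2 is the TCP port sshd
# actually listens on, $3 is an optional space-separated list of addresses
# that must never be banned.

write_jail_local() {
    confdir=$1
    sshport=$2
    adminip=$3

    # Accept only a numeric port. iptables also takes a service name such as
    # "ssh", but that resolves through /etc/services to 22 whatever sshd is
    # really bound to, and a ban rule for the wrong port drops nothing.
    case $sshport in
        ''|*[!0-9]*)
            echo "write_jail_local: port must be numeric, got '$sshport'" >&2
            return 1 ;;
    esac

    cat > "$confdir/jail.local" <<EOF
# Values here override the same keys in jail.conf; sections not listed
# keep their jail.conf settings.
[DEFAULT]
ignoreip = 127.0.0.1 $adminip
bantime  = 3600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
# Continuation lines of a multi-action value must be indented.
action   = iptables[name=SSH, port=$sshport, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
EOF
    # A jail whose logpath does not exist errors out when fail2ban starts;
    # warn now rather than discover it in the logs after the restart.
    for f in /var/log/secure /var/log/proftpd/proftpd.log; do
        [ -e "$f" ] || echo "write_jail_local: warning: $f not found" >&2
    done
}

# jail_enabled FILE JAIL: exit 0 if the [JAIL] section in FILE has "enabled = true".
jail_enabled() {
    awk -v jail="[$2]" '
        $0 == jail  { insec = 1; next }
        /^\[/       { insec = 0 }
        insec && $1 == "enabled" && $3 == "true" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}
```

On a real host you would run write_jail_local /etc/fail2ban 2222 "203.0.113.10" (constructed port and address), confirm the result with jail_enabled /etc/fail2ban/jail.local ssh-iptables, and then restart fail2ban as described in the next section.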
Restarting Fail2Ban Service
Whenever you change the fail2ban configuration, restart the service so the new settings are loaded (service fail2ban restart). Also enable it at boot; chkconfig fail2ban on turns it on for runlevels 2 to 5, so it starts whether the server boots into runlevel 3 or 5:
# chkconfig fail2ban on
# service fail2ban start
Starting fail2ban: [ OK ]
Verifying Fail2Ban iptables rules
To verify the iptables rules fail2ban has inserted, list the filter table. Adding -n skips the reverse DNS lookup for every address, which otherwise slows the listing down:
# iptables -L -n
fail2ban also reports each ban on its own (to syslog or /var/log/fail2ban.log, depending on logtarget in /etc/fail2ban/fail2ban.conf). On this host syslog broadcasts warnings to logged-in terminals, so the ban shows up on the console as well:
Message from syslogd@lintut at Feb 20 21:57:53 ...
fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.80
Example output of iptables -L (without -n, so addresses and ports appear by name) after that ban. fail2ban inserts a jump to its own chain at the top of INPUT, ahead of the rule that accepts SSH, so a banned host is dropped before it ever reaches sshd:
Chain INPUT (policy ACCEPT)
target       prot opt source        destination
fail2ban-SSH tcp  --  anywhere      anywhere      tcp dpt:ssh
ACCEPT       all  --  anywhere      anywhere      state RELATED,ESTABLISHED
ACCEPT       icmp --  anywhere      anywhere
ACCEPT       all  --  anywhere      anywhere
ACCEPT       tcp  --  anywhere      anywhere      state NEW tcp dpt:ssh
ACCEPT       tcp  --  anywhere      anywhere      state NEW tcp dpt:http
ACCEPT       tcp  --  anywhere      anywhere      state NEW tcp multiport dports 5901:5903,6001:6003
REJECT       all  --  anywhere      anywhere      reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target       prot opt source        destination
REJECT       all  --  anywhere      anywhere      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target       prot opt source        destination

Chain fail2ban-SSH (1 references)
target       prot opt source        destination
DROP         all  --  192.168.1.80  anywhere
RETURN       all  --  anywhere      anywhere
Watch Failed SSH login attempts
To see the failed SSH login attempts recorded by sshd, grep the secure log:
# grep 'Failed password' /var/log/secure
Feb 20 23:57:53 lintut sshd[29518]: Failed password for root from 192.168.1.80 port 1302 ssh2
Feb 20 23:57:53 lintut sshd[29518]: Failed password for root from 192.168.1.80 port 57599 ssh2
Feb 20 23:57:53 lintut sshd[29518]: Failed password for root from 192.168.1.80 port 57599 ssh2
Feb 20 23:57:53 lintut sshd[29518]: Failed password for root from 192.168.1.80 port 57599 ssh2
To see which hosts are responsible and how often, pull out the source address (the field after "from") and count it. Piping whole lines through sort | uniq -c aggregates nothing, because every line carries its own timestamp and client port:
# grep 'Failed password' /var/log/secure | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -rn
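To make the maxretry/findtime/ignoreip rule from the configuration section concrete, and to show what the log above looks like once it is counted per host, here is an added shell example that is not part of the original page or of fail2ban itself. It replays fail2ban's counting rule over a few constructed /var/log/secure lines (labelled as such in the code): an address is reported when it produces maxretry "Failed password" lines within findtime seconds, addresses in the ignoreip list are exempt, and older failures fall out of the window. Only the "Failed password" line is matched, which is a simplification of fail2ban's real sshd filter, and the sample is assumed to fall on a single day.

```sh
#!/bin/sh
# Added example, not from the original page: replay fail2ban's counting rule
# (maxretry failures from one address within findtime seconds, ignoreip
# exempt) over constructed /var/log/secure lines. Only "Failed password" is
# matched; fail2ban's real sshd filter has more patterns. Timestamps are
# reduced to seconds since midnight, so all lines must fall on one day.

# Constructed sample log; not captured from a real host.
SAMPLE_LOG='Feb 20 23:40:00 lintut sshd[29501]: Failed password for root from 10.0.0.5 port 40001 ssh2
Feb 20 23:47:00 lintut sshd[29502]: Failed password for root from 10.0.0.5 port 40002 ssh2
Feb 20 23:49:10 lintut sshd[29503]: Failed password for root from 127.0.0.1 port 50001 ssh2
Feb 20 23:49:11 lintut sshd[29504]: Failed password for root from 127.0.0.1 port 50002 ssh2
Feb 20 23:49:12 lintut sshd[29505]: Failed password for root from 127.0.0.1 port 50003 ssh2
Feb 20 23:50:01 lintut sshd[29518]: Failed password for root from 192.168.1.80 port 1302 ssh2
Feb 20 23:50:05 lintut sshd[29519]: Failed password for invalid user admin from 192.168.1.80 port 57599 ssh2
Feb 20 23:50:09 lintut sshd[29520]: Failed password for root from 192.168.1.80 port 57600 ssh2
Feb 20 23:50:12 lintut sshd[29521]: Failed password for root from 192.168.1.80 port 57601 ssh2
Feb 20 23:51:30 lintut sshd[29522]: Accepted password for alice from 10.0.0.7 port 40010 ssh2
Feb 20 23:58:00 lintut sshd[29523]: Failed password for root from 10.0.0.5 port 40003 ssh2'

# ban_candidates MAXRETRY FINDTIME "IGNOREIP LIST" < logfile
# Prints each address that would be banned, once, at the failure that trips it.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" -v ignore="$3" '
    BEGIN {
        n = split(ignore, list, " ")
        for (i = 1; i <= n; i++) skip[list[i]] = 1
    }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, hms, ":")                      # $3 is HH:MM:SS
        t = hms[1] * 3600 + hms[2] * 60 + hms[3]
        ip = ""
        for (i = 1; i <= NF; i++)                # the address follows the word "from"
            if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in skip) || (ip in banned)) next
        cnt[ip]++
        ts[ip, cnt[ip]] = t                      # remember this failure
        head = (ip in first) ? first[ip] : 1
        while (head < cnt[ip] && t - ts[ip, head] > findtime)
            head++                               # forget failures older than findtime
        first[ip] = head
        if (cnt[ip] - head + 1 >= maxretry) {    # enough recent failures: ban
            banned[ip] = 1
            print ip
        }
    }'
}

# failures_by_ip < logfile: failures counted per source address, most active first.
failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# With the page's defaults (maxretry 3, findtime 600, ignoreip 127.0.0.1) only
# 192.168.1.80 is reported: 10.0.0.5 also fails three times, but spread over
# 18 minutes, and 127.0.0.1 is whitelisted.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600 "127.0.0.1"
```

Feed the real log in with ban_candidates 3 600 "127.0.0.1" < /var/log/secure to preview which hosts the defaults would have banned, and raise findtime (for example to 1200) to see how a slower attacker such as 10.0.0.5 in the sample starts to qualify.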
Remove IP Address from Fail2Ban
To unban an address before bantime expires, ask fail2ban to do it (fail2ban 0.8.8 and later), so that its own bookkeeping stays in sync with iptables:
# fail2ban-client set ssh-iptables unbanip 192.168.1.80
On older versions, delete the rule from the jail's chain directly. Chain names are case-sensitive: the SSH jail above creates fail2ban-SSH, not fail2ban-ssh. Deleting by rule specification is safer than by position, because rule numbers shift as other hosts are banned and unbanned:
# iptables -D fail2ban-SSH -s 192.168.1.80 -j DROP
Deleting by number (iptables -D fail2ban-SSH 1) removes whichever rule happens to be first in the chain. Either way fail2ban still considers the host banned and may log an error when it tries to remove the already-deleted rule at the end of bantime; that error is harmless.
For any additional information, please visit Fail2ban official page.