What is Fail2Ban

Fail2ban is a log-parsing daemon that monitors system logs for signs of an automated attack on your Linode. When the failures from one address exceed the thresholds you define, Fail2ban adds a firewall rule (iptables by default) that blocks that IP address, either for a set amount of time or permanently. Fail2ban can also alert you by email when a ban occurs.

Fail2ban ships with its SSH jail as the main use case, but it can be configured for any service that writes authentication failures to a log file (HTTP, FTP, mail, and so on).

CentOS 7

  1. Ensure your system is up to date and install the EPEL repository:
     yum update && yum install epel-release
  2. Install Fail2ban:
     yum install fail2ban
  3. (Optional) If you would like email support, install Sendmail. Sendmail is not required to use Fail2ban:
     yum install sendmail
  4. Start and enable Fail2ban and, if needed, Sendmail:
     systemctl start fail2ban
     systemctl enable fail2ban
     systemctl start sendmail
     systemctl enable sendmail
     Note: Should you encounter the error that there is “no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock”, create the directory manually and start the service again:
     mkdir /var/run/fail2ban

Debian

  1. Ensure your system is up to date:
     apt-get update && apt-get upgrade -y
  2. Install Fail2ban:
     apt-get install fail2ban
     The service starts automatically after installation.
  3. (Optional) If you would like email support, install Sendmail:
     apt-get install sendmail-bin sendmail
     Note: The version of Sendmail in Debian Jessie has an upstream bug that prints the following errors while sendmail-bin is being configured. The installation hangs for about a minute, then completes:
     Creating /etc/mail/sendmail.cf...
     ERROR: FEATURE() should be before MAILER()
     MAILER('local') must appear after FEATURE('always_add_domain')
     ERROR: FEATURE() should be before MAILER()
     MAILER('local') must appear after FEATURE('allmasquerade')

Fedora

  1. Update your system:
     dnf update
  2. Install Fail2ban:
     dnf install fail2ban
  3. (Optional) If you would like email support, install Sendmail:
     dnf install sendmail
  4. Start and enable Fail2ban and, if needed, Sendmail:
     systemctl start fail2ban
     systemctl enable fail2ban
     systemctl start sendmail
     systemctl enable sendmail

Ubuntu

  1. Ensure your system is up to date:
     apt-get update && apt-get upgrade -y
  2. Install Fail2ban:
     apt-get install fail2ban
     The service starts automatically after installation.
  3. (Optional) If you would like email support, install Sendmail:
     apt-get install sendmail
  4. Allow SSH access through UFW, then enable the firewall. Keep this order: enabling UFW before the SSH rule exists drops your own session. If sshd listens on a non-standard port, allow that port number instead of ssh.
     ufw allow ssh
     ufw enable

Configure Fail2ban

Fail2ban reads each .conf configuration file first, then the matching .local file, whose settings override it. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched so package upgrades do not overwrite them. Distribution packages may also drop files into /etc/fail2ban/jail.d/, which are read in the same .conf-then-.local order.

Configure fail2ban.local

  1. fail2ban.conf contains the default configuration profile. The default settings will give you a reasonable working setup. If you want to make any changes, it’s best to do it in a separate file, fail2ban.local, which overrides fail2ban.conf. Copy fail2ban.conf to fail2ban.local:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

  2. From here, you can opt to edit the definitions in fail2ban.local to match your desired configuration. The values that can be changed are:

  • loglevel: The level of detail that Fail2ban’s own log provides. Fail2ban 0.8 (for example the Debian Jessie package) takes 1 (error), 2 (warn), 3 (info), or 4 (debug); Fail2ban 0.9 and later take the names CRITICAL, ERROR, WARNING, NOTICE, INFO, or DEBUG instead.
  • logtarget: Where Fail2ban writes its own log. The default value of /var/log/fail2ban.log puts all logging into that file. Alternately, you can set the value to:
    • STDOUT: write the log to standard output
    • STDERR: write the log to standard error
    • SYSLOG: send each message to syslog
    • FILE: any other file path
    Only one target can be set; if you move it away from the default, adjust the logrotate configuration for Fail2ban to match.
  • socket: The location of the socket file that fail2ban-client uses to talk to the daemon.
  • pidfile: The location of the PID file.

Configure jail.local Settings

  1. On Debian and Ubuntu the packaged jail.d/defaults-debian.conf turns the SSH jail on; on CentOS 7 no jail is enabled out of the box. Every other jail in jail.conf (HTTP, FTP, etc.) is commented out. To change this, create a jail.local for editing:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

On CentOS 7, point the backend at the systemd journal so the SSH jail reads sshd's messages from journald instead of depending on a syslog file:

/etc/fail2ban/jail.local

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.

. . .

backend = systemd

No jails are enabled by default in CentOS 7. For example, to enable the SSH daemon jail, add (or uncomment) enabled = true in the [sshd] section of jail.local:

/etc/fail2ban/jail.local

[sshd]
enabled = true

Whitelist IP

To ignore specific IPs, add them to the ignoreip line. By default, this setting exempts only localhost. If you work from a single IP address often, it may be beneficial to add it to the ignore list so a typo in your own password cannot lock you out:

/etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 123.45.67.89

If you wish to whitelist an IP for a single jail on the running daemon, use the fail2ban-client command. Replace JAIL with the name of your jail, and 123.45.67.89 with the IP you wish to whitelist. This change lives only in the running daemon: add the address to the jail's ignoreip in jail.local as well if it should survive a restart.

fail2ban-client set JAIL addignoreip 123.45.67.89

Ban Time and Retry Amount

Set bantime, findtime, and maxretry to define the circumstances and the length of time of a ban:

/etc/fail2ban/jail.local
# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
  • bantime: The length of time in seconds for which an IP is banned. If set to a negative number, the ban is permanent. The value of 600 above bans an IP for 10 minutes.
  • findtime: The window, in seconds, in which failed attempts are counted. A host is banned only if it reaches maxretry failures within the last findtime seconds; with findtime = 600 and maxretry = 3, three failures must fall inside one 10-minute window, and a host that spreads its attempts further apart is never banned. The findtime value should be a set number of seconds.
  • maxretry: How many failed attempts a single IP may make within findtime before a ban is imposed. The snippet above sets it to 3; Fail2ban 0.9 and later ship with a default of 5.
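To see how ignoreip, findtime and maxretry interact before touching a live jail, the following script replays sshd log lines through the same window-counting rule the daemon applies. It is an added example for this guide, not part of Fail2ban: the real daemon matches lines with the failregex in filter.d/sshd.conf and parses full dates, while this awk only recognises "Failed password" lines and reduces the timestamp to seconds within one day. The log lines are constructed for the demonstration and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# would_ban FINDTIME MAXRETRY "IGNOREIP" < auth.log
# Prints "IP HH:MM:SS" for every address the sshd jail would ban, using the same
# rule as Fail2ban: ban when an address produces MAXRETRY failures inside a
# sliding FINDTIME-second window, unless it is listed in IGNOREIP (plain
# addresses or CIDR ranges, space separated). Added example for this guide;
# the real daemon uses filter.d/sshd.conf and full timestamps, whereas this awk
# only matches "Failed password" lines and assumes all lines share one day.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    # ip2n: dotted IPv4 -> 32-bit integer (awk doubles hold this exactly)
    function ip2n(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # ignored: 1 if ip equals an ignoreip entry or falls inside one of its CIDR ranges
    function ignored(ip,    i, e, p, div) {
        for (i = 1; i <= nign; i++) {
            e = ign[i]
            if (index(e, "/") == 0) { if (e == ip) return 1; continue }
            split(e, p, "/")
            div = 2 ^ (32 - p[2])          # size of the range: compare the network part only
            if (int(ip2n(p[1]) / div) == int(ip2n(ip) / div)) return 1
        }
        return 0
    }
    BEGIN { nign = split(ignore, ign, " ") }
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ignored(ip)) next
        # keep only the failures still inside the findtime window, then add this one
        n = 0
        for (i = 1; i <= cnt[ip]; i++)
            if (hit[ip, i] > now - findtime) hit[ip, ++n] = hit[ip, i]
        hit[ip, ++n] = now
        cnt[ip] = n
        if (n >= maxretry) {               # threshold reached: ban and reset the counter
            print ip, $3
            cnt[ip] = 0
        }
    }'
}

# Constructed sample of auth.log lines (not a real capture). 203.0.113.5 fails
# three times in four seconds, 198.51.100.7 fails three times but sits on the
# whitelist, and 192.0.2.50 spreads three failures over thirty minutes.
SAMPLE_LOG='Jan 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:01:00 host sshd[1204]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 12:01:10 host sshd[1205]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jan 10 12:01:20 host sshd[1206]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Jan 10 12:02:00 host sshd[1207]: Accepted password for alice from 198.51.100.7 port 40004 ssh2
Jan 10 12:05:00 host sshd[1208]: Failed password for bob from 192.0.2.50 port 50001 ssh2
Jan 10 12:20:00 host sshd[1209]: Failed password for bob from 192.0.2.50 port 50002 ssh2
Jan 10 12:35:00 host sshd[1210]: Failed password for bob from 192.0.2.50 port 50003 ssh2'

# Values from this guide: 10-minute window, 3 attempts, admin network whitelisted.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 3 "127.0.0.1/8 198.51.100.0/24"
# With a one-hour findtime the slow attacker 192.0.2.50 is caught as well.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3600 3 "127.0.0.1/8 198.51.100.0/24"
```

With the guide's values only 203.0.113.5 is banned: 198.51.100.7 is inside the whitelisted /24, and 192.0.2.50 never accumulates three failures inside any 600-second window. Raising findtime to 3600 catches the slow attacker too, which is the trade-off to weigh when tuning a jail.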

Other Jail Configuration

Beyond the basic settings addressed above, jail.local also contains jail definitions for a number of common services, SSH among them, together with the action each jail takes, which is iptables-based by default. On Debian and Ubuntu only the SSH jail is enabled; its action bans the offending host/IP address by modifying the iptables firewall rules. The SSH jail is named [ssh] in Fail2ban 0.8 (as in the example below) and [sshd] in 0.9 and later; use whichever name your jail.conf defines.

An average jail configuration will resemble the following:

/etc/fail2ban/jail.local

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
  • banaction: The action used when the threshold is reached. If the firewall is managed by firewalld, set it to firewallcmd-ipset; if it is managed by UFW, set it to ufw. The default iptables-multiport still inserts raw iptables rules on such systems, but those rules are invisible to the firewall front end and can be lost when it reloads.
  • banaction_allports: The action used by jails that block the remote IP on every port rather than on the jail's port list. With firewalld set it to firewallcmd-ipset as well.
  • enabled: Determines whether or not the jail is turned on.
  • port: The port(s) Fail2ban should block for this service. If using the default port, the service name from /etc/services can be placed here. If using a non-traditional port, this should be the port number; several ports can be listed separated by commas. For example, if you moved your SSH port to 3456, you would replace ssh with 3456.
  • filter: The name of the file in /etc/fail2ban/filter.d that contains the failregex used to parse the log. The .conf suffix need not be included.
  • logpath: The location of the service’s log. On CentOS and Fedora sshd logs to /var/log/secure rather than /var/log/auth.log.
  • maxretry: Overrides the global maxretry for this jail. findtime and bantime can be overridden the same way.
  • action: Can be added if the default action is not suitable for the jail. Additional actions can be found in /etc/fail2ban/action.d.
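The script below pulls the steps of this section together: it chooses the banaction that matches the firewall actually in use, renders a complete jail.local for the SSH jail, and then validates the result before restarting the daemon. It is an added example for this guide, not Fail2ban's own tooling. It assumes the stock sshd filter, a fail2ban-client new enough for the -t configuration test (0.10 and later), and placeholder values for the SSH port (2222), the admin address (192.0.2.10) and the log path, all of which are overridable through environment variables; nothing is written unless it is run with --apply.

```shell
#!/bin/sh
# Generate, validate and apply a jail.local for the sshd jail. Added example for
# this guide, not part of Fail2ban. Assumptions: the stock sshd filter, a
# fail2ban-client with "-t" (0.10+), and placeholder SSH_PORT=2222,
# ADMIN_IP=192.0.2.10 and AUTH_LOG=/var/log/auth.log (use /var/log/secure on
# CentOS/Fedora). Nothing is written unless the script is run with --apply.

# pick_banaction FIREWALL -> banaction for ufw, firewalld, or plain iptables
pick_banaction() {
    case "$1" in
        ufw)       echo ufw ;;
        firewalld) echo firewallcmd-ipset ;;
        *)         echo iptables-multiport ;;
    esac
}

# pick_banaction_allports BANACTION -> matching action for jails that ban all ports
pick_banaction_allports() {
    case "$1" in
        iptables-multiport) echo iptables-allports ;;
        *)                  echo "$1" ;;   # ufw and firewallcmd-ipset already block every port
    esac
}

# detect_firewall -> ufw | firewalld | iptables, from what is installed and running
detect_firewall() {
    if command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q '^Status: active'; then
        echo ufw
    elif command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state 2>/dev/null | grep -q '^running'; then
        echo firewalld
    else
        echo iptables
    fi
}

# render_jail_local SSH_PORT BANACTION ADMIN_IP -> jail.local text on stdout
render_jail_local() {
    cat <<EOF
[DEFAULT]
# never ban the host itself or the admin address
ignoreip = 127.0.0.1/8 ::1 $3
# one-hour ban after 3 failures within 10 minutes (bantime = -1 would make it permanent)
bantime  = 3600
findtime = 600
maxretry = 3
# "auto" picks the log reader; the CentOS 7 steps in this guide use backend = systemd
backend  = auto
banaction = $2
banaction_allports = $(pick_banaction_allports "$2")

[sshd]
enabled = true
port    = $1
filter  = sshd
EOF
}

main() {
    fw=$(detect_firewall)
    cfg=${JAIL_LOCAL:-/etc/fail2ban/jail.local}
    render_jail_local "${SSH_PORT:-2222}" "$(pick_banaction "$fw")" "${ADMIN_IP:-192.0.2.10}" > "$cfg"
    # dry-run the filter against the real log to confirm failures are recognised
    fail2ban-regex "${AUTH_LOG:-/var/log/auth.log}" /etc/fail2ban/filter.d/sshd.conf
    # parse the full configuration without starting the daemon, then reload and inspect the jail
    fail2ban-client -t && systemctl restart fail2ban && fail2ban-client status sshd
}

if [ "${1:-}" = "--apply" ]; then
    main
else
    # preview only: print the jail.local that --apply would install
    render_jail_local "${SSH_PORT:-2222}" "$(pick_banaction "$(detect_firewall)")" "${ADMIN_IP:-192.0.2.10}"
fi
```

Run it without arguments to preview the generated file, then with --apply as root. The fail2ban-regex dry run is the check worth keeping in any deployment: if it reports zero matches against the live log, the jail is enabled but will never ban anyone, usually because logpath or backend points at the wrong source.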

