Fail2Ban is a free and open-source intrusion prevention system written in Python. It protects your system against brute-force attacks by continuously monitoring the SSH (and other) log files for authentication attempts. After a specified number of incorrect password attempts, Fail2Ban bans the client's IP address. It can be used to secure several services, including SSH, vsftpd, Apache, and Webmin.

In this tutorial, I will show you how to install Fail2Ban on Alma Linux 8 and use it with firewalld.

Prerequisites

  • A server running Alma Linux 8.
  • A root password is configured on the server.

Verify Firewalld Installation

The firewalld package comes pre-installed on Alma Linux 8 by default. First, check whether it is running with the following command:

systemctl status firewalld

If firewalld is not running, you will get the following output:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Now, start the firewalld service with the following command:

systemctl start firewalld

You can check the status of firewalld again using the following command:

systemctl status firewalld

You should see the following output:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2022-02-19 08:57:14 UTC; 40s ago
     Docs: man:firewalld(1)
 Main PID: 7214 (firewalld)
    Tasks: 2 (limit: 23696)
   Memory: 27.9M
   CGroup: /system.slice/firewalld.service
           └─7214 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Feb 19 08:57:14 linux systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 19 08:57:14 linux systemd[1]: Started firewalld - dynamic firewall daemon.

Now, list all services configured by firewalld using the following command:

firewall-cmd --list-all

You should see the following output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Install Fail2Ban

The Fail2Ban package is not available in the default Alma Linux repositories, so you will need to install it from the EPEL repo. You can install the EPEL repo with the following command:

dnf install epel-release -y

Once the EPEL repo is installed, you can install Fail2Ban and its firewalld integration package with the following command:

dnf install fail2ban fail2ban-firewalld -y

Once the installation is complete, start and enable the Fail2Ban service with the following commands:

systemctl start fail2ban

systemctl enable fail2ban

You can verify the status of the fail2ban service by running the command:

systemctl status fail2ban

You should see the following output:

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-02-19 08:58:34 UTC; 6s ago
     Docs: man:fail2ban(1)
  Process: 7838 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 7840 (fail2ban-server)
    Tasks: 3 (limit: 23696)
   Memory: 10.8M
   CGroup: /system.slice/fail2ban.service
           └─7840 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Feb 19 08:58:34 linux systemd[1]: Starting Fail2Ban Service...
Feb 19 08:58:34 linux systemd[1]: Started Fail2Ban Service.
Feb 19 08:58:35 linux fail2ban-server[7840]: Server ready

Configure Fail2Ban

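The main Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. It is a good idea to create a copy of the main configuration file and make your changes there, because settings in jail.local override jail.conf and are not overwritten by package updates. You can create it with the following command: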

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

By default, Fail2Ban uses iptables for its ban actions. To enable firewalld support, run the following command:

mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

Next, restart the Fail2Ban service to apply the changes:

systemctl restart fail2ban

Secure SSH with Fail2Ban

By default, Fail2Ban is not configured to block remote IPs. You will need to configure the Fail2Ban jail configuration file for each service that you want to protect.

To protect the SSH service, create a jail configuration file for SSH with the following command:

nano /etc/fail2ban/jail.d/sshd.local

Add the following lines:

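# This configuration blocks the remote host for 2 hours after 3 failed SSH login attempts.
[sshd]
# Turn the sshd jail on
enabled = true
# How long an offending address stays banned
bantime = 2h
# Failed logins allowed (within the jail's findtime window) before a ban
maxretry = 3

Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes: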

systemctl restart fail2ban

You can now verify the jail configuration with the following command:

fail2ban-client status

The configured jail is listed in the following output:

Status
|- Number of jail:	1
`- Jail list:	sshd

To check the SSH jail for any banned IP, run the following command:

fail2ban-client status sshd

The output lists all currently banned IP addresses:

Status for the jail: sshd
|- Filter
|  |- Currently failed:	6
|  |- Total failed:	15
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service   _COMM=sshd
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	96.9.67.48 43.154.142.8
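
The status output above can be turned into a one-line summary and a threshold check for monitoring. The following is an added example, not part of the original tutorial or the Fail2Ban project; the function names (f2b_field, f2b_banned_ips, f2b_summary, f2b_over_threshold) and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise `fail2ban-client status <jail>` output for monitoring.
# The functions read the status text on stdin, so they also work on saved output.

# Constructed sample in the layout shown above; the addresses are
# placeholders from the RFC 5737 documentation ranges.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed:	6
|  |- Total failed:	15
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service _COMM=sshd
`- Actions
   |- Currently banned:	2
   |- Total banned:	2
   `- Banned IP list:	203.0.113.48 198.51.100.8'

# f2b_field LABEL: print the value that follows "LABEL:". The tree-drawing
# prefix (spaces, |, `, -) in front of the label is stripped.
f2b_field() {
    sed -n "s/^[^A-Za-z]*$1:[[:space:]]*//p" | head -n 1
}

# f2b_banned_ips: print the currently banned addresses, one per line.
f2b_banned_ips() {
    for ip in $(f2b_field 'Banned IP list'); do
        printf '%s\n' "$ip"
    done
}

# f2b_summary: print one key=value line suitable for a log or metric.
f2b_summary() {
    status=$(cat)
    printf 'jail=%s currently_failed=%s currently_banned=%s total_banned=%s\n' \
        "$(printf '%s\n' "$status" | f2b_field 'Status for the jail')" \
        "$(printf '%s\n' "$status" | f2b_field 'Currently failed')" \
        "$(printf '%s\n' "$status" | f2b_field 'Currently banned')" \
        "$(printf '%s\n' "$status" | f2b_field 'Total banned')"
}

# f2b_over_threshold MAX: succeed when more than MAX addresses are banned.
f2b_over_threshold() {
    n=$(f2b_field 'Currently banned')
    [ "${n:-0}" -gt "$1" ]
}

# Live use (as root): fail2ban-client status sshd | f2b_summary
printf '%s\n' "$SAMPLE_STATUS" | f2b_summary
```

A sudden rise in the banned count is a useful signal that the host is being targeted, so f2b_over_threshold can gate an alert in a cron job.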

If you want to unban an IP address manually, run the following command, replacing remote-ip-address with the address to release:

fail2ban-client unban remote-ip-address

Conclusion

In the above guide, we explained how to install Fail2Ban on Alma Linux 8. We also explained how to use Fail2Ban to secure the SSH service. You can now implement Fail2Ban in a production environment to protect your system from brute-force attacks.