Install and Configure Fail2ban on CentOS 8 | RHEL 8

In this guide we shall discuss how to install and configure Fail2ban on CentOS 8 | RHEL 8. Fail2ban is an open-source intrusion detection and prevention tool that scans log files for IP addresses showing signs of repeated failed login attempts. It then bans those IPs by adding firewall rules that reject their traffic.

Fail2ban can be used to protect different services on a Linux system, including sshd, WordPress logins, Postfix, etc.

Install Fail2ban on CentOS 8 | RHEL 8

You have to install the EPEL repository on your CentOS/RHEL 8 system to get the Fail2ban package.

sudo dnf -y install epel-release

Install Fail2ban package:

sudo dnf -y install fail2ban

Start and enable Fail2ban:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configure Fail2ban on CentOS 8 | RHEL 8

After a successful installation, the next step is to configure fail2ban.

Fail2ban configuration files reside in the /etc/fail2ban/ directory.

The main configuration file is /etc/fail2ban/jail.conf. The filters are stored in /etc/fail2ban/filter.d/ directory.

It is not recommended to make changes to jail.conf directly, because settings in *.local files override the ones in jail.conf.

So the best practice is to create a separate file, jail.local, that will hold our configuration.

Let’s configure some defaults in /etc/fail2ban/jail.local:

sudo vi /etc/fail2ban/jail.local

Add the following parameters:

[DEFAULT]
bantime = 21600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
banaction_allports = iptables-allports

A brief description of the above parameters:

  • bantime – the amount of time, in seconds, that an IP stays banned
  • maxretry – the number of failed attempts before a host is banned
  • findtime – fail2ban bans a host if it has generated maxretry failures within the last findtime seconds
  • banaction – the type of ban action to be implemented
  • ignoreip – IP addresses (or networks) that fail2ban will never ban
  • backend – the backend used to detect log file modifications (systemd reads the journal)
  • banaction_allports – the action used when Fail2ban blocks the remote IP on every port
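To see how maxretry, findtime and bantime work together, here is an added example (not part of the original guide and not fail2ban's own code) that applies that rule to a few constructed /var/log/secure lines. The regex is a simplified stand-in for the sshd filter's failregex, and a fixed year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings taken from the [DEFAULT] section above.
BANTIME = 21600   # seconds an IP stays banned
FINDTIME = 300    # window (seconds) in which failures are counted
MAXRETRY = 3      # failures within FINDTIME that trigger a ban

# Stand-in for the sshd filter's failregex (assumption: only the "Failed password" form).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

# Constructed /var/log/secure lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:30 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Mar  1 10:02:00 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2
Mar  1 10:03:00 host sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar  1 11:00:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 50005 ssh2
Mar  1 11:20:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 50006 ssh2
Mar  1 11:40:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 50007 ssh2
"""

def parse_ts(stamp, year=2021):
    # syslog lines carry no year; a fixed one is assumed for the example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def simulate(log, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: ban_time} for IPs that reach maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue            # successful logins and other lines do not count
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue            # firewall rule is still in place for this IP
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()    # failures older than findtime expire
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans
```

With the defaults above only 203.0.113.5 is banned: 198.51.100.9 also fails three times, but spread over 40 minutes, so never three inside one 300 second window.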

Configuring Jails to secure SSH, Postfix and Dovecot

In this section we shall look at how to configure Fail2ban jails for SSH, Postfix and Dovecot.

In the /etc/fail2ban/jail.local file, add parameters for the services you wish to enable.

For SSH:

[sshd]
enabled  = true
port     = ssh
filter   = sshd
# On CentOS/RHEL sshd logs to /var/log/secure (with backend = systemd the journal is read instead)
logpath  = /var/log/secure

For Postfix:

[postfix]
enabled  = true
port     = smtp,465,submission

For Dovecot:

[dovecot]
enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve

For Postfix-SASL:

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s

In the above configuration, the following attributes have been used:

  • enabled – can be set to true or false to enable/disable the jail.
  • port – the port(s) on which the service is running. You can use the service names if the ports in use are the default ones; otherwise you need to specify the port numbers explicitly.
  • filter – the name of the filter file in the /etc/fail2ban/filter.d/ directory, which contains the failregex used to parse the logs.
  • logpath – the path to the service’s log file.

Using Fail2ban client

fail2ban-client is the command line tool used to control Fail2ban from the shell.

The general usage is fail2ban-client followed by one of the commands listed below.

Below is a list of fail2ban-client commands:

  • start: starts the fail2ban server and its jails
  • reload: reloads the Fail2ban configuration
  • stop: stops the server
  • status: shows the status of the server and the enabled jails
  • status JAIL: shows the status of the given jail and the currently banned IPs

Examples:

1. Fail2ban-client status

$ sudo fail2ban-client status
Status
|- Number of jail:	6
`- Jail list:	dovecot, postfix, postfix-sasl, proftpd, sshd, webmin-auth

2. Fail2ban-client status sshd

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	22
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service   _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	4
   `- Banned IP list:	

3. Banned IPs:


To remove an IP from a jail, use the following command (JAIL and IP are placeholders for the jail name and the address):

$ sudo fail2ban-client set JAIL unbanip IP

Example:

$ sudo fail2ban-client set sshd unbanip 192.168.100.12

In the above example, we removed the IP 192.168.100.12 from the sshd jail.

Conclusion

We have gone through a guide on how to set up Fail2ban on CentOS/RHEL 8. The tool is useful for intrusion detection and for preventing attacks such as brute-force logins on a RHEL/CentOS 8 system.
