Did You Know?
Donate to TecMint

We are pleased to announce our new TecMint Q/A section to submit your Linux questions

Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

Fail2ban is an open source free intrusion prevention framework developed in python programming language. Fail2ban operates by monitoring log files such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure etc. and bans the IP address after too many password failure attempts. It used to update iptable firewall rules to reject the IP address for a specified amount of time.

This article shows you how to install and configure Fail2ban under RHEL 6.3/6.2/6.1/6.0/5.8 CentOS 6.3/6.2/6.1/6.0/5.8 and Fedora 17,16,15,14,13,12 systems. Fail2ban runs as a daemon that uses python scripts to parse log files for system intrusion attempts and adds a custom rules to iptables configuration file to ban the access to certain ip addresses.

Install Fail2ban in Centos

Install Fail2ban in RedHat / CentOS / Fedora

Before heading up for installation and configuration of Fail2Ban, I would like to tell you that most of the attackers trying to gain root access via SSH. So, I recommend you to pay close attention to things such as disable ssh root logins and use pair of ssh keys for authentication etc.

Installing Fail2Ban in RHEL, CentOS and Fedora

By default Fail2Ban is not available under Linux systems, so you will need to add and enable third party RPMForge repository or EPEL repository in your Linux box. Once you’ve added repository, install it using following YUM command.

# yum install fail2ban

Configuring Default section for Fail2Ban

The master Fail2Ban configuration file is located under /etc/fail2ban/jail.conf. So, open it using VI editor or any editor that you feel comfortable.

# vi /etc/fail2ban/jail.conf

Now, you will see default section with some basic rules that are followed by fail2ban itself. If you want to add some extra layer of protection to your server, then you can customize the each rule section as per your needs.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

Let me describe each rule section with their description and what purpose we use these rules.

  1. ignoreip : IgnoreIP section allows you to white list certain IP addresses from blocking. Here, you can specify list of IP addresses with space separated and make sure you include your address.
  2. bantime : The number of seconds that a host would be banned from the server. The default is set for 600 (600 seconds = 10 minutes), you may increase this to an hour or higher if you like.
  3. findtime : The amount of time that a host has to log in. The default is set to 10 minutes, it means that if a host attempts, and fails, to log in more than the maxretry number of times, they will be banned.
  4. maxretry : The number of failed login attempts before a host is blocked for the length of the ban time.

Configuring ssh-iptables section for Fail2Ban

The following section is the default ssh-iptables section and it is turned on by default. So, you don’t need to make any changes to this section,

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

You can find the details of each rule described below.

  1. enabled : This section refers that SSH protection is on. You can turn it off by changing the word “true” to “false“.
  2. filter : This section by default set to sshd and refers the config file (/etc/fail2ban/filter.d/sshd.conf) containing the rules that fail2ban uses to find matches.
  3. action : This action tells the fail2ban to ban a matching IP address once a filter matches in the /etc/fail2ban/action.d/iptables.conf file. If your server have mail setup, you can add email address, where fail2ban sends you a email alerts whenever it bans an IP address. The sender section refers to file /etc/fail2ban/action.d/sendmail-whois.conf file.
  4. logpath : The log path is the location of logs where fail2ban will track.
  5. maxretry : The max retry section is the same definition as the default option that we discussed above.

Restarting Fail2Ban Service

Once you’ve made the changes to the fail2ban config file, then always make sure to restart Fail2Ban service.

# chkconfig --level 23 fail2ban on
# service fail2ban start
Starting fail2ban:                                         [  OK  ]

Verifying Fail2Ban iptables rules

Check the rules that fail2ban added in effect within the IP table section.

# iptables -L

I have made some failed login attempts from one of our server to the server where fail2ban installed and it works. You see the banned IP address of my server.

Message from syslogd@tecmint at Nov 23 13:57:53 ...
fail2ban.actions: WARNING [ssh-iptables] Ban 15.13.14.40
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp multiport dports 5901:5903,6001:6003
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP all -- 15.13.14.40 anywhere
RETURN     all  --  anywhere             anywhere

Watch Failed SSH login attempts

To see the current ssh failed login attempts, run the following command it will display a list of failed attempts attempted by hosts.

# cat /var/log/secure | grep 'Failed password' |  sort | uniq -c
1 Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2
1 Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:28 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:47 tecmint sshd[10719]: Failed password for root from 172.16.18.249 port 4774 ssh2

Remove IP Address from Fail2Ban

To remove the banned IP address from the fail2ban iptable rules. Run the following command.

# iptables -D fail2ban-ssh 1

For any additional information, please visit Fail2ban official page. If you are having any questions any comments about this article, please tell us via comments.

Ravi Saive

Owner at TecMint.com
Simple Word a Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux.

Linux Services & Free WordPress Setup

Our post is simply ‘DIY’ aka ‘Do It Yourself, still you may find difficulties and want us to help you out. We offer wide range of Linux and Web Hosting Solutions at fair minimum rates. Please submit your orders by Clicking Here.

One Response

  1. Vincent says:

    by default all output is going to the screen in CentOS 6.3 .
    Very annoying.
    Is there anyway to change that?
    The setting says syslog, but i cannot work normally because of the output to screen.
    Thanks for the usefull guide!

    I would be interested in permanent blocking options.

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.