Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12
Fail2ban is an open source free intrusion prevention framework developed in python programming language. Fail2ban operates by monitoring log files such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure etc. and bans the IP address after too many password failure attempts. It used to update iptable firewall rules to reject the IP address for a specified amount of time.
This article shows you how to install and configure Fail2ban under RHEL 6.3/6.2/6.1/6.0/5.8 CentOS 6.3/6.2/6.1/6.0/5.8 and Fedora 17,16,15,14,13,12 systems. Fail2ban runs as a daemon that uses python scripts to parse log files for system intrusion attempts and adds a custom rules to iptables configuration file to ban the access to certain ip addresses.
Before heading up for installation and configuration of Fail2Ban, I would like to tell you that most of the attackers trying to gain root access via SSH. So, I recommend you to pay close attention to things such as disable ssh root logins and use pair of ssh keys for authentication etc.
Installing Fail2Ban in RHEL, CentOS and Fedora
By default Fail2Ban is not available under Linux systems, so you will need to add and enable third party RPMForge repository or EPEL repository in your Linux box. Once you’ve added repository, install it using following YUM command.
# yum install fail2ban
Configuring Default section for Fail2Ban
The master Fail2Ban configuration file is located under /etc/fail2ban/jail.conf. So, open it using VI editor or any editor that you feel comfortable.
# vi /etc/fail2ban/jail.conf
Now, you will see default section with some basic rules that are followed by fail2ban itself. If you want to add some extra layer of protection to your server, then you can customize the each rule section as per your needs.
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3
Let me describe each rule section with their description and what purpose we use these rules.
- ignoreip : IgnoreIP section allows you to white list certain IP addresses from blocking. Here, you can specify list of IP addresses with space separated and make sure you include your address.
- bantime : The number of seconds that a host would be banned from the server. The default is set for 600 (600 seconds = 10 minutes), you may increase this to an hour or higher if you like.
- findtime : The amount of time that a host has to log in. The default is set to 10 minutes, it means that if a host attempts, and fails, to log in more than the maxretry number of times, they will be banned.
- maxretry : The number of failed login attempts before a host is blocked for the length of the ban time.
Configuring ssh-iptables section for Fail2Ban
The following section is the default ssh-iptables section and it is turned on by default. So, you don’t need to make any changes to this section,
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, email@example.com] logpath = /var/log/secure maxretry = 5
You can find the details of each rule described below.
- enabled : This section refers that SSH protection is on. You can turn it off by changing the word “true” to “false“.
- filter : This section by default set to sshd and refers the config file (/etc/fail2ban/filter.d/sshd.conf) containing the rules that fail2ban uses to find matches.
- action : This action tells the fail2ban to ban a matching IP address once a filter matches in the /etc/fail2ban/action.d/iptables.conf file. If your server have mail setup, you can add email address, where fail2ban sends you a email alerts whenever it bans an IP address. The sender section refers to file /etc/fail2ban/action.d/sendmail-whois.conf file.
- logpath : The log path is the location of logs where fail2ban will track.
- maxretry : The max retry section is the same definition as the default option that we discussed above.
Restarting Fail2Ban Service
Once you’ve made the changes to the fail2ban config file, then always make sure to restart Fail2Ban service.
# chkconfig --level 23 fail2ban on # service fail2ban start Starting fail2ban: [ OK ]
Verifying Fail2Ban iptables rules
Check the rules that fail2ban added in effect within the IP table section.
# iptables -L
I have made some failed login attempts from one of our server to the server where fail2ban installed and it works. You see the banned IP address of my server.
Message from syslogd@tecmint at Nov 23 13:57:53 ... fail2ban.actions: WARNING [ssh-iptables] Ban 220.127.116.11 iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp multiport dports 5901:5903,6001:6003 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-SSH (1 references) target prot opt source destination DROP all -- 18.104.22.168 anywhere RETURN all -- anywhere anywhere
Watch Failed SSH login attempts
To see the current ssh failed login attempts, run the following command it will display a list of failed attempts attempted by hosts.
# cat /var/log/secure | grep 'Failed password' | sort | uniq -c
1 Nov 19 16:53:37 tecmint sshd: Failed password for root from 172.16.25.125 port 1302 ssh2 1 Nov 23 13:57:43 tecmint sshd: Failed password for root from 22.214.171.124 port 57599 ssh2 1 Nov 23 13:57:46 tecmint sshd: Failed password for root from 126.96.36.199 port 57599 ssh2 1 Nov 23 13:57:50 tecmint sshd: Failed password for root from 188.8.131.52 port 57599 ssh2 1 Oct 18 14:11:58 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:03 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:11 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:16 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:22 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:28 tecmint sshd: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:47 tecmint sshd: Failed password for root from 172.16.18.249 port 4774 ssh2
Remove IP Address from Fail2Ban
To remove the banned IP address from the fail2ban iptable rules. Run the following command.
# iptables -D fail2ban-ssh 1
For any additional information, please visit Fail2ban official page. If you are having any questions any comments about this article, please tell us via comments.