Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12

by | Published: November 26, 2012 | Last Updated: November 23, 2012

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.95/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Ravi Saive

I am Ravi Saive, creator of TecMint. A Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux. Follow Me: Twitter, Facebook and Google+

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

8 Responses

  1. Jerry Chan says:
    March 28, 2016 at 3:50 pm

    I just installed Fail2ban, but I type these commands on command line, no message shows to me, and # iptables -L no infomation related to Fail2ban
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Am I missing something?

    Reply
    • Ravi Saive says:
      March 28, 2016 at 4:56 pm

      @Jerry,

      On which Linux distribution you’ve installed Fail2ban? did you see failed login attempts in /var/log/secure file with the help of following command.

      # cat /var/log/secure | grep 'Failed password' |  sort | uniq -c

      If you see failed login attempts, then it means your Fail2ban working properly..

      Reply
  2. Shahid says:
    July 14, 2015 at 11:27 am

    I just want to allow following ports and deny all:
    22
    80
    443
    5060

    How can I do that?

    Reply
    • Ravi Saive says:
      July 14, 2015 at 11:44 am

      @Shahid,
      In fail2ban jail.conf file, there is already a default configuration for SSH, use this example to open ports as per your requirements or you can use iptables firewall to open these ports as:

      # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT
      Reply
  3. Bien Quang Cao says:
    December 21, 2014 at 11:40 am

    hi, after run yum: yum install fail2ban. I get message:
    No package fail2ban available.

    How can i continue?

    thanks

    Reply
  4. Cody says:
    September 19, 2014 at 7:13 pm

    (Not sure if my post went through first time – noscript and didn’t see anything about moderation. So if it did go through I apologise; please remove it if so).

    fail2ban is NOT an intrusion prevention system. It monitors log files so technically a breach could have already occurred. Unlikely you suggest? Well, unlikely does not mean impossible. Fact of life. It could be argued that it helps prevent brute force but only if configured properly and only if you are lucky enough.

    But I’ll argue this instead: there is no such thing as an intrusion prevention system. There will always be someone who can better you. Always. You can only make it as secure as possible for your skill level but do not ever rely on software or ANYTHING by itself (key words) or else you’re bound to be disappointed, very disappointed indeed.

    Secondly, as for the command:
    cat /var/log/secure | grep ‘Failed password’ | sort | uniq -c

    Welcome to the useless use of cat award. I would also wonder why sort and uniq (at least as is, and see end of post too). Sure, the sort makes it adjacent for uniq to work, and sure the count is all fine, (but see below) but here’s the thing: even if a failed password attempt happened at the same second (so same yyyy/mm/dd hh:mm:ss) the problem is that each connection has its on PID. So for instance, the part where you see:

    sshd[19079]

    the number between the brackets is the PID of the spawned session. (Also, observe the port portion; that is because of the way networking works and therefore it is going to vary so another thing to keep in mind). Also, in this case, there is no hypothetical situation where the PID is going to be the same as it is the same second. So while yes, it will show you the count, it will be the total even for the same IP (and the total will need to be calculated by you by addition). Now maybe you want that but I’m just informing you in case.

    Tips:

    cat file | grep ‘whatever’ should just be grep ‘whatever’ file because grep (like most Unix – and its derivatives – utilities, they read files because everything in Unix is a file, even the console input, output and error (stdin, stdout, stderr)!). So that part should be:

    grep ‘Failed password’ /var/log/secure

    Also: many utilities will read from ‘-‘. (without the ‘s). I suggest you look at the man pages or even –help output of utilities. Examples include cat and grep.

    If you wanted to just see how many failed passwords (total), just do:

    grep -c ‘Failed password’ /var/log/secure
    (notwithstanding log rotation).

    Contrast the grep -c to grep | wc -l (which is a useless use of wc)

    Please don’t take this to be offensive, I’m just pointing out the mistakes to help others (and alert them to the fallacy of fail2ban preventing intrusion and more than that that there is such a thing) as well as hoping you can learn too. If you’re curious what I mean about useless use, look up the useless use of cat award (via a search engine). Also, one more tip (sort of, sorry for the pun): you can with more advanced command lines strip the pid, the port, and in general only show certain sections. So you could for instance make it so the only part of the line that is visible is the IP then sort and count. Example:

    grep ‘Failed password’ /var/log/secure |cut -d’ ‘ -f12|sort |uniq -c

    … and that could be improved upon …
    but would show you lines in the form of:
    count IP

    Oh, in case html shows it wrong, the – is the option prefix (minus sign) to the commands. So it may appear wrong. Same goes for the ‘ which is the apostrophe (could also in this case be fine with “s).
    Cheers.

    Reply
  5. Vincent says:
    February 2, 2013 at 3:03 pm

    by default all output is going to the screen in CentOS 6.3 .
    Very annoying.
    Is there anyway to change that?
    The setting says syslog, but i cannot work normally because of the output to screen.
    Thanks for the usefull guide!

    I would be interested in permanent blocking options.

    Reply

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

I TecMint :
BEGINNER'S GUIDE FOR LINUX Start learning Linux in minutes
Vi/Vim Editor BEGINNER'S GUIDE Learn vi/vim as a Full Text Editor
Linux Foundation Certification Exam Study Guide to LFCS and LFCE
RedHat RHCSA and RHCE Certification Exam Study Ebook

Linux System Administrator Bundle with 7-Courses (96% off)

Add to Cart - $69

Ending In: 3 days

Computer Hacker Professional Certification Course (96% Off)

Add to Cart - $59

Ending In: 4 days

Linux eBooks

  1. Introducing Learn Linux In One Week and Go from Zero to Hero
  2. RedHat RHCE/RHCSA Certification Preparation Guide
  3. Linux Foundations LFCS/LFCE Certification Guide
  4. Postfix Mail Server Setup Guide for Linux
  5. Ansible Setup Guide for Linux
  6. Django Setup Guide for Linux
  7. Awk Getting Started Guide for Beginners
  8. Citrix XenServer Setup Guide for Linux

Never Miss Any Linux Tutorials, Guides, Tips and Free eBooks

Join Our Community Of 150,000+ Linux Lovers and get a weekly newsletter in your inbox

YES! SIGN ME UP