Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12
Fail2ban is an open source free intrusion prevention framework developed in python programming language. Fail2ban operates by monitoring log files such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure etc. and bans the IP address after too many password failure attempts. It used to update iptable firewall rules to reject the IP address for a specified amount of time.
This article shows you how to install and configure Fail2ban under RHEL 6.3/6.2/6.1/6.0/5.8 CentOS 6.3/6.2/6.1/6.0/5.8 and Fedora 17,16,15,14,13,12 systems. Fail2ban runs as a daemon that uses python scripts to parse log files for system intrusion attempts and adds a custom rules to iptables configuration file to ban the access to certain ip addresses.
Install Fail2ban in RedHat / CentOS / Fedora
Before heading up for installation and configuration of Fail2Ban, I would like to tell you that most of the attackers trying to gain root access via SSH. So, I recommend you to pay close attention to things such as disable ssh root logins and use pair of ssh keys for authentication etc.
Installing Fail2Ban in RHEL, CentOS and Fedora
By default Fail2Ban is not available under Linux systems, so you will need to add and enable third party RPMForge repository or EPEL repository in your Linux box. Once you’ve added repository, install it using following YUM command.
# yum install fail2ban
Configuring Default section for Fail2Ban
The master Fail2Ban configuration file is located under /etc/fail2ban/jail.conf. So, open it using VI editor or any editor that you feel comfortable.
# vi /etc/fail2ban/jail.conf
Now, you will see default section with some basic rules that are followed by fail2ban itself. If you want to add some extra layer of protection to your server, then you can customize the each rule section as per your needs.
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3
Let me describe each rule section with their description and what purpose we use these rules.
- ignoreip : IgnoreIP section allows you to white list certain IP addressess from blocking. Here, you can specify list of IP addresses with space separated and make sure you include your address.
- bantime : The number of seconds that a host would be banned from the server. The default is set for 600 (600 seconds = 10 minutes), you may increase this to an hour or higher if you like.
- findtime : The amount of time that a host has to log in. The default is set to 10 minutes, it means that if a host attempts, and fails, to log in more than the maxretry number of times, they will be banned.
- maxretry : The number of failed login attempts before a host is blocked for the length of the ban time.
Configuring ssh-iptables section for Fail2Ban
The following section is the default ssh-iptables section and it is turned on by default. So, you don’t need to make any changes to this section,
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, [email protected]] logpath = /var/log/secure maxretry = 5
You can find the details of each rule described below.
- enabled : This section refers that SSH protection is on. You can turn it off by changing the word “true” to “false“.
- filter : This section by default set to sshd and refers the config file (/etc/fail2ban/filter.d/sshd.conf) containing the rules that fail2ban uses to find matches.
- action : This action tells the fail2ban to ban a matching IP address once a filter matches in the /etc/fail2ban/action.d/iptables.conf file. If your server have mail setup, you can add email address, where fail2ban sends you a email alerts whenever it bans an IP address. The sender section refers to file /etc/fail2ban/action.d/sendmail-whois.conf file.
- logpath : The log path is the location of logs where fail2ban will track.
- maxretry : The max retry section is the same definition as the default option that we discussed above.
Restarting Fail2Ban Service
Once you’ve made the changes to the fail2ban config file, then always make sure to restart Fail2Ban service.
# chkconfig --level 23 fail2ban on # service fail2ban start Starting fail2ban: [ OK ]
Verifying Fail2Ban iptables rules
Check the rules that fail2ban added in effect within the IP table section.
# iptables -L
I have made some failed login attempts from one of our server to the server where fail2babn installed and it works. You see the banned IP address of my server.
Message from [email protected] at Nov 23 13:57:53 ... fail2ban.actions: WARNING [ssh-iptables] Ban 15.13.14.40 iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp multiport dports 5901:5903,6001:6003 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-SSH (1 references) target prot opt source destination DROP all -- 15.13.14.40 anywhere RETURN all -- anywhere anywhere
Watch Failed SSH login attempts
To see the current ssh failed login attempts, run the following command it will display a list of failed attempts attempted by hosts.
# cat /var/log/secure | grep 'Failed password' | sort | uniq -c
1 Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2 1 Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2 1 Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2 1 Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2 1 Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:28 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2 1 Oct 18 14:12:47 tecmint sshd[10719]: Failed password for root from 172.16.18.249 port 4774 ssh2
Remove IP Address from Fail2Ban
To remove the banned IP address from the fail2ban iptables rules. Run the following command.
# iptables -D fail2ban-ssh 1
For any additional information, please visit Fail2ban offical page. If you are having any questions any comments about this article, please tell us via comments.
I just installed Fail2ban, but I type these commands on command line, no message shows to me, and # iptables -L no infomation related to Fail2ban
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Am I missing something?
@Jerry,
On which Linux distribution you’ve installed Fail2ban? did you see failed login attempts in /var/log/secure file with the help of following command.
If you see failed login attempts, then it means your Fail2ban working properly..
I just want to allow following ports and deny all:
22
80
443
5060
How can I do that?
@Shahid,
In fail2ban jail.conf file, there is already a default configuration for SSH, use this example to open ports as per your requirements or you can use iptables firewall to open these ports as:
hi, after run yum: yum install fail2ban. I get message:
No package fail2ban available.
How can i continue?
thanks
@Bien,
Which OS distro you using?
You have to enable EPEL repo
https://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/
(Not sure if my post went through first time – noscript and didn’t see anything about moderation. So if it did go through I apologise; please remove it if so).
fail2ban is NOT an intrusion prevention system. It monitors log files so technically a breach could have already occurred. Unlikely you suggest? Well, unlikely does not mean impossible. Fact of life. It could be argued that it helps prevent brute force but only if configured properly and only if you are lucky enough.
But I’ll argue this instead: there is no such thing as an intrusion prevention system. There will always be someone who can better you. Always. You can only make it as secure as possible for your skill level but do not ever rely on software or ANYTHING by itself (key words) or else you’re bound to be disappointed, very disappointed indeed.
Secondly, as for the command:
cat /var/log/secure | grep ‘Failed password’ | sort | uniq -c
Welcome to the useless use of cat award. I would also wonder why sort and uniq (at least as is, and see end of post too). Sure, the sort makes it adjacent for uniq to work, and sure the count is all fine, (but see below) but here’s the thing: even if a failed password attempt happened at the same second (so same yyyy/mm/dd hh:mm:ss) the problem is that each connection has its on PID. So for instance, the part where you see:
sshd[19079]
the number between the brackets is the PID of the spawned session. (Also, observe the port portion; that is because of the way networking works and therefore it is going to vary so another thing to keep in mind). Also, in this case, there is no hypothetical situation where the PID is going to be the same as it is the same second. So while yes, it will show you the count, it will be the total even for the same IP (and the total will need to be calculated by you by addition). Now maybe you want that but I’m just informing you in case.
Tips:
cat file | grep ‘whatever’ should just be grep ‘whatever’ file because grep (like most Unix – and its derivatives – utilities, they read files because everything in Unix is a file, even the console input, output and error (stdin, stdout, stderr)!). So that part should be:
grep ‘Failed password’ /var/log/secure
Also: many utilities will read from ‘-‘. (without the ‘s). I suggest you look at the man pages or even –help output of utilities. Examples include cat and grep.
If you wanted to just see how many failed passwords (total), just do:
grep -c ‘Failed password’ /var/log/secure
(notwithstanding log rotation).
Contrast the grep -c to grep | wc -l (which is a useless use of wc)
Please don’t take this to be offensive, I’m just pointing out the mistakes to help others (and alert them to the fallacy of fail2ban preventing intrusion and more than that that there is such a thing) as well as hoping you can learn too. If you’re curious what I mean about useless use, look up the useless use of cat award (via a search engine). Also, one more tip (sort of, sorry for the pun): you can with more advanced command lines strip the pid, the port, and in general only show certain sections. So you could for instance make it so the only part of the line that is visible is the IP then sort and count. Example:
grep ‘Failed password’ /var/log/secure |cut -d’ ‘ -f12|sort |uniq -c
… and that could be improved upon …
but would show you lines in the form of:
count IP
Oh, in case html shows it wrong, the – is the option prefix (minus sign) to the commands. So it may appear wrong. Same goes for the ‘ which is the apostrophe (could also in this case be fine with “s).
Cheers.
by default all output is going to the screen in CentOS 6.3 .
Very annoying.
Is there anyway to change that?
The setting says syslog, but i cannot work normally because of the output to screen.
Thanks for the usefull guide!
I would be interested in permanent blocking options.