What is fail2ban?
Fail2ban works by scanning and monitoring log files for selected entries then bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc.
1. Install Fail2Ban
For RHEL 6
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
For RHEL 7
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install fail2ban
2. Copy the Configuration File
The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, since it can be modified by package upgrades, but rather copy it so that we can make our changes safely.
We need to copy this to a file called jail.local for fail2ban to find it:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3. Configure defaults in Jail.Local
The first section of defaults covers the basic rules that fail2ban will follow to all services enabled for fail2ban that are not overridden in the service's own section.. If you want to set up more nuanced protection for your server, you can customize the details in each section.
You can see the default section below.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
4. Add a jail file to protect SSH
Although you can add this parameters in the global jail.local file, it is a good practice to create seperate jail files for each of the services we want to protect with Fail2Ban.
So lets create a new jail for SSH with the vi editor.
vi /etc/fail2ban/jail.d/sshd.local
In the above file, add the following lines of code:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 3
bantime = 3600
5. Restart Fail2Ban
service fail2ban restart
iptables -L
Check Fail2Ban Status
Use fail2ban-client command to query the overall status of the Fail2Ban jails.
fail2ban-client status
You can also query a specific jail status using the following command:
fail2ban-client status sshd
Manually Unban IP Banned by Fail2Ban
If for some reason you want to grant access to an IP that it is banned, use the following expression to manually unban an IP address, banned by fail2ban:
fail2ban-client set JAIL unbanip IP
eg. Unban IP 192.168.1.101, that was banned according to [ssh-iptables] jail:
fail2ban-client set sshd unbanip 192.168.1.101
Fail2ban works by scanning and monitoring log files for selected entries then bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc.
1. Install Fail2Ban
For RHEL 6
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
For RHEL 7
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install fail2ban
2. Copy the Configuration File
The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, since it can be modified by package upgrades, but rather copy it so that we can make our changes safely.
We need to copy this to a file called jail.local for fail2ban to find it:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3. Configure defaults in Jail.Local
The first section of defaults covers the basic rules that fail2ban will follow to all services enabled for fail2ban that are not overridden in the service's own section.. If you want to set up more nuanced protection for your server, you can customize the details in each section.
You can see the default section below.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
4. Add a jail file to protect SSH
Although you can add this parameters in the global jail.local file, it is a good practice to create seperate jail files for each of the services we want to protect with Fail2Ban.
So lets create a new jail for SSH with the vi editor.
vi /etc/fail2ban/jail.d/sshd.local
In the above file, add the following lines of code:
[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 3
bantime = 3600
5. Restart Fail2Ban
service fail2ban restart
iptables -L
Check Fail2Ban Status
Use fail2ban-client command to query the overall status of the Fail2Ban jails.
fail2ban-client status
You can also query a specific jail status using the following command:
fail2ban-client status sshd
Manually Unban IP Banned by Fail2Ban
If for some reason you want to grant access to an IP that it is banned, use the following expression to manually unban an IP address, banned by fail2ban:
fail2ban-client set JAIL unbanip IP
eg. Unban IP 192.168.1.101, that was banned according to [ssh-iptables] jail:
fail2ban-client set sshd unbanip 192.168.1.101
