Wednesday, 24 January 2018

How to install Fail2ban in RHEL 6 & 7

What is fail2ban?

Fail2ban works by scanning and monitoring log files for selected patterns and then bans the IPs that show malicious signs, such as too many password failures, probing for exploits, etc.


1. Install Fail2Ban



For RHEL 6


rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm


For RHEL 7


rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

yum install fail2ban



2. Copy the Configuration File



The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. Configuration changes should not be made in that file, since it can be overwritten by package upgrades; instead, copy it so that we can make our changes safely.


We need to copy this to a file called jail.local for fail2ban to find it:



cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local




3. Configure defaults in jail.local



The first section, [DEFAULT], sets the basic rules that fail2ban applies to every enabled service unless the service's own section overrides them. If you want to set up more nuanced protection for your server, you can customize the details in each section.


You can see the default section below.


[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3


4. Add a jail file to protect SSH


Although you can add these parameters to the global jail.local file, it is good practice to create a separate jail file for each of the services we want to protect with Fail2Ban.


So let's create a new jail for SSH with the vi editor.



vi /etc/fail2ban/jail.d/sshd.local


In the above file, add the following lines:


[sshd]
enabled = true
port = ssh
action = iptables-multiport
logpath = /var/log/secure
maxretry = 3
bantime = 3600
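To see what the [DEFAULT] values (ignoreip, findtime, maxretry, bantime) and the [sshd] jail above actually decide, here is an added example that replays a constructed /var/log/secure excerpt through the same rules. It is not fail2ban's own code: the regex is a simplified stand-in for fail2ban's sshd filter, the log lines are made up, and the 10.0.0.0/8 ignoreip entry is an assumed admin network added to the page's 127.0.0.1.

```python
"""Added example: simulate the findtime/maxretry/bantime rules of the [sshd] jail.
Not fail2ban's code; regex and log lines are simplified, constructed stand-ins."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Values mirroring the jail.local and sshd.local above.  The 10.0.0.0/8 entry is a
# constructed addition standing in for an admin network that must never be banned.
JAIL = {
    "ignoreip": "127.0.0.1 10.0.0.0/8",
    "bantime": 3600,    # seconds a host stays banned
    "findtime": 600,    # window in which failures are counted
    "maxretry": 3,      # failures inside the window that trigger a ban
}

# Simplified version of the sshd failure pattern (the real filter has many more).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed /var/log/secure excerpt, in chronological order.
SAMPLE_LOG = [
    "Jan 24 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 24 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Jan 24 10:00:09 host sshd[1236]: Accepted publickey for deploy from 10.1.2.3 port 40000 ssh2",
    "Jan 24 10:00:12 host sshd[1237]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "Jan 24 10:00:30 host sshd[1238]: Failed password for root from 203.0.113.5 port 51260 ssh2",
    "Jan 24 10:01:00 host sshd[1239]: Failed password for deploy from 10.1.2.3 port 40001 ssh2",
    "Jan 24 10:01:02 host sshd[1240]: Failed password for deploy from 10.1.2.3 port 40002 ssh2",
    "Jan 24 10:01:04 host sshd[1241]: Failed password for deploy from 10.1.2.3 port 40003 ssh2",
    "Jan 24 10:05:00 host sshd[1242]: Failed password for root from 198.51.100.7 port 60001 ssh2",
    "Jan 24 10:20:00 host sshd[1243]: Failed password for root from 198.51.100.7 port 60002 ssh2",
    "Jan 24 10:35:00 host sshd[1244]: Failed password for root from 198.51.100.7 port 60003 ssh2",
]


def parse_ignoreip(value):
    """Turn the space-separated ignoreip string into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_ignored(ip, networks):
    """True if the address falls inside any ignoreip entry (plain IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_ts(ts, year=2018):
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def simulate(lines, jail):
    """Replay log lines through the findtime/maxretry/bantime rules.

    Returns (events, banned_until): events is a list of ("ignored"|"ban", ip) in
    log order; banned_until maps ip -> epoch seconds when its ban expires.
    """
    networks = parse_ignoreip(jail["ignoreip"])
    failures = defaultdict(deque)      # ip -> timestamps of failures inside findtime
    banned_until = {}
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:                      # successful logins etc. are not failures
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip, networks):
            events.append(("ignored", ip))
            continue
        if t < banned_until.get(ip, 0):
            continue                   # still banned: iptables drops the packet
        window = failures[ip]
        window.append(t)
        while window and window[0] < t - jail["findtime"]:
            window.popleft()           # failures older than findtime no longer count
        if len(window) >= jail["maxretry"]:
            banned_until[ip] = t + jail["bantime"]
            window.clear()             # fail2ban resets the counter once it bans
            events.append(("ban", ip))
    return events, banned_until


if __name__ == "__main__":
    for kind, ip in simulate(SAMPLE_LOG, JAIL)[0]:
        print(f"{kind:8} {ip}")
```

Running it shows the three things the settings control: 203.0.113.5 is banned on its third failure inside 600 seconds and its later attempt is dropped; 10.1.2.3 fails three times but is inside ignoreip, which is why you should list your own management address there before restarting fail2ban; and 198.51.100.7 spacing its attempts 15 minutes apart never reaches maxretry within findtime, so a slow guesser needs a longer findtime or a lower maxretry to be caught.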


5. Restart Fail2Ban



service fail2ban restart


iptables -L



Check Fail2Ban Status


Use the fail2ban-client command to query the overall status of the Fail2Ban jails.


fail2ban-client status



You can also query a specific jail status using the following command:

fail2ban-client status sshd
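The per-jail status output is plain text, so turning it into something a monitoring check can act on takes a small parser. The following is an added example, not part of fail2ban or of this post; the sample output is constructed to the shape that fail2ban-client prints (it was not captured from a real host), and the alert threshold is an assumed value.

```python
"""Added example: parse `fail2ban-client status <jail>` output into a dict and
raise a simple alert on it.  Sample text is constructed; code is not fail2ban's."""
import re

# Constructed sample in the layout fail2ban-client prints (tab before each value).
SAMPLE_STATUS = """Status for the jail: sshd
|- Filter
|  |- Currently failed:\t1
|  |- Total failed:\t5
|  `- File list:\t/var/log/secure
`- Actions
   |- Currently banned:\t2
   |- Total banned:\t3
   `- Banned IP list:\t203.0.113.5 198.51.100.7
"""

# Strip the tree-drawing prefix, then split "Key: value".
LINE_RE = re.compile(r"^[\s|`-]*(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<val>.*)$")
LIST_KEYS = {"file_list", "banned_ip_list"}


def parse_status(text):
    """Return e.g. {'jail': 'sshd', 'currently_banned': 2, 'banned_ip_list': [...]}."""
    status = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "|- Filter" / "`- Actions" carry no value
            continue
        key = m.group("key").strip().lower().replace(" ", "_")
        val = m.group("val").strip()
        if key == "status_for_the_jail":
            status["jail"] = val
        elif key in LIST_KEYS:
            status[key] = val.split()  # empty list when nothing is banned
        elif val.isdigit():
            status[key] = int(val)
        else:
            status[key] = val
    return status


def ban_alert(status, threshold):
    """Return an alert string once currently banned hosts reach threshold, else None."""
    banned = status.get("currently_banned", 0)
    if banned >= threshold:
        ips = " ".join(status.get("banned_ip_list", []))
        return f"{status.get('jail')}: {banned} hosts banned ({ips})"
    return None


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    print(parsed)
    print(ban_alert(parsed, 2))        # assumed threshold of 2 banned hosts
```

On a real host you would feed it the output of subprocess.run(["fail2ban-client", "status", "sshd"]); a sudden jump in currently_banned is usually the first visible sign of a brute-force run, and total_failed growing without bans suggests the filter is not matching the log format.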


Manually Unban IP Banned by Fail2Ban


If for some reason you want to grant access to an IP that is banned, use the following command to manually unban an IP address banned by fail2ban:


fail2ban-client set JAIL unbanip IP



e.g. to unban IP 192.168.1.101, which was banned by the [sshd] jail created above:


fail2ban-client set sshd unbanip 192.168.1.101
