How to setup Fail2ban on CentOS 7

What is fail2ban?

fail2ban is a popular security framework that blocks malicious IP addresses by scanning log files for repeated failures. It is written in Python.

Installation

To install Fail2ban on CentOS 7, follow the steps below.

sudo yum update -y
sudo yum install epel-release
sudo yum update -y
sudo yum install -y fail2ban-firewalld

CentOS 7 introduced firewalld as the front end for managing iptables. The fail2ban-firewalld package also pulls in firewalld if it is not already installed. Let's enable and start it with the commands below.

sudo systemctl enable firewalld
sudo systemctl start firewalld

Configuration

In /etc/fail2ban you will find a number of config files. As per standard practice, they should not be edited directly (a package update can overwrite them). Instead, create .local files, which override the settings in the corresponding .conf files. Let's create the local files first.

sudo touch /etc/fail2ban/fail2ban.local
sudo touch /etc/fail2ban/jail.local

A local file doesn't have to include everything in the corresponding config file, only those settings that you wish to override.

Open /etc/fail2ban/fail2ban.conf in your favourite editor, such as vim or nano. Here you can see common options like the log level, log location, pid file location etc. To change a value, define the option again under the same section header in /etc/fail2ban/fail2ban.local. Most of the time you don't need to change them.

[Definition]
# change loglevel - CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
loglevel = INFO

# change log file location if required
logtarget = /var/log/fail2ban.log

# change pidfile location if required
pidfile = /var/run/fail2ban/fail2ban.pid

Now open the /etc/fail2ban/jail.conf file. The jail configurations are stored here. The DEFAULT section comes first; after it, jails for individual applications are added. Default values for all jails are set in the DEFAULT section, so we only need to override the required options in individual jails. All jails are disabled by default; we will enable them in jail.local. Let's open /etc/fail2ban/jail.local and add the content below.

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime = 15m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime  = 15m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 6

How to enable common Jails

After overriding the DEFAULT section, let's enable jails for common applications. Add the content below to /etc/fail2ban/jail.local to enable them.

SSH Jail

# jail name matches the [sshd] jail predefined in jail.conf
[sshd]
enabled = true
port = ssh
filter = sshd
# CentOS 7 writes sshd auth messages to /var/log/secure (/var/log/auth.log is the Debian/Ubuntu path)
logpath = /var/log/secure
maxretry = 4

Apache Jail (make sure httpd is installed)

# jail for apache auth
[apache-auth]
enabled = true

[apache-overflows]
enabled = true

[apache-badbots]
enabled = true

Nginx Jail (make sure nginx is installed)

[nginx-http-auth]
enabled  = true

[nginx-botsearch]
enabled = true

Now save the file and start fail2ban using the commands in the next section.

Management

Once the configuration is done, you can manage the fail2ban service using the commands below.

# start service
sudo systemctl start fail2ban.service

# see current status of service - is it running or not
sudo systemctl status fail2ban.service

# stop fail2ban service
sudo systemctl stop fail2ban.service

# restart fail2ban
sudo systemctl restart fail2ban.service

# enable service to start on reboot
sudo systemctl enable fail2ban.service

How to see which jails are enabled

To see which jails are enabled, use the command below.

fail2ban-client status

How to ignore own IPs

To stop fail2ban from blocking our own IPs, we can add them to the DEFAULT section as below.

ignoreip = 127.0.0.1/8 ::1 192.168.0.1/32
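To make the DEFAULT settings above (bantime, findtime, maxretry) and ignoreip concrete, here is an added example, not part of the original post or of fail2ban itself, that replays fail2ban's ban decision over a constructed sample of /var/log/secure lines. The failregex is a simplified stand-in for the real sshd filter, and findtime/bantime are taken in seconds.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not captured from a real host).
SAMPLE_LOG = """\
Mar 13 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 5222 ssh2
Mar 13 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 5223 ssh2
Mar 13 10:00:04 host sshd[1003]: Failed password for root from 192.168.0.1 port 5300 ssh2
Mar 13 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 5224 ssh2
Mar 13 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.5 port 5225 ssh2
Mar 13 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 5400 ssh2
Mar 13 10:40:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 5401 ssh2
Mar 13 10:50:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 5402 ssh2
Mar 13 10:55:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 5403 ssh2
Mar 13 10:56:00 host sshd[1010]: Accepted password for alice from 198.51.100.7 port 5404 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (the real filter matches more patterns).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+"
)

def parse_ts(stamp, year=2024):
    """syslog stamps carry no year; assume one (constructed value)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def is_ignored(ip, ignoreip):
    """ignoreip semantics: the address lies inside one of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def scan(log, findtime, maxretry, bantime, ignoreip=()):
    """Return {ip: ban_expiry}; ban once maxretry failures fall inside findtime seconds."""
    recent, bans = defaultdict(list), {}  # ip -> failure times inside findtime; ip -> expiry
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # "Accepted password" and unrelated lines never count
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        # drop failures older than findtime before counting this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans
```

Running scan(SAMPLE_LOG, 900, 4, 900, ignoreip=["127.0.0.1/8", "::1", "192.168.0.1/32"]) with the page's values bans only 203.0.113.5 (four failures in eight seconds); 198.51.100.7 escapes because its failures are spread over more than 15 minutes, and 192.168.0.1 is skipped by ignoreip.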

How to unblock IP

Many times we end up blocking our own IPs by mistake, e.g. a colleague forgets the SSH password and tries to log in many times with the wrong one, triggering a ban of his own IP. You can check whether an IP is really blocked by viewing the iptables rules with the command below.

iptables -L

Another way to see such IPs is with fail2ban-client. Run the command below to see the IPs blocked by a specific jail.

fail2ban-client status <jailname>
e.g.
fail2ban-client status sshd

In such cases, you can easily unblock the IP using the command below.

fail2ban-client set <jailname> unbanip <ip-address>
e.g.
fail2ban-client set sshd unbanip 192.168.0.1

How to block IP manually

To block an IP manually, use the command below.

fail2ban-client set <jailname> banip <ip-address>
e.g.
fail2ban-client set sshd banip 192.168.0.1
