Fail2ban is a security application for Unix-based servers. The fail2ban service is commonly used to protect SSH and FTP from unauthorized connections. Here I explain the installation and basic configuration steps for the fail2ban service on CentOS 5.x/6.x and RHEL 5.x/6.x.
Simply put, fail2ban scans the log files, picks out failed and fraudulent login attempts, and blocks the offending IPs. Normally fail2ban does this by updating the iptables rules to reject the address. That is, the application finds the offending IP addresses in the server log files and rejects them for a set period of time using iptables. It is very helpful for protecting a server against brute-force attacks. With fail2ban we can protect different services on the server, such as SSH, FTP, Apache, Lighttpd, etc. Installing and configuring fail2ban is simple.
For more protection you can also install and configure a firewall application such as CSF or APF. Here is the link for that:
Fail2ban Installation Steps:
Step 1: Repository installation.
The fail2ban package is available in the EPEL RPM repository. Make sure that your server has this repo before installing fail2ban; if it is not there, install the repo first. The repo installation commands for CentOS and RHEL are pasted below:
CentOS/RHEL 6, 32 Bit (i386):
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
CentOS/RHEL 6, 64 Bit (x86_64):
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
CentOS/RHEL 5, 32 Bit (i386):
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
CentOS/RHEL 5, 64 Bit (x86_64):
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Step 2: Install the package using yum:
# yum install fail2ban
Done 🙂. That is all it takes to install the fail2ban package.
Basic setup for the fail2ban configuration:
The fail2ban application's configuration file is located under /etc. The relevant part of the conf file is pasted below.
The basic settings are listed under the [DEFAULT] heading of the fail2ban configuration file:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
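To make the findtime/maxretry/ignoreip semantics concrete, here is an added example (my own illustration, not code from the fail2ban project) that replays constructed /var/log/secure lines through a simplified sshd failregex and reports which addresses fail2ban would ban under the [DEFAULT] values above. It assumes plain string matching for ignoreip (real fail2ban also understands CIDR masks and DNS names).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in /var/log/secure (syslog) format, not from a real host.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:12 host sshd[2102]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:40 host sshd[2103]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:03:05 host sshd[2104]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:00 host sshd[2105]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  3 10:05:30 host sshd[2106]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  3 10:06:00 host sshd[2107]: Failed password for root from 127.0.0.1 port 40003 ssh2
Mar  3 10:10:00 host sshd[2108]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar  3 10:25:00 host sshd[2109]: Failed password for root from 198.51.100.9 port 40011 ssh2
Mar  3 10:40:00 host sshd[2110]: Failed password for root from 198.51.100.9 port 40012 ssh2
"""

# Simplified stand-in for the sshd filter's failregex; the real filter shipped by
# fail2ban carries several more patterns (and handles more auth failure messages).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def find_bans(log_text, findtime=600, maxretry=3, ignoreip=("127.0.0.1",)):
    """Return {ip: ban_time} for hosts with maxretry failures inside a findtime window;
    old failures drop out of the window and ignoreip addresses are never banned."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue              # not a failure line (e.g. "Accepted publickey")
        ip = m.group("ip")
        if ip in ignoreip or ip in bans:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog lines carry no year
        q = window[ip]
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failure too old to count towards maxretry
        q.append(ts)
        if len(q) >= maxretry:
            bans[ip] = ts         # this is where fail2ban would run the iptables ban action
            q.clear()
    return bans
```

With the defaults, 203.0.113.7 is banned at its third failure, 127.0.0.1 is protected by ignoreip, and 198.51.100.9 is never banned because its failures are 15 minutes apart and fall outside the 600-second window.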
The fail2ban conf file contains many more rule sections, such as ssh-iptables, proftpd-iptables, sasl-iptables, apache-tcpwrapper, etc.
How to protect SSH/SFTP using fail2ban?
Below the basic settings in the conf file you will find the SSH section, [ssh-iptables]. Update the section as shown and restart the fail2ban service.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, [email protected]]
logpath  = /var/log/secure
maxretry = 5
# service fail2ban restart
Protect your FTP server by using fail2ban: the [proftpd-iptables] section is disabled by default, so set enabled = true as shown and restart the fail2ban service.
[proftpd-iptables]
enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, [email protected]]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
# service fail2ban restart