What is Fail2Ban
- Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks.
- Fail2Ban is a daemon that runs on your server and dynamically blocks clients that repeatedly fail to authenticate correctly with your services.
- Written in the Python programming language.
- Fail2Ban is a free and open source framework.
How it works
- Fail2Ban scans log files (e.g. /var/log/apache/error_log, /var/log/auth.log, /var/log/apache/access.log) and bans IPs that show malicious signs such as too many password failures, probing for exploits, etc.
- Fail2Ban is generally then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured.
- Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).
Fail2Ban reduces the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents.
Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.
The EPEL repository needs to be added first
For 32-bit CentOS 6:
rpm -Uvh http://mirror.pnl.gov/epel//6/i386/epel-release-6-8.noarch.rpm
For 64-bit CentOS 6 (either mirror):
rpm -Uvh http://mirror.us.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
Set Fail2Ban to start automatically on boot
chkconfig --add fail2ban
chkconfig fail2ban on
Configuration of Fail2Ban
Copy jail.conf to jail.local and edit the copy; settings in jail.local override jail.conf and are not overwritten when the package is upgraded.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
Now change this file as required:
- ignoreip: write your own IP address into this line; separate multiple addresses with a space. ignoreip lets you whitelist certain IP addresses and make sure they are never locked out of your VPS.
- bantime: the number of seconds that a host is blocked from the server once it is found to be in violation of any of the rules. This is especially useful against bots, which once banned will simply move on to the next target. The default is set for 10 minutes.
- maxretry: the number of incorrect login attempts a host may make before it is banned for the length of the ban time.
- findtime: the amount of time a host has to log in. The default setting is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times in the designated 10 minutes, it will be banned.
service fail2ban restart
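To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is an added Python example (written for this page, not Fail2Ban's own code) that replays a constructed /var/log/auth.log sample through a simplified sshd failure regex and applies the same sliding-window rule the jail settings describe. The regex, the sample log lines and the fail2ban-sshd chain name in the rendered iptables command are assumptions for illustration; real Fail2Ban uses its filter's failregex with a <HOST> placeholder.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in /var/log/auth.log (syslog) format; not real log data.
# 203.0.113.5 fails 3 times in 6 s, 127.0.0.1 is in ignoreip, and 192.0.2.9 spreads
# its 3 failures 15 minutes apart, i.e. outside a 600 s findtime window.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  1 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2
Mar  1 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar  1 10:00:09 host sshd[1005]: Failed password for root from 127.0.0.1 port 50005 ssh2
Mar  1 10:00:10 host sshd[1006]: Failed password for root from 127.0.0.1 port 50006 ssh2
Mar  1 10:00:11 host sshd[1007]: Failed password for root from 127.0.0.1 port 50007 ssh2
Mar  1 10:30:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 50008 ssh2
Mar  1 10:45:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 50009 ssh2
Mar  1 11:00:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 50010 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (assumption for this example;
# Fail2Ban's real filter writes <HOST> where this pattern captures "ip").
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Yield (timestamp, ip) for every line the failure regex matches."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults it, which is fine for deltas
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def is_ignored(ip, ignoreip):
    """True if ip matches any address or CIDR mask in the space-separated ignoreip list."""
    addr = ipaddress.ip_address(ip)
    for entry in ignoreip.split():
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # DNS host names are allowed by Fail2Ban but not resolved here
    return False


def simulate_jail(log_text, ignoreip="127.0.0.1", findtime=600, maxretry=3, bantime=3600):
    """Return {ip: (ban_start, ban_end)} for hosts reaching maxretry failures within findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if is_ignored(ip, ignoreip):
            continue
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned; the firewall would have rejected this attempt
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


def firewall_command(ip, jail="sshd"):
    """Shape of the ban rule Fail2Ban's iptables action inserts (chain name is an assumption)."""
    return f"iptables -I fail2ban-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for ip, (start, end) in simulate_jail(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
        print("  " + firewall_command(ip))
```

Run as-is, only 203.0.113.5 is banned: 127.0.0.1 is protected by ignoreip, and 192.0.2.9 never accumulates three failures inside one 600 s window. Raising findtime to 3600 catches the slow attacker too, which is the trade-off the findtime setting controls.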
Check the Rule added by Fail2Ban