installation and configuration of fail2ban on CentOS 6

What is Fail2Ban

  • Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks
  • Fail2ban is a daemon that can be run on your server to dynamically block clients that fail to authenticate correctly with your services repeatedly.
  • Written in the Python programming language.
  • Fail2ban is a free and open source framework.

How it works

  • Fail2ban scans log files (e.g. /var/log/apache/error_log, /var/log/auth.log,¬†/var/log/apache/access.log) and bans IPs that show the malicious signs like too many password failures,seeking for exploits, etc.
  • Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time
  • Although any arbitrary other action (e.g. sending an email) could also be configured.
  • Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents.

Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

fail2ban ip banned
fail2ban ip banned

Install Fail2Ban

EPEL Repository  Need to add

For 32 bit centos 6:

rpm -Uvh http://mirror.pnl.gov/epel//6/i386/epel-release-6-8.noarch.rpm

For 64 Bit Centos 6

rpm -Uvh http://mirror.us.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
or

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Installation

yum install fail2ban

Fail2Ban to start automatically on boot

chkconfig –add fail2ban

chkconfig fail2ban on

 

Configuration of Fail2Ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

vi /etc/fail2ban/jail.local

[DEFAULT]

# “ignoreip” can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# “bantime” is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated “maxretry” during the last “findtime”
# seconds.
findtime = 600

# “maxretry” is the number of failures before a host get banned.
maxretry = 3

Now change this file as below as required:

ignoreip

  • Write your IP address into the ignoreip line. You can separate each address with a space.
  • IgnoreIP allows you white list certain IP addresses and make sure that they are not locked out from your VPS.

bantime

  • The number of seconds that a host would be blocked from the server if they are found to be in violation of any of the rules.
  • This is especially useful in the case of bots, that once banned, will simply move on to the next target.
  • The default is set for 10 minutes

Maxretry

This is the amount of incorrect login attempts that a host may have before they get banned for the length of the ban time

Findtime

This is the amount of time that a host has to log in. The default setting is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times in the designated 10 minutes, they will be banned.

Restart Fail2Ban

service fail2ban restart

Check the Rule added by Fail2Ban

iptables -L

[xyz-ihs snippet=”Discuss”]

Leave a Reply