Installing Fail2Ban on Rocky Linux 8

Hello,

In this week’s feature highlight, we look at How to Fail2Ban on Rocky Linux 8

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs, etc. And uses iptables profiles to block brute-force attempts.

To install Fail2ban, The EPEL repository needs to be installed first.

yum install epel-release

Note: It will prompt for several permission Press “y” and “Enter” to continue.

Next, install fail2ban package.

yum install fail2ban

Note: This will prompt for several permissions, Press “y” and “Enter” to continue.

Set fail2ban to start on boot automatically,

systemctl enable fail2ban

Configuring local file settings.

Jail.conf contains a section which Configuration settings can be done for the fail2ban, we are not going edit this file because package upgrade can overwrite this file.

Jail.local contains same section where jail.conf file contains and it can override this values.

/etc/fail2ban/jail.d/ can override both jails.local and jails.conf files

First we begin with the jail.local file.

Open the file for editing,

nano /etc/fail2ban/jail.local

Add the following content,

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

If server uses firewalld instead of iptables, simply comment the banaction line

Restarting the Fail2Ban service to load new settings.

systemctl restart fail2ban

To check status

fail2ban-client status

Output:

Status
|- Number of jail:      1
`- Jail list:   sshd

To view detailed information of sshd

fail2ban-client status sshd

Ouput:

[root@server ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     238
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 19
   |- Total banned:     19
   `- Banned IP list:   221.131.165.56 183.89.70.240 211.200.178.178 218.92.0.207 221.181.185.143 221.181.185.220 189.207.242.90 120.246.124.254 51.254.84.249 103.20.34.169 218.22.36.135 1.179.185.50 171.245.229.51 106.55.240.205 212.64.60.50 58.240.52.43 209.141.60.60 171.225.250.69 221.181.185.151

Modify the content of the file /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

Setting ban time

#ban time setting to 600sec
bantime = 600 

Setting conditions to ban a client

findtime = 600 
maxretry = 3

In this example, the client is blocked if he makes 3 unsuccessful login attempts with in 10 mins.

To check the details of banned IPs and number of login attempts,

fail2ban-client status sshd

Output:

[root@server ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed:     262
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 21
   |- Total banned:     21
   `- Banned IP list:   221.131.165.56 183.89.70.240 211.200.178.178 218.92.0.207 221.181.185.143 221.181.185.220 189.207.242.90 120.246.124.254 51.254.84.249 1        03.20.34.169 218.22.36.135 1.179.185.50 171.245.229.51 106.55.240.205 212.64.60.        50 58.240.52.43 209.141.60.60 171.225.250.69 221.181.185.151 142.93.215.8 222.18        7.238.136

(Visited 281 times, 1 visits today)