How to install Fail2ban in rhel 6 & 7

What is fail2ban?

Fail2ban scans and monitors log files for selected entries and bans the source IPs that show signs of malicious activity, such as too many password failures or probing for exploits. By default a ban is a firewall rule that drops traffic from that address for a limited time.


1. Install Fail2Ban

Fail2ban is not in the base RHEL repositories; it is packaged in EPEL, so enable that repository first.

For RHEL 6

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

For RHEL 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

Then install the package on either release:

yum install fail2ban

Note for RHEL 7: the EPEL fail2ban package pulls in fail2ban-firewalld, whose drop-in /etc/fail2ban/jail.d/00-firewalld.conf switches the default ban action to firewallcmd-ipset. If firewalld is running, keep that default; the iptables action used in the SSH jail below is intended for hosts that manage iptables directly.

2. Copy the Configuration File

The default fail2ban configuration file is /etc/fail2ban/jail.conf. Do not edit that file: a package upgrade can overwrite it. Fail2ban reads jail.conf first and then jail.local, so anything in jail.local overrides the packaged defaults and survives upgrades.

Copy the file to jail.local so there is a safe place for our changes:


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


3. Configure defaults in Jail.Local

The [DEFAULT] section holds the basic rules that fail2ban applies to every enabled service unless the service's own section overrides them. If you want more nuanced protection for your server, you can customize the details in each per-service section.

You can see the default section below.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using a space separator. Add the address you administer from, or a
# mistyped password will lock you out for the whole "bantime".
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

4. Add a jail file to protect SSH

Although you can add these parameters to the global jail.local file, it is good practice to create a separate file under /etc/fail2ban/jail.d/ for each service you want Fail2Ban to protect. Files there are read after jail.local and can be added or removed without touching the main configuration.

So lets create a new jail for SSH with the vi editor.

vi /etc/fail2ban/jail.d/sshd.local

In the above file, add the following lines of code:

[sshd]
# The packaged jail.conf ships every jail disabled; this turns it on.
enabled = true
# "ssh" is resolved through /etc/services; use a number if sshd listens elsewhere.
port = ssh
# Ban by inserting a DROP rule into an iptables chain created for this jail.
action = iptables-multiport
# RHEL writes sshd authentication messages to /var/log/secure.
logpath = /var/log/secure
maxretry = 3
bantime = 3600

5. Restart Fail2Ban

service fail2ban restart

On RHEL 7 the service command is redirected to systemctl, so this works on both releases. Make sure the service also starts at boot (chkconfig fail2ban on for RHEL 6, systemctl enable fail2ban for RHEL 7). Fail2ban creates an iptables chain for each jail and a rule in INPUT that jumps to it; confirm that they exist with:

iptables -L -n
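To make the numbers in steps 3 and 4 concrete, the following added example (written for this page, not code from the original post or from the Fail2ban project) replays the jail's counting rule over a few constructed /var/log/secure lines with POSIX sh and awk. It assumes a single "Failed password ... from <ip>" pattern in place of the real sshd filter's larger set of regexes, and that all timestamps fall on one day. Running it shows that 203.0.113.5 is banned under maxretry = 3 and findtime = 600, that 198.51.100.7 escapes because its three failures are spread over more than ten minutes (widen findtime to 7200 and it is banned too), and that 127.0.0.1 is never banned while it is listed in ignoreip.

```shell
#!/bin/sh
# Added example: replays Fail2ban's per-IP failure counting over constructed log
# lines. Not Fail2ban code. Assumptions: one "Failed password" regex stands in
# for the real sshd filter, and all timestamps fall on the same day.

# Constructed sample of /var/log/secure lines (RFC 5737 documentation addresses).
SAMPLE_LOG='Apr 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Apr 10 08:00:07 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Apr 10 08:00:15 host sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Apr 10 08:01:02 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2
Apr 10 08:02:30 host sshd[1220]: Failed password for root from 198.51.100.7 port 60000 ssh2
Apr 10 08:05:00 host sshd[1230]: Failed password for root from 127.0.0.1 port 33000 ssh2
Apr 10 08:05:10 host sshd[1231]: Failed password for root from 127.0.0.1 port 33001 ssh2
Apr 10 08:05:20 host sshd[1232]: Failed password for root from 127.0.0.1 port 33002 ssh2
Apr 10 09:30:00 host sshd[1300]: Failed password for root from 198.51.100.7 port 60001 ssh2
Apr 10 09:31:00 host sshd[1301]: Failed password for root from 198.51.100.7 port 60002 ssh2'

# would_ban MAXRETRY FINDTIME IGNOREIP
# Prints, in order of first ban, each IP whose failures reach MAXRETRY inside a
# FINDTIME-second window, skipping IGNOREIP the way "ignoreip" would.
would_ban() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$1" -v findtime="$2" -v ignoreip="$3" '
    function tosec(hms,  a) { split(hms, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    # Only authentication failures count; "Accepted" lines never do.
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == ignoreip) next
      now = tosec($3)                    # field 3 is HH:MM:SS
      n[ip]++; seen[ip, n[ip]] = now
      # Count this host failures that fall within findtime of the newest one.
      recent = 0
      for (j = 1; j <= n[ip]; j++) if (now - seen[ip, j] <= findtime) recent++
      if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Settings from the page: only the fast brute-forcer is banned.
echo "maxretry=3 findtime=600 ignoreip=127.0.0.1:"
would_ban 3 600 127.0.0.1

# A longer findtime also catches the slow, spread-out attempts.
echo "maxretry=3 findtime=7200 ignoreip=127.0.0.1:"
would_ban 3 7200 127.0.0.1
```

On a real host the equivalent check against the shipped filter is fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf, which reports how many lines of the log the jail's regexes match and is the first thing to run when a jail shows zero failures in fail2ban-client status.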

Check Fail2Ban Status

Use the fail2ban-client command to query the overall status of the Fail2Ban jails:


fail2ban-client status

You can also query a specific jail status using the following command:

fail2ban-client status sshd

Manually Unban IP Banned by Fail2Ban

If for some reason you want to restore access for an IP that has been banned, use the following command to unban it manually:

fail2ban-client set JAIL unbanip IP

For example, to unban 192.168.1.101, which was banned by the [sshd] jail:

fail2ban-client set sshd unbanip 192.168.1.101
