Although SSH is a very secure way of connecting to a server, the SSH background service (a daemon, in Unix terminology) must by necessity listen on a network interface that is reachable from the Internet in order to do its job.
Unfortunately, it is precisely that exposure that opens the server to attacks such as brute forcing. In a brute-force attack a person or, far more often, a bot hammers the server with login attempts using guessed user names and passwords; nearly all of them fail, but the attacker keeps going until one succeeds. If you open the authentication log of your server (on CentOS 8, /var/log/secure or the systemd journal), you will clearly see the long runs of failed logins that identify an attack of this type.
Fail2ban helps by watching that log for you: after a predetermined number of failed login attempts from the same address, it blocks that IP address for a while by adding a rule to the iptables firewall.
In this guide you will learn how to install Fail2ban and automate this process to block brute-force attacks through iptables, preventing unauthorized intrusion attempts on your CentOS 8 server.
First, connect to your server via SSH. If you have not done so yet, following our guide on connecting securely with the SSH protocol is recommended. In the case of a local server, skip this step and open a terminal on the server.
Installing Fail2ban on CentOS 8
Fail2ban is not included in the official CentOS repositories, but it is part of EPEL (Extra Packages for Enterprise Linux), an additional repository that can be enabled on CentOS 8 by installing the epel-release package.
To enable the repository, type the following command in the terminal (on CentOS 8 yum is an alias for dnf, so either name works):
$ sudo yum install epel-release
Output ending with a confirmation request, similar to the following, should be displayed:
Install 1 Package
Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Enter y and press Enter to confirm.
Now, install the Fail2ban package via the command:
$ sudo yum install fail2ban
As before, confirm with y and press Enter to continue.
After the installation, enable the Fail2ban service so that it starts at boot, and start it right away with the --now flag (enable alone only registers the service and does not start it):
$ sudo systemctl enable --now fail2ban
Configuring the local settings
Fail2ban configuration files are located in the /etc/fail2ban directory. Inside it you will find a file called jail.conf, which is overwritten on every package upgrade and should therefore never be edited directly.
To enter your custom settings, create a file called jail.local: the values set there replace the default values present in jail.conf.
Fail2ban reads its jail configuration files in a fixed sequence and, when the same parameter appears more than once, the value read last is the one applied.
To give an example: jail.conf contains a section called [DEFAULT] followed by a section for each individual service. jail.local overrides some of those values. Moreover, files placed in the /etc/fail2ban/jail.d/ directory (the CentOS 8 package ships 00-firewalld.conf there) take part in the same sequence.
The settings are applied in the following order:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf, sorted in alphabetical order (* stands for any name you choose for one or more files placed in the directory)
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local, sorted alphabetically (as above)
Each file may contain a [DEFAULT] section and a section for each individual jail (service). Whatever the file, the last value read always wins: this is why a setting in jail.local overrides jail.d/00-firewalld.conf, while a file in jail.d whose name ends in .local overrides jail.local.
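As an added example, not code from this guide or from the Fail2ban project, the following Python script emulates that reading order with the standard configparser module (Fail2ban itself is written in Python and builds its reader on the same module). It creates a constructed /etc/fail2ban-like tree in a temporary directory, including a 00-firewalld.conf drop-in like the one the CentOS 8 package ships, merges the files in the documented order and reports which value wins for each setting. The file contents and the zz-override.local name are assumptions made for the demonstration; Fail2ban's real reader also performs its own %(name)s substitution, which is not needed to show precedence.

```python
"""Emulate Fail2ban's jail configuration precedence with configparser.

Added example, not Fail2ban's own code.  Fail2ban reads jail.conf,
jail.d/*.conf, jail.local and jail.d/*.local in that order, and the
last value read for an option wins.  Everything below (file contents,
the zz-override.local name, the temporary directory) is constructed for
the demonstration.
"""
import configparser
import glob
import os
import shutil
import tempfile


def config_read_order(confdir):
    """Return the jail configuration files in the order Fail2ban applies them."""
    order = [os.path.join(confdir, "jail.conf")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    order.append(os.path.join(confdir, "jail.local"))
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    return [p for p in order if os.path.isfile(p)]


def effective_config(confdir):
    """Merge the files in precedence order; later files override earlier ones.

    interpolation=None keeps values such as %(sshd_log)s literal instead of
    letting configparser try to resolve them.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_read_order(confdir))
    return parser


def build_demo_tree():
    """Create a constructed /etc/fail2ban-like tree in a temporary directory."""
    confdir = tempfile.mkdtemp(prefix="f2b-demo-")
    os.mkdir(os.path.join(confdir, "jail.d"))
    files = {
        # Package defaults: overwritten on upgrade, never edited.
        "jail.conf": "[DEFAULT]\nbantime = 600\nbanaction = iptables-multiport\n"
                     "[sshd]\nport = ssh\nlogpath = %(sshd_log)s\n",
        # Drop-in like the one the fail2ban-firewalld package installs on CentOS 8.
        "jail.d/00-firewalld.conf": "[DEFAULT]\nbanaction = firewallcmd-ipset\n",
        # The administrator's overrides from this guide.
        "jail.local": "[DEFAULT]\nbantime = 3600\nbanaction = iptables-multiport\n"
                      "[sshd]\nenabled = true\n",
        # A later drop-in (constructed name): read after jail.local, so it wins.
        "jail.d/zz-override.local": "[sshd]\nbantime = 86400\n",
    }
    for name, body in files.items():
        with open(os.path.join(confdir, name), "w") as fh:
            fh.write(body)
    return confdir


def demo():
    """Build the tree, merge it, and report the winning values for the sshd jail."""
    confdir = build_demo_tree()
    try:
        cfg = effective_config(confdir)
        return {
            "order": [os.path.relpath(p, confdir) for p in config_read_order(confdir)],
            "banaction": cfg.get("sshd", "banaction"),  # jail.local beats 00-firewalld.conf
            "bantime": cfg.get("sshd", "bantime"),      # zz-override.local beats jail.local
            "enabled": cfg.get("sshd", "enabled"),
            "logpath": cfg.get("sshd", "logpath"),      # kept literal, see effective_config
        }
    finally:
        shutil.rmtree(confdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is the banaction result: a setting in jail.local really does beat the firewalld drop-in, but anything you put in a jail.d file ending in .local silently beats jail.local in turn, so when a ban does not behave as expected, check jail.d before suspecting the jail itself. On a live server, fail2ban-client get sshd bantime (and the same for maxretry, findtime and logpath) reports the value Fail2ban actually loaded.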
Then, start by writing a minimal version of jail.local. The new file can be created with an editor of your choice; in this example nano is used.
$ sudo nano /etc/fail2ban/jail.local
Once the new file is open, copy the following lines into it to override some settings (the section headers matter: settings under [DEFAULT] apply to every jail, while settings under [sshd] apply only to that jail):
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
For clarity, inside the file:
- bantime indicates, in seconds, how long a host stays banned after using up its allowed attempts (3600 = one hour);
- banaction selects the iptables-multiport action, which writes bans as iptables rules, in place of the firewallcmd-ipset action that the CentOS 8 package sets in jail.d/00-firewalld.conf;
- enabled = true under [sshd] switches on the sshd jail, which jail.conf defines but leaves disabled by default.
If you administer the server from a fixed address, it is also worth adding an ignoreip line under [DEFAULT] that lists 127.0.0.1/8 and that address, so that a mistyped password on your side cannot lock you out; the setting is described further down.
Once the entry is complete, exit and save the new settings. To do so, use Ctrl + X to exit, y to save and Enter to confirm.
To apply the new changes, restart the fail2ban service with the command:
$ sudo systemctl restart fail2ban
The command, if executed successfully, produces no output. To verify that the service is running and has loaded the jail, enter:
$ sudo fail2ban-client status
An output similar to the following should be shown:
Status
|- Number of jail: 1
`- Jail list: sshd
If necessary, more detailed information on a jail (failures seen, addresses currently banned) can be requested with:
$ sudo fail2ban-client status sshd
Exploring the settings available
With jail.local in place, the other settings present in the main jail.conf file can be explored. Remember that, to make sure a new setting is applied and survives package upgrades, copy it from jail.conf into jail.local rather than editing jail.conf itself.
First, open the file via the command:
$ sudo nano /etc/fail2ban/jail.conf
Default settings for all Jails
Exploring the [DEFAULT] section :
ignoreip = 127.0.0.1/8
The ignoreip item lists addresses or networks that must never be banned, however many failures they produce. The loopback network is listed by default (recent releases also add ::1); you can add as many entries as you want, separated by a space. Put the address you administer the server from here, because a mistyped password on your side would otherwise lock you out for bantime seconds.
bantime = 600
Under bantime enter the duration, in seconds, of the ban applied to a host that exceeded the allowed failed attempts (recent releases also accept suffixes such as 10m or 1h).
findtime = 600
maxretry = 3
The findtime and maxretry entries together set Fail2ban's tolerance before it bans a host: a host is banned when it accumulates maxretry failures within a window of findtime seconds.
With the values above, three failed attempts within 600 seconds (10 minutes) trigger a ban. Note that an attacker who spaces attempts further apart than the window never accumulates three within it, so a slow guesser goes unnoticed unless findtime is raised or maxretry lowered.
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
These three lines are used to configure the email alert for bans. In order:
- destemail specifies the email address that should receive the ban message;
- sendername specifies the name that should appear as the sender;
- mta specifies which mail transfer agent should deliver it (sendmail by default; it must be installed and working for the alert to be sent).
action = %(action_)s
Through this item the action that Fail2ban performs to institute a ban is set. The value action_ is a variable defined a few lines above and, by default, it only asks the firewall to ban the host for bantime seconds.
To receive an e-mail alert for each ban, set action = %(action_mw)s in jail.local (ban plus a mail containing a whois report on the address). To also attach the log lines that triggered the ban, use action = %(action_mwl)s instead. Both depend on the mta setting above actually delivering mail.
Settings for individual Jails
After the [DEFAULT] section you will find a section for each service that Fail2ban can protect. Among its items are the port that the ban rule must block and the logpath of the file to watch for unauthorized access attempts.
Taking the sshd jail enabled earlier as an example, jail.conf defines it with the following items:
[sshd]
port = ssh
logpath = %(sshd_log)s
The value ssh in port is not a Fail2ban variable but a service name, which iptables resolves through /etc/services (to port 22) when the rule is created; that is what keeps the jail portable between operating systems. If your sshd listens on a non-standard port, set port to that number explicitly, otherwise the ban would block the wrong port. %(sshd_log)s, on the other hand, is a Fail2ban variable defined in paths-common.conf and the distribution-specific paths-*.conf file (paths-fedora.conf on CentOS), where it resolves to /var/log/secure. If the server logs only to the systemd journal, add backend = systemd to the jail so that Fail2ban reads the journal instead of a file.
Another setting that may be present is filter, which tells Fail2ban how to recognise a failed authentication in a log line; when a jail does not set it, the jail's own name is used.
The value of filter refers to a file in /etc/fail2ban/filter.d with its .conf extension removed. That file contains failregex, the regular expression matched against every log line to decide whether it records a failed attempt. The sshd filter is quite complex and is not described in this guide, as the default is appropriate.
In any case, to see which other filters are available, list the directory with the command:
$ ls /etc/fail2ban/filter.d
Each file there starts with comments explaining which service and which log messages it matches. To use one of them, add a section in jail.local whose name matches the filter (or that sets filter explicitly), give it a logpath and set enabled = true. Before relying on a filter, the fail2ban-regex tool (for example fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf) tests it against a real log file and reports how many lines it matched.
Checking Fail2ban log and Firewall configuration
It is important to check that Fail2Ban is working as expected. Start by checking the status of the service, using the command:
$ sudo systemctl status fail2ban
If something doesn't work, then check the fail2ban logs from the last boot:
$ sudo journalctl -b -u fail2ban
To interact with the Fail2ban service, use the fail2ban-client command. For example, to check the state of all jails or of one jail in particular (jail_name below is a placeholder, e.g. sshd), type:
$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name
Moreover, to check the list of the most recent actions on Fail2ban view the log file contents:
$ sudo tail -F /var/log/fail2ban.log
To close the list above, use Ctrl + C.
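When an address keeps showing up in that log, the question is whether it is currently banned and how many times it has been banned before. The following added Python example, not from this guide or from the Fail2ban project, answers it offline: it parses the NOTICE lines that fail2ban.actions writes to /var/log/fail2ban.log, pairs Ban and Unban events per jail, and returns the addresses banned right now plus a ban count per address. The sample lines are constructed in the log format used by Fail2ban 0.10 and 0.11; the jail name, PID and addresses are made up.

```python
"""Summarise Ban/Unban events from /var/log/fail2ban.log.

Added example, not part of the guide or of Fail2ban.  It reads the
NOTICE lines that fail2ban.actions writes for every ban and unban,
pairs them per jail, and returns who is banned right now plus how many
times each address has been banned.  The sample lines are constructed
in the format Fail2ban 0.10/0.11 uses; jail name, PID and addresses are
made up.
"""
import re
from collections import Counter

# fail2ban.actions logs "Ban", "Unban" and, after a restart, "Restore Ban".
ACTION_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban|Restore Ban) (?P<ip>\S+)$"
)


def summarize_bans(lines):
    """Return (active, counts).

    active maps (jail, ip) to the timestamp of its latest ban, for addresses
    that have not been unbanned since; counts maps (jail, ip) to the number
    of bans seen, which is how you spot repeat offenders.
    """
    active = {}
    counts = Counter()
    for line in lines:
        m = ACTION_LINE.match(line)
        if not m:
            continue   # fail2ban.filter INFO lines and anything else are skipped
        key = (m.group("jail"), m.group("ip"))
        if m.group("event") == "Unban":
            active.pop(key, None)
        else:
            active[key] = m.group("ts")
            counts[key] += 1
    return active, counts


def repeat_offenders(lines, min_bans=2):
    """Addresses banned at least min_bans times, most frequent first."""
    _, counts = summarize_bans(lines)
    return [(jail, ip, n) for (jail, ip), n in counts.most_common() if n >= min_bans]


# Constructed excerpt of /var/log/fail2ban.log.
SAMPLE_LOG = """\
2024-03-03 10:15:12,448 fail2ban.actions        [1180]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-03 10:22:40,002 fail2ban.actions        [1180]: NOTICE  [sshd] Ban 192.0.2.44
2024-03-03 11:15:12,901 fail2ban.actions        [1180]: NOTICE  [sshd] Unban 198.51.100.7
2024-03-03 11:20:05,113 fail2ban.filter         [1180]: INFO    [sshd] Found 198.51.100.7 - 2024-03-03 11:20:04
2024-03-03 11:20:07,557 fail2ban.actions        [1180]: NOTICE  [sshd] Ban 198.51.100.7
""".splitlines()


if __name__ == "__main__":
    active, counts = summarize_bans(SAMPLE_LOG)
    for (jail, ip), when in sorted(active.items()):
        print(f"[{jail}] {ip} banned since {when} ({counts[(jail, ip)]} ban(s) total)")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

In the sample, 198.51.100.7 came straight back five minutes after its one-hour ban expired, which is the usual signature of an automated scanner. Fail2ban ships a recidive jail that does exactly this job on the live log file and re-bans repeat offenders for much longer; enabling it in jail.local is the standard answer to that pattern.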
Check the current iptables rules (with -n, so that addresses are printed numerically instead of being reverse-resolved, which is slow) with:
$ sudo iptables -L -n
Fail2ban keeps its rules in a separate chain per jail, named f2b-sshd for the sshd jail: each banned address appears there as a REJECT rule, and the INPUT chain contains a jump to that chain for the ssh port. iptables rules can also be shown in a format that reproduces the commands needed to recreate each rule. To do so, use the command:
$ sudo iptables -S
To manually lift the ban on an IP blocked by Fail2ban, use the following command:
$ sudo fail2ban-client set sshd unbanip 188.8.131.52
Obviously replace 188.8.131.52 with the address you want to unblock. If, on the other hand, you want to ban an address by hand (for instance one you spotted in the log before the jail reacted), use:
$ sudo fail2ban-client set sshd banip 220.127.116.11
In both cases the change is applied to the firewall immediately and is reflected in the output of fail2ban-client status sshd.
In this guide you have learned how to install and configure Fail2ban on CentOS 8 to stop unauthorized intrusion attempts on your server, taking advantage of how easy the tool is to configure.
You should now be able to use Fail2ban to set basic rules that block brute-force attacks through iptables, protecting your server's authentication services and making it more secure.