Fail2ban is for me one of the best security tool for a linux server. In general, it's scanning your log files. If the  defined regular expression and some rules matches, the IP will be  banned.

For example, if a bot with the IP 123.45.678.890 attack your website, try to login via ssh a few times, fail2ban will ban this IP. The bot gets a timeout for the next attempt. You can specify, inter alia, the bantime, findtime and maxretry. In this post, I want to show you how to install and configure this powerful tool.

How can I install and configure fail2ban?

First of all, fail2ban needs to be installed via yum:

yum install fail2ban

To start the service:

systemctl start fail2ban

Let fail2ban start at every boot:

systemctl enable fail2ban

Common filters are already integrated. This is a nice feature. These filters can be modified in /etc/fail2ban/filter.d/

It's probably a good idea to modify the default settings. The default values can be viewed in /etc/fail2ban/jail.conf.  If you don't set a specific configuration for your jail, these  parameters will be used. To change the settings, you have to edit /etc/fail2ban/jail.local.

nano /etc/fail2ban/jail.local
bantime = 3600 # Ban hosts for one hour:
findtime = 600 # time period to find host (10 min)
banaction = iptables-multiport
...

We now want to create a new jail. This can also be done in the file. Copy&Paste the following code to enable an apache authentication failure filter:

...
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/httpd/error_log

To activate these modifications, the service needs to be reloaded:

systemctl restart fail2ban

A few minutes/hours later, you can check if the ban of a jail took action.

fail2ban-client status

What do to, if I banned myself?

If you banned yourself, you can easily connect with another IP (Smartphone Wlan Hotspot or reconnect to your internet provider) and unban your previous IP:

fail2ban-client set JAILNAME unbanip YOUR_IP

Furthermore, you can exclude your IP in the configuration file /etc/fail2ban/jail.local: in the [DEFAULT] section add

[DEFAULT]
ignoreip = 127.0.0.1/8 YOUR_IP
...

In this tutorial you installed and started fail2ban. You also added a new filter and activated it.

I highly recommend to set up more jails to protect from server attacks. I will publish a few more guides.


Please comment below, if you have any questions.

Tested on:

  • OS: CentOS 7
  • fail2ban: 0.9.6

Credits: