Fail2ban is for me one of the best security tools for a Linux server. It scans your log files with filters (regular expressions); when a filter matches often enough within a configured time window, the offending IP is banned at the firewall.
For example, if a bot with the IP 203.0.113.45 attacks your website or tries to log in via SSH a few times, fail2ban bans this IP and the bot is locked out for the next attempts. You can tune, among other things, the bantime (how long the ban lasts), the findtime (the window in which the failures must occur) and maxretry (how many failures are tolerated inside that window). In this post, I want to show you how to install and configure this powerful tool.
How can I install and configure fail2ban?
First of all, fail2ban has to be installed via yum. On CentOS 7 the package comes from the EPEL repository, so enable that first:
yum install epel-release
yum install fail2ban
To start the service:
systemctl start fail2ban
Let fail2ban start at every boot:
systemctl enable fail2ban
Filters for common services (sshd, apache, postfix, ...) are already included, which is a nice feature. They live in /etc/fail2ban/filter.d/ and can be modified there.
It's probably a good idea to change the default settings. The defaults can be viewed in /etc/fail2ban/jail.conf; if you don't set a specific value in a jail, these parameters are used (out of the box: bantime = 600, findtime = 600, maxretry = 5). Don't edit jail.conf itself, because a package update may overwrite it. Instead create /etc/fail2ban/jail.local, which overrides jail.conf, and put your changes into its [DEFAULT] section. One caveat for CentOS 7: it uses firewalld by default. The iptables-multiport action used below inserts rules with iptables directly, which works, but those rules do not survive a firewalld reload. If you rely on firewalld, use the firewallcmd-ipset or firewallcmd-multiport action instead.
[DEFAULT]
# Ban hosts for one hour
bantime = 3600
# Time window in which the failures must occur (10 min)
findtime = 600
banaction = iptables-multiport
...
We now want to create a new jail. This is also done in jail.local. Add the following section to enable the apache-auth filter, which matches failed HTTP basic/digest authentication in the Apache error log (on CentOS 7 the httpd error log is /var/log/httpd/error_log):
...
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/error_log
To activate these modifications, the service has to be reloaded (fail2ban-client reload also works):
systemctl restart fail2ban
Before relying on the jail, check that the filter actually matches your log format by running it against the log: fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf. A few minutes or hours later you can check whether the jail has banned anyone with fail2ban-client status apache (use the jail name from jail.local; fail2ban-client status without a name lists all jails).
What to do if I banned myself?
If you banned yourself, you can easily connect from another IP (a smartphone WLAN hotspot, or reconnect to your internet provider to get a new dynamic IP) and unban your previous IP:
fail2ban-client set JAILNAME unbanip YOUR_IP
Furthermore, you can exclude your own IP (or network) from banning in /etc/fail2ban/jail.local. In the [DEFAULT] section add it to ignoreip, separated by spaces; CIDR notation is allowed:
[DEFAULT]
ignoreip = 127.0.0.1/8 YOUR_IP
...
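To make the interplay of bantime, findtime, maxretry and ignoreip from the jail.local settings above concrete, here is a small Python model of one jail that I wrote for this post. It is an added illustration, not fail2ban's own code: the regex is a simplified stand-in for the real apache-auth filter, the Apache error_log lines are constructed sample data, and the jail name, IPs and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified stand-in for the regex in fail2ban's apache-auth filter (illustration
# only; the real filter lives in /etc/fail2ban/filter.d/apache-auth.conf).
APACHE_AUTH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth\w*:error\] \[pid \d+\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] .*"
    r"(?:authentication failure|user .* not found)"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"   # Apache 2.4 error_log timestamp


class Jail:
    """Minimal model of one fail2ban jail: count matching failures per IP inside a
    sliding findtime window and ban for bantime once maxretry is reached."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600,
                 ignoreip=("127.0.0.1/8",)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = {}   # ip -> timestamps of recent failures
        self.bans = {}       # ip -> datetime at which the ban expires

    def is_ignored(self, ip):
        return any(ip_address(ip) in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = APACHE_AUTH_RE.search(line)
        if not m:
            return None                     # filter does not match this line
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        ip = m.group("ip")
        if self.is_ignored(ip):
            return None                     # ignoreip: never counted, never banned
        if ip in self.bans:
            if self.bans[ip] > ts:
                return None                 # still banned, nothing to count
            del self.bans[ip]               # bantime elapsed, start counting again
        window = self.failures.setdefault(ip, [])
        window.append(ts)
        cutoff = ts - timedelta(seconds=self.findtime)
        window[:] = [t for t in window if t > cutoff]   # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def banned_at(self, when):
        """IPs whose ban is still active at the given time."""
        return sorted(ip for ip, expiry in self.bans.items() if expiry > when)


BASE = datetime(2017, 1, 7, 10, 0, 0)   # assumed start time of the sample log


def make_line(ts, ip, msg='authentication failure for "/admin": Password Mismatch'):
    """Constructed Apache 2.4 error_log line (sample data, not from a real server)."""
    return (f"[{ts.strftime(TS_FORMAT)}] [auth_basic:error] [pid 1001] "
            f"[client {ip}:51234] AH01617: user admin: {msg}")


SAMPLE_LOG = [
    # bot: 5 failures within 40 seconds -> banned on the 5th line
    *[make_line(BASE + timedelta(seconds=10 * i), "203.0.113.45") for i in range(5)],
    # slow client: 5 failures, each 12 minutes apart -> never 5 inside findtime
    *[make_line(BASE + timedelta(minutes=12 * i), "198.51.100.7") for i in range(5)],
    # local script failing repeatedly -> covered by ignoreip, never banned
    *[make_line(BASE + timedelta(seconds=i), "127.0.0.1") for i in range(6)],
    # unrelated error line: the filter regex does not match it at all
    f"[{BASE.strftime(TS_FORMAT)}] [core:notice] [pid 1001] AH00094: Command line: '/usr/sbin/httpd'",
]


def demo():
    """Run the sample log through a jail configured like the jail.local above."""
    jail = Jail(maxretry=5, findtime=600, bantime=3600, ignoreip=("127.0.0.1/8",))
    triggered = [ip for ip in (jail.feed(line) for line in SAMPLE_LOG) if ip]
    return jail, triggered


if __name__ == "__main__":
    jail, triggered = demo()
    print("bans triggered:", triggered)
    print("still banned 30 min later:", jail.banned_at(BASE + timedelta(minutes=30)))
    print("still banned 2 h later:", jail.banned_at(BASE + timedelta(hours=2)))
```

The slow client shows why findtime matters: it fails just as often as the bot, but never five times inside ten minutes, so it is never banned. Raise findtime if you want to catch such low-and-slow attempts. Each IP is tracked independently, so the order of lines across different IPs in the sample does not affect the result.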
In this tutorial you installed and started fail2ban, changed the defaults in jail.local, and added a new jail for Apache authentication failures and activated it.
I highly recommend setting up more jails to protect the server from further attacks. I will publish a few more guides.
Please comment below, if you have any questions.
- OS: CentOS 7
- fail2ban: 0.9.6