Fail2ban
fail2ban installation and configuration
Fail2ban is a program that limits brute-force login attempts by scanning log files and temporarily banning offending IP addresses. An administrator configures what are known as jails: per-service settings (for example, for ssh) that specify how many failed login attempts are allowed before the originating IP address is added to a block list, and how long each ban lasts. In the example that follows we will install fail2ban on a CentOS 7 server. The procedure is the same for RHEL 7, Oracle Linux 7, Scientific Linux and Fedora 21 systems.
CentOS 7 fail2ban installation
Before we can install the "fail2ban" package we need to enable the "EPEL" repository by installing the "epel-release" package. EPEL (Extra Packages for Enterprise Linux) is a free, community-based repository project from Fedora that provides high-quality add-on packages for enterprise Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux.
First we check that the EPEL release package is available with the command "yum list epel-release".
We then issue the command "yum install epel-release" to install it.
Below is the output from the above commands:
[root@centos07a ~]# yum list epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.melbourne.co.uk
* extras: mirrors.melbourne.co.uk
* updates: mirror.bytemark.co.uk
Available Packages
epel-release.noarch
[root@centos07a ~]# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.melbourne.co.uk
* extras: mirrors.melbourne.co.uk
* updates: mirror.bytemark.co.uk
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-5 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
epel-release noarch 7-5 extras 14 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-5.noarch.rpm | 14 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-5.noarch 1/1
Verifying : epel-release-7-5.noarch 1/1
Installed:
epel-release.noarch 0:7-5
Complete!
yum install fail2ban
Once the prerequisite package has been installed, we are ready to install the "fail2ban" package with the command "yum install fail2ban". Note that yum pulls in fail2ban-firewalld, fail2ban-systemd, ipset and systemd-python as dependencies, and prompts once to import the EPEL signing key from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, the key file shipped by the epel-release package installed above. Below is the output from the install command:
[root@centos07a ~]# yum install fail2ban
Loaded plugins: fastestmirror
epel/x86_64/metalink | 28 kB 00:00
epel | 4.4 kB 00:00
(1/2): epel/x86_64/group_gz | 250 kB 00:00
(2/2): epel/x86_64/primary_db | 4.0 MB 00:01
(1/2): epel/x86_64/pkgtags | 1.4 MB 00:00
(2/2): epel/x86_64/updateinfo | 292 kB 00:00
Loading mirror speeds from cached hostfile
* base: mirrors.melbourne.co.uk
* epel: mirror.bytemark.co.uk
* extras: mirrors.melbourne.co.uk
* updates: mirror.bytemark.co.uk
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.1-2.el7 will be installed
--> Processing Dependency: fail2ban-systemd = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-server = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-sendmail = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-firewalld = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.1-2.el7 will be installed
---> Package fail2ban-sendmail.noarch 0:0.9.1-2.el7 will be installed
---> Package fail2ban-server.noarch 0:0.9.1-2.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.1-2.el7.noarch
--> Processing Dependency: ipset for package: fail2ban-server-0.9.1-2.el7.noarch
---> Package fail2ban-systemd.noarch 0:0.9.1-2.el7 will be installed
--> Running transaction check
---> Package ipset.x86_64 0:6.19-4.el7 will be installed
--> Processing Dependency: ipset-libs = 6.19-4.el7 for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_3.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_2.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_1.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3()(64bit) for package: ipset-6.19-4.el7.x86_64
---> Package systemd-python.x86_64 0:208-11.el7_0.6 will be installed
--> Running transaction check
---> Package ipset-libs.x86_64 0:6.19-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
fail2ban noarch 0.9.1-2.el7 epel 9.2 k
Installing for dependencies:
fail2ban-firewalld noarch 0.9.1-2.el7 epel 9.4 k
fail2ban-sendmail noarch 0.9.1-2.el7 epel 12 k
fail2ban-server noarch 0.9.1-2.el7 epel 368 k
fail2ban-systemd noarch 0.9.1-2.el7 epel 9.4 k
ipset x86_64 6.19-4.el7 base 36 k
ipset-libs x86_64 6.19-4.el7 base 46 k
systemd-python x86_64 208-11.el7_0.6 updates 83 k
Transaction Summary
================================================================================
Install 1 Package (+7 Dependent packages)
Total download size: 573 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-firewalld-0.9.1-2.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-firewalld-0.9.1-2.el7.noarch.rpm is not installed
(1/8): fail2ban-firewalld-0.9.1-2.el7.noarch.rpm | 9.4 kB 00:00
(2/8): fail2ban-0.9.1-2.el7.noarch.rpm | 9.2 kB 00:00
(3/8): fail2ban-sendmail-0.9.1-2.el7.noarch.rpm | 12 kB 00:00
(4/8): fail2ban-systemd-0.9.1-2.el7.noarch.rpm | 9.4 kB 00:00
(5/8): fail2ban-server-0.9.1-2.el7.noarch.rpm | 368 kB 00:00
(6/8): ipset-6.19-4.el7.x86_64.rpm | 36 kB 00:00
(7/8): ipset-libs-6.19-4.el7.x86_64.rpm | 46 kB 00:00
(8/8): systemd-python-208-11.el7_0.6.x86_64.rpm | 83 kB 00:00
--------------------------------------------------------------------------------
Total 650 kB/s | 573 kB 00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) "
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-5.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : systemd-python-208-11.el7_0.6.x86_64 1/8
Installing : ipset-libs-6.19-4.el7.x86_64 2/8
Installing : ipset-6.19-4.el7.x86_64 3/8
Installing : fail2ban-server-0.9.1-2.el7.noarch 4/8
Installing : fail2ban-sendmail-0.9.1-2.el7.noarch 5/8
Installing : fail2ban-systemd-0.9.1-2.el7.noarch 6/8
Installing : fail2ban-firewalld-0.9.1-2.el7.noarch 7/8
Installing : fail2ban-0.9.1-2.el7.noarch 8/8
Verifying : fail2ban-sendmail-0.9.1-2.el7.noarch 1/8
Verifying : ipset-libs-6.19-4.el7.x86_64 2/8
Verifying : fail2ban-server-0.9.1-2.el7.noarch 3/8
Verifying : ipset-6.19-4.el7.x86_64 4/8
Verifying : fail2ban-0.9.1-2.el7.noarch 5/8
Verifying : fail2ban-systemd-0.9.1-2.el7.noarch 6/8
Verifying : systemd-python-208-11.el7_0.6.x86_64 7/8
Verifying : fail2ban-firewalld-0.9.1-2.el7.noarch 8/8
Installed:
fail2ban.noarch 0:0.9.1-2.el7
Dependency Installed:
fail2ban-firewalld.noarch 0:0.9.1-2.el7
fail2ban-sendmail.noarch 0:0.9.1-2.el7
fail2ban-server.noarch 0:0.9.1-2.el7
fail2ban-systemd.noarch 0:0.9.1-2.el7
ipset.x86_64 0:6.19-4.el7
ipset-libs.x86_64 0:6.19-4.el7
systemd-python.x86_64 0:208-11.el7_0.6
Complete!
Fail2ban Configuration Files
Once the necessary packages have been installed, you can take a look at the configuration area which is located at:
/etc/fail2ban/
[root@centos07a ~]# cd /etc/fail2ban/
[root@centos07a fail2ban]# ls
action.d filter.d paths-common.conf paths-freebsd.conf
fail2ban.conf jail.conf paths-debian.conf paths-osx.conf
fail2ban.d jail.d paths-fedora.conf
The main configuration file is "jail.conf". It is recommended that you never edit this file directly, because a package update may overwrite it; put any customizations in a file called "jail.local", which is read after "jail.conf" and overrides it. In the example below I have created a very basic file. Alternatively you may copy the original "jail.conf" to "jail.local" and edit the copy to your requirements.
Create a Basic Custom Jail - jail.local
Below is a very basic custom configuration file. The local file will override the settings that are in the "jail.conf" file.
[DEFAULT]
bantime = 600
banaction = firewallcmd-ipset
backend = systemd
ignoreip = 127.0.0.1
findtime = 600
maxretry = 3
[sshd]
enabled = true
In the above file the following attributes have been specified:
bantime
The time in seconds that the ban lasts. For example, a value of 600 is a period of 10 minutes.
banaction
The action used to apply and remove a ban. "firewallcmd-ipset" places the banned address in an ipset that firewalld rejects traffic from, which is why the "fail2ban-firewalld" and "ipset" packages were pulled in during installation; it requires firewalld to be running.
ignoreip
A list of IP addresses that are never banned. CIDR notation may be used to specify an address range.
findtime
This is the time interval (in seconds) before the current time where failures will count towards a ban.
maxretry
This is the number of failures that have to occur in the last findtime seconds to ban an IP address.
backend
Specifies the backend to be used to detect changes in the logpath. This defaults to "auto" which will try "pyinotify", "gamin", "systemd" before "polling". In this example I have specified "systemd".
For more information on any of these parameters, refer to the jail.conf(5) man page ("man jail.conf").
Auto Start fail2ban
Once you have created your "jail.local" configuration, set fail2ban to start automatically at boot by issuing the following command:
systemctl enable fail2ban
[root@centos07a fail2ban]# systemctl enable fail2ban
ln -s '/usr/lib/systemd/system/fail2ban.service' '/etc/systemd/system/multi-user.target.wants/fail2ban.service'
Starting and Stopping fail2ban
To start fail2ban, issue the following command:
systemctl start fail2ban
To stop fail2ban, issue the following command:
systemctl stop fail2ban
To view the current status of fail2ban, issue the following command:
systemctl status fail2ban
Example output from status command:
[root@centos07a fail2ban]# systemctl start fail2ban
[root@centos07a fail2ban]# systemctl status fail2ban
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
Active: active (running) since Sat 2015-03-07 13:52:35 GMT; 5s ago
Docs: man:fail2ban(1)
Process: 11109 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 11123 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 11126 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─11126 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2...
Mar 07 13:52:35 centos07a systemd[1]: Starting Fail2Ban Service...
Mar 07 13:52:35 centos07a fail2ban-client[11123]: 2015-03-07 13:52:35,372 fai...
Mar 07 13:52:35 centos07a fail2ban-client[11123]: 2015-03-07 13:52:35,373 fai...
Mar 07 13:52:35 centos07a systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
View Log files for fail2ban
Messages relating to fail2ban can be found in the following location: /var/log/fail2ban.log
The output below is from the fail2ban.log file. Note that this particular log reports a 'polling' backend watching /var/log/secure, so it was captured with a different backend setting from the jail.local shown above; with "backend = systemd" the sshd jail reads the systemd journal instead of /var/log/secure.
2015-03-07 16:19:28,685 fail2ban.filter [21434]: INFO Set jail log file encoding to UTF-8
2015-03-07 16:19:28,686 fail2ban.jail [21434]: INFO Initiated 'polling' backend
2015-03-07 16:19:28,696 fail2ban.filter [21434]: INFO Added logfile = /var/log/secure
2015-03-07 16:19:28,697 fail2ban.filter [21434]: INFO Set maxRetry = 3
2015-03-07 16:19:28,698 fail2ban.filter [21434]: INFO Set jail log file encoding to UTF-8
2015-03-07 16:19:28,699 fail2ban.actions [21434]: INFO Set banTime = 600
2015-03-07 16:19:28,700 fail2ban.filter [21434]: INFO Set findtime = 600
2015-03-07 16:19:28,701 fail2ban.filter [21434]: INFO Set maxlines = 10
2015-03-07 16:19:28,744 fail2ban.server [21434]: INFO Jail sshd is not a JournalFilter instance
2015-03-07 16:19:28,857 fail2ban.jail [21434]: INFO Jail 'sshd' started
Testing fail2ban
The easiest way to test our configuration is to attempt to log in to the server running "fail2ban". To do this, simply "ssh" to the server and try to log in using the wrong password. Our configuration specifies "maxretry = 3", so after the third failed attempt within the findtime window we will be banned for the specified period.
Below is the output from our remote server attempting to login using the wrong password:
john@ubuntu01-pc:~$ ssh john@192.168.0.16
john@192.168.0.16's password:
Permission denied, please try again.
john@192.168.0.16's password:
Permission denied, please try again.
john@192.168.0.16's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
john@ubuntu01-pc:~$ ssh john@192.168.0.16
ssh: connect to host 192.168.0.16 port 22: Connection refused
john@ubuntu01-pc:~$ ssh john@192.168.0.16
ssh: connect to host 192.168.0.16 port 22: Connection refused
From the above we can see that the ban was applied after the third unsuccessful attempt: the subsequent connections are refused because the firewallcmd-ipset action rejects packets from the banned address rather than silently dropping them.
Below is the view from the "fail2ban.log" file:
2015-03-07 16:19:28,685 fail2ban.filter [21434]: INFO Set jail log file encoding to UTF-8
2015-03-07 16:19:28,686 fail2ban.jail [21434]: INFO Initiated 'polling' backend
2015-03-07 16:19:28,696 fail2ban.filter [21434]: INFO Added logfile = /var/log/secure
2015-03-07 16:19:28,697 fail2ban.filter [21434]: INFO Set maxRetry = 3
2015-03-07 16:19:28,698 fail2ban.filter [21434]: INFO Set jail log file encoding to UTF-8
2015-03-07 16:19:28,699 fail2ban.actions [21434]: INFO Set banTime = 600
2015-03-07 16:19:28,700 fail2ban.filter [21434]: INFO Set findtime = 600
2015-03-07 16:19:28,701 fail2ban.filter [21434]: INFO Set maxlines = 10
2015-03-07 16:19:28,744 fail2ban.server [21434]: INFO Jail sshd is not a JournalFilter instance
2015-03-07 16:19:28,857 fail2ban.jail [21434]: INFO Jail 'sshd' started
2015-03-07 16:26:02,414 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
2015-03-07 16:26:11,456 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
2015-03-07 16:26:16,478 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
2015-03-07 16:26:17,589 fail2ban.actions [21434]: NOTICE [sshd] Ban 192.168.0.9
If you look at the last four lines of output, you can clearly see that the ban was applied once the third failure was found. The ban lasts for the specified time (600 seconds).
After this period the ban is removed from the IP address, as the final entries in the "fail2ban.log" show:
2015-03-07 16:26:17,589 fail2ban.actions [21434]: NOTICE [sshd] Ban 192.168.0.9
2015-03-07 16:36:18,420 fail2ban.actions [21434]: NOTICE [sshd] Unban 192.168.0.9
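As an added illustration (not part of the original article and not fail2ban's own code), the following Python script replays the findtime, maxretry, bantime and ignoreip settings from the jail.local above over the "Found" lines of the fail2ban.log shown in the test. The sample log text is constructed from those lines, and the simulation is a simplified model of the server's counting logic.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: [sshd] lines as they appear in the page's fail2ban.log
SAMPLE_LOG = """\
2015-03-07 16:19:28,857 fail2ban.jail [21434]: INFO Jail 'sshd' started
2015-03-07 16:26:02,414 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
2015-03-07 16:26:11,456 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
2015-03-07 16:26:16,478 fail2ban.filter [21434]: INFO [sshd] Found 192.168.0.9
"""

FOUND_RE = re.compile(r"^(\S+ \S+) fail2ban\.\w+ \[\d+\]: \w+ \[(\w+)\] Found (\S+)$")

def parse_found(log_text):
    """Return (timestamp, jail, ip) tuples for each 'Found' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def simulate(events, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
    """Replay the jail.local parameters over Found events (simplified model).

    Returns (timestamp, 'Ban'|'Unban', ip) tuples in time order. A ban fires on the
    failure that brings the count within the last findtime seconds to maxretry; the
    real server's actions thread logs it about a second later than shown here."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window, banned_until, actions = {}, {}, []
    for ts, _jail, ip in events:
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the firewall is rejecting this source
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            actions += [(ts, "Ban", ip), (until, "Unban", ip)]
            banned_until[ip] = until
            window[ip] = []  # the failure counter restarts after the ban
    return sorted(actions)

if __name__ == "__main__":
    for ts, action, ip in simulate(parse_found(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} NOTICE [sshd] {action} {ip}")
```

Changing findtime or maxretry in the call shows why the page's three failures within 14 seconds trigger a ban while the same failures spread over a longer window would not.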