Fail2ban

fail2ban installation and configuration

Fail2ban


Fail2ban is a program that can be installed to limit brute force login attempts. Fail2ban allows an administrator to configure what are known as jails. These jails are specific settings for various programs such as ssh. A jail can specify how many login attempts are allowed before the initiating IP address is added to a blocked list, and how long an individual ban lasts for. In the example that follows we will install fail2ban on a CentOS 7 server. The procedure will be the same for RHEL 7, Oracle 7, Scientific Linux and Fedora 21 systems.



CentOS 7 fail2ban installation


Before we can install the "fail2ban" package we will need to install a prerequisite package known as "EPEL". Extra Packages for Enterprise Linux is a free, open source, community-based repository project from Fedora which provides high quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS, and Scientific Linux.

First we can check that the EPEL package is available by using the command "yum list epel-release".

We then issue the command "yum install epel-release" to install the package.

Below is the output from the above commands:



[root@centos07a ~]# yum list epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.melbourne.co.uk
 * extras: mirrors.melbourne.co.uk
 * updates: mirror.bytemark.co.uk
Available Packages
epel-release.noarch  

[root@centos07a ~]# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.melbourne.co.uk
 * extras: mirrors.melbourne.co.uk
 * updates: mirror.bytemark.co.uk
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch             Version         Repository        Size
================================================================================
Installing:
 epel-release           noarch           7-5             extras            14 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-5.noarch.rpm                                |  14 kB   00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-5.noarch                                      1/1 
  Verifying  : epel-release-7-5.noarch                                      1/1 

Installed:
  epel-release.noarch 0:7-5                                                     

Complete!

yum install fail2ban


Once the necessary prerequisite packages have been installed, we are ready to install the "fail2ban" package. The command used is simply "yum install fail2ban". Below is the output from the install command:



[root@centos07a ~]# yum install fail2ban
Loaded plugins: fastestmirror
epel/x86_64/metalink                                     |  28 kB     00:00     
epel                                                     | 4.4 kB     00:00     
(1/2): epel/x86_64/group_gz                                | 250 kB   00:00     
(2/2): epel/x86_64/primary_db                              | 4.0 MB   00:01     
(1/2): epel/x86_64/pkgtags                                 | 1.4 MB   00:00     
(2/2): epel/x86_64/updateinfo                              | 292 kB   00:00     
Loading mirror speeds from cached hostfile
 * base: mirrors.melbourne.co.uk
 * epel: mirror.bytemark.co.uk
 * extras: mirrors.melbourne.co.uk
 * updates: mirror.bytemark.co.uk
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.1-2.el7 will be installed
--> Processing Dependency: fail2ban-systemd = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-server = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-sendmail = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Processing Dependency: fail2ban-firewalld = 0.9.1-2.el7 for package: fail2ban-0.9.1-2.el7.noarch
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.1-2.el7 will be installed
---> Package fail2ban-sendmail.noarch 0:0.9.1-2.el7 will be installed
---> Package fail2ban-server.noarch 0:0.9.1-2.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.1-2.el7.noarch
--> Processing Dependency: ipset for package: fail2ban-server-0.9.1-2.el7.noarch
---> Package fail2ban-systemd.noarch 0:0.9.1-2.el7 will be installed
--> Running transaction check
---> Package ipset.x86_64 0:6.19-4.el7 will be installed
--> Processing Dependency: ipset-libs = 6.19-4.el7 for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_3.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_2.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_1.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3()(64bit) for package: ipset-6.19-4.el7.x86_64
---> Package systemd-python.x86_64 0:208-11.el7_0.6 will be installed
--> Running transaction check
---> Package ipset-libs.x86_64 0:6.19-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch         Version              Repository     Size
================================================================================
Installing:
 fail2ban                 noarch       0.9.1-2.el7          epel          9.2 k
Installing for dependencies:
 fail2ban-firewalld       noarch       0.9.1-2.el7          epel          9.4 k
 fail2ban-sendmail        noarch       0.9.1-2.el7          epel           12 k
 fail2ban-server          noarch       0.9.1-2.el7          epel          368 k
 fail2ban-systemd         noarch       0.9.1-2.el7          epel          9.4 k
 ipset                    x86_64       6.19-4.el7           base           36 k
 ipset-libs               x86_64       6.19-4.el7           base           46 k
 systemd-python           x86_64       208-11.el7_0.6       updates        83 k

Transaction Summary
================================================================================
Install  1 Package (+7 Dependent packages)

Total download size: 573 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-firewalld-0.9.1-2.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-firewalld-0.9.1-2.el7.noarch.rpm is not installed
(1/8): fail2ban-firewalld-0.9.1-2.el7.noarch.rpm           | 9.4 kB   00:00     
(2/8): fail2ban-0.9.1-2.el7.noarch.rpm                     | 9.2 kB   00:00     
(3/8): fail2ban-sendmail-0.9.1-2.el7.noarch.rpm            |  12 kB   00:00     
(4/8): fail2ban-systemd-0.9.1-2.el7.noarch.rpm             | 9.4 kB   00:00     
(5/8): fail2ban-server-0.9.1-2.el7.noarch.rpm              | 368 kB   00:00     
(6/8): ipset-6.19-4.el7.x86_64.rpm                         |  36 kB   00:00     
(7/8): ipset-libs-6.19-4.el7.x86_64.rpm                    |  46 kB   00:00     
(8/8): systemd-python-208-11.el7_0.6.x86_64.rpm            |  83 kB   00:00     
--------------------------------------------------------------------------------
Total                                              650 kB/s | 573 kB  00:00     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) "
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-5.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : systemd-python-208-11.el7_0.6.x86_64                         1/8 
  Installing : ipset-libs-6.19-4.el7.x86_64                                 2/8 
  Installing : ipset-6.19-4.el7.x86_64                                      3/8 
  Installing : fail2ban-server-0.9.1-2.el7.noarch                           4/8 
  Installing : fail2ban-sendmail-0.9.1-2.el7.noarch                         5/8 
  Installing : fail2ban-systemd-0.9.1-2.el7.noarch                          6/8 
  Installing : fail2ban-firewalld-0.9.1-2.el7.noarch                        7/8 
  Installing : fail2ban-0.9.1-2.el7.noarch                                  8/8 
  Verifying  : fail2ban-sendmail-0.9.1-2.el7.noarch                         1/8 
  Verifying  : ipset-libs-6.19-4.el7.x86_64                                 2/8 
  Verifying  : fail2ban-server-0.9.1-2.el7.noarch                           3/8 
  Verifying  : ipset-6.19-4.el7.x86_64                                      4/8 
  Verifying  : fail2ban-0.9.1-2.el7.noarch                                  5/8 
  Verifying  : fail2ban-systemd-0.9.1-2.el7.noarch                          6/8 
  Verifying  : systemd-python-208-11.el7_0.6.x86_64                         7/8 
  Verifying  : fail2ban-firewalld-0.9.1-2.el7.noarch                        8/8 

Installed:
  fail2ban.noarch 0:0.9.1-2.el7                                                 

Dependency Installed:
  fail2ban-firewalld.noarch 0:0.9.1-2.el7                                       
  fail2ban-sendmail.noarch 0:0.9.1-2.el7                                        
  fail2ban-server.noarch 0:0.9.1-2.el7                                          
  fail2ban-systemd.noarch 0:0.9.1-2.el7                                         
  ipset.x86_64 0:6.19-4.el7                                                     
  ipset-libs.x86_64 0:6.19-4.el7                                                
  systemd-python.x86_64 0:208-11.el7_0.6                                        

Complete!


Fail2ban Configuration Files


Once the necessary packages have been installed, you can take a look at the configuration area which is located at:

/etc/fail2ban/



[root@centos07a ~]# cd /etc/fail2ban/
[root@centos07a fail2ban]# ls
action.d       filter.d   paths-common.conf  paths-freebsd.conf
fail2ban.conf  jail.conf  paths-debian.conf  paths-osx.conf
fail2ban.d     jail.d     paths-fedora.conf

The main configuration file is "jail.conf". It is recommended that you never manually edit this file. Any customizations can be created in a file called "jail.local". In the example below I have created a very basic file. You may wish to copy the original file "jail.conf" and edit this to your requirements.


Create a Basic Custom Jail - jail.local


Below is a very basic custom configuration file. The local file will override the settings that are in the "jail.conf" file.



[DEFAULT]
bantime = 600
banaction = firewallcmd-ipset
backend = systemd
ignoreip = 127.0.0.1
findtime = 600
maxretry = 3

[sshd]
enabled = true

In the above file the following attributes have been specified:


bantime


The time in seconds that the ban will last for. For example a value of 600 would be equal to a time period of 10 minutes.


ignoreip


Allows a list of IP addresses to be specified that are exempt from any ban. CIDR notation may be used to specify an address range.


findtime


This is the time window (in seconds), counted back from the current time, within which failures count towards a ban.


maxretry


This is the number of failures that have to occur in the last findtime seconds to ban an IP address.


backend


Specifies the backend to be used to detect changes in the logpath. This defaults to "auto" which will try "pyinotify", "gamin", "systemd" before "polling". In this example I have specified "systemd".

For more information relating to any of these parameters, refer to the man page "jail.conf".
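The way the three counters interact is easier to see in code than in prose. The following is an added example, not part of the original page and not fail2ban's own code: a small model of the rule described above (maxretry failures from one address within findtime seconds bans it for bantime seconds, unless the address matches ignoreip). It uses the values from the jail.local shown above; the sshd log lines it reads are constructed samples in the /var/log/secure format, and the class and function names are this example's own.

```python
"""Added example: a model of fail2ban's findtime / maxretry / bantime / ignoreip
rule as described on the page. Not fail2ban's own code; the log lines below are
constructed samples in the /var/log/secure format."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.local shown above.
BANTIME = 600       # seconds a ban lasts
FINDTIME = 600      # window (seconds) in which failures are counted
MAXRETRY = 3        # failures within FINDTIME that trigger a ban
IGNOREIP = ["127.0.0.1"]   # single addresses or CIDR ranges, e.g. "10.0.0.0/8"

# Shape of an sshd password failure line in /var/log/secure (hypothetical pattern).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log: three failures from 192.168.0.9 (banned), three from
# 127.0.0.1 (ignored), and three from 192.168.0.20 spread over more than
# FINDTIME seconds (never banned).
SAMPLE_LOG = """\
Mar  7 16:26:02 centos07a sshd[21501]: Failed password for john from 192.168.0.9 port 50412 ssh2
Mar  7 16:26:11 centos07a sshd[21501]: Failed password for john from 192.168.0.9 port 50412 ssh2
Mar  7 16:26:16 centos07a sshd[21501]: Failed password for john from 192.168.0.9 port 50412 ssh2
Mar  7 16:30:00 centos07a sshd[21520]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  7 16:30:01 centos07a sshd[21520]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  7 16:30:02 centos07a sshd[21520]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar  7 16:36:20 centos07a sshd[21530]: Failed password for john from 192.168.0.20 port 40010 ssh2
Mar  7 16:40:00 centos07a sshd[21531]: Failed password for john from 192.168.0.20 port 40011 ssh2
Mar  7 16:50:00 centos07a sshd[21532]: Failed password for john from 192.168.0.20 port 40012 ssh2
"""


def _ignored(ip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in IGNOREIP)


class Jail:
    """Sliding-window failure counter with timed bans (example's own class)."""

    def __init__(self, year=2015):
        self.year = year                      # syslog timestamps carry no year
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.banned_until = {}                # ip -> datetime the ban expires
        self.events = []                      # (action, ip, timestamp), like the log

    def _parse_ts(self, text):
        return datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S")

    def _expire_bans(self, now):
        # Bans are lifted once bantime seconds have passed.
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.events.append(("Unban", ip, now))

    def feed(self, line):
        """Process one log line; returns "Ban", "Found" or None."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        now = self._parse_ts(m.group("ts"))
        self._expire_bans(now)
        ip = m.group("ip")
        if _ignored(ip) or ip in self.banned_until:
            return None
        window = self.failures[ip]
        window.append(now)
        # Only failures within the last FINDTIME seconds count.
        while window and (now - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            self.banned_until[ip] = now + timedelta(seconds=BANTIME)
            window.clear()
            self.events.append(("Ban", ip, now))
            return "Ban"
        return "Found"


def run(log_text=SAMPLE_LOG):
    """Feed every line through one jail and return the Ban/Unban events."""
    jail = Jail()
    for line in log_text.splitlines():
        jail.feed(line)
    return jail.events


if __name__ == "__main__":
    for action, ip, ts in run():
        print(f"{ts:%Y-%m-%d %H:%M:%S} [sshd] {action} {ip}")
```

Running it yields a Ban for 192.168.0.9 on the third failure and an Unban once 600 seconds have passed; 127.0.0.1 never accumulates failures because it matches ignoreip, and 192.168.0.20 is never banned because its third failure arrives after the first one has aged out of the findtime window. Real fail2ban lifts bans on a periodic check rather than on the next log line, which is why the page's Unban appears a second or so after the 600 seconds elapse.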


Auto Start fail2ban


Once you have created your "jail.local" configuration, you will need to set fail2ban to start automatically at boot. To achieve this you must issue the following command:

systemctl enable fail2ban



[root@centos07a fail2ban]# systemctl enable fail2ban
ln -s '/usr/lib/systemd/system/fail2ban.service' '/etc/systemd/system/multi-user.target.wants/fail2ban.service'

Starting and Stopping fail2ban


To start fail2ban, issue the following command:

systemctl start fail2ban

To stop fail2ban, issue the following command:

systemctl stop fail2ban

To view the current status of fail2ban, issue the following command:

systemctl status fail2ban

Example output from status command:



[root@centos07a fail2ban]# systemctl start fail2ban
[root@centos07a fail2ban]# systemctl status fail2ban
fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
   Active: active (running) since Sat 2015-03-07 13:52:35 GMT; 5s ago
     Docs: man:fail2ban(1)
  Process: 11109 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 11123 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 11126 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─11126 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2...

Mar 07 13:52:35 centos07a systemd[1]: Starting Fail2Ban Service...
Mar 07 13:52:35 centos07a fail2ban-client[11123]: 2015-03-07 13:52:35,372 fai...
Mar 07 13:52:35 centos07a fail2ban-client[11123]: 2015-03-07 13:52:35,373 fai...
Mar 07 13:52:35 centos07a systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.

View Log files for fail2ban


Messages relating to fail2ban can be found in the following location: /var/log/fail2ban.log

The output below is from the fail2ban.log file:



2015-03-07 16:19:28,685 fail2ban.filter         [21434]: INFO    Set jail log file encoding to UTF-8
2015-03-07 16:19:28,686 fail2ban.jail           [21434]: INFO    Initiated 'polling' backend
2015-03-07 16:19:28,696 fail2ban.filter         [21434]: INFO    Added logfile = /var/log/secure
2015-03-07 16:19:28,697 fail2ban.filter         [21434]: INFO    Set maxRetry = 3
2015-03-07 16:19:28,698 fail2ban.filter         [21434]: INFO    Set jail log file encoding to UTF-8
2015-03-07 16:19:28,699 fail2ban.actions        [21434]: INFO    Set banTime = 600
2015-03-07 16:19:28,700 fail2ban.filter         [21434]: INFO    Set findtime = 600
2015-03-07 16:19:28,701 fail2ban.filter         [21434]: INFO    Set maxlines = 10
2015-03-07 16:19:28,744 fail2ban.server         [21434]: INFO    Jail sshd is not a JournalFilter instance
2015-03-07 16:19:28,857 fail2ban.jail           [21434]: INFO    Jail 'sshd' started

Testing fail2ban


The easiest way to test our configuration is to actually attempt to log in to the server running "fail2ban". To do this simply "ssh" to the server and try to log in using the wrong password. Our configuration specifies "maxretry = 3". This means that after the third failed attempt within the allotted time, we will receive a ban for the specified period of time.

Below is the output from our remote client attempting to log in using the wrong password:



john@ubuntu01-pc:~$ ssh john@192.168.0.16
john@192.168.0.16's password: 
Permission denied, please try again.
john@192.168.0.16's password: 
Permission denied, please try again.
john@192.168.0.16's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
john@ubuntu01-pc:~$ ssh john@192.168.0.16
ssh: connect to host 192.168.0.16 port 22: Connection refused
john@ubuntu01-pc:~$ ssh john@192.168.0.16
ssh: connect to host 192.168.0.16 port 22: Connection refused

From the above we can see that the ban was applied after the third unsuccessful attempt.

Below is the view from the "fail2ban.log" file:



2015-03-07 16:19:28,685 fail2ban.filter         [21434]: INFO    Set jail log file encoding to UTF-8
2015-03-07 16:19:28,686 fail2ban.jail           [21434]: INFO    Initiated 'polling' backend
2015-03-07 16:19:28,696 fail2ban.filter         [21434]: INFO    Added logfile = /var/log/secure
2015-03-07 16:19:28,697 fail2ban.filter         [21434]: INFO    Set maxRetry = 3
2015-03-07 16:19:28,698 fail2ban.filter         [21434]: INFO    Set jail log file encoding to UTF-8
2015-03-07 16:19:28,699 fail2ban.actions        [21434]: INFO    Set banTime = 600
2015-03-07 16:19:28,700 fail2ban.filter         [21434]: INFO    Set findtime = 600
2015-03-07 16:19:28,701 fail2ban.filter         [21434]: INFO    Set maxlines = 10
2015-03-07 16:19:28,744 fail2ban.server         [21434]: INFO    Jail sshd is not a JournalFilter instance
2015-03-07 16:19:28,857 fail2ban.jail           [21434]: INFO    Jail 'sshd' started
2015-03-07 16:26:02,414 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:11,456 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:16,478 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:17,589 fail2ban.actions        [21434]: NOTICE  [sshd] Ban 192.168.0.9

If you look at the last 4 lines of output, you can clearly see that the ban was applied after the third unsuccessful attempt. The duration of the ban will last for the specified amount of time (600 seconds).

After this time period, the ban will be removed from the IP address. This can be seen from the last entries from the "fail2ban.log":



2015-03-07 16:26:17,589 fail2ban.actions        [21434]: NOTICE  [sshd] Ban 192.168.0.9
2015-03-07 16:36:18,420 fail2ban.actions        [21434]: NOTICE  [sshd] Unban 192.168.0.9
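Checking that bans actually last as long as bantime says is something worth doing on any host after the first ban, and the fail2ban.log lines above carry everything needed for it. The following is an added example, not part of the original page and not fail2ban's own tooling: it parses the log lines shown above (copied into the script), counts the "Found" hits per jail and address, pairs each "Ban" with its "Unban", and compares the measured ban length against the configured bantime of 600 seconds from the jail.local above. The function names and the record layout are this example's own.

```python
"""Added example: parse fail2ban.log lines, count Found hits and measure
Ban -> Unban durations. Not fail2ban's own code; the log text below is the
output shown on the page."""
import re
from collections import Counter
from datetime import datetime

# One fail2ban.log line: timestamp, component, [pid], LEVEL, optional [jail], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ "
    r"(?P<component>fail2ban\.\w+)\s+\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+)\s+(?:\[(?P<jail>\w+)\] )?(?P<msg>.*)$"
)
ACTION_RE = re.compile(r"^(?P<action>Ban|Unban|Found) (?P<ip>\S+)")

# Log lines as shown on the page.
SAMPLE_LOG = """\
2015-03-07 16:19:28,685 fail2ban.filter         [21434]: INFO    Set jail log file encoding to UTF-8
2015-03-07 16:19:28,686 fail2ban.jail           [21434]: INFO    Initiated 'polling' backend
2015-03-07 16:19:28,696 fail2ban.filter         [21434]: INFO    Added logfile = /var/log/secure
2015-03-07 16:19:28,697 fail2ban.filter         [21434]: INFO    Set maxRetry = 3
2015-03-07 16:19:28,699 fail2ban.actions        [21434]: INFO    Set banTime = 600
2015-03-07 16:19:28,700 fail2ban.filter         [21434]: INFO    Set findtime = 600
2015-03-07 16:19:28,857 fail2ban.jail           [21434]: INFO    Jail 'sshd' started
2015-03-07 16:26:02,414 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:11,456 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:16,478 fail2ban.filter         [21434]: INFO    [sshd] Found 192.168.0.9
2015-03-07 16:26:17,589 fail2ban.actions        [21434]: NOTICE  [sshd] Ban 192.168.0.9
2015-03-07 16:36:18,420 fail2ban.actions        [21434]: NOTICE  [sshd] Unban 192.168.0.9
"""


def parse(line):
    """Split one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    a = ACTION_RE.match(rec["msg"])
    rec["action"] = a.group("action") if a else None
    rec["ip"] = a.group("ip") if a else None
    return rec


def found_counts(log_text):
    """Number of 'Found' hits per (jail, ip): how close each address is to a ban."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["action"] == "Found":
            counts[(rec["jail"], rec["ip"])] += 1
    return dict(counts)


def ban_durations(log_text, bantime=600):
    """Pair each Ban with its Unban per (jail, ip).

    Returns (completed, still_open): completed is a list of dicts with the
    measured ban length in seconds and whether it reached the configured
    bantime; still_open maps (jail, ip) to the Ban timestamp for bans that
    have not been lifted in the log yet.
    """
    open_bans = {}
    completed = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] not in ("Ban", "Unban"):
            continue
        key = (rec["jail"], rec["ip"])
        if rec["action"] == "Ban":
            open_bans[key] = rec["ts"]
        elif key in open_bans:
            start = open_bans.pop(key)
            seconds = int((rec["ts"] - start).total_seconds())
            completed.append({
                "jail": key[0], "ip": key[1],
                "banned_at": start, "unbanned_at": rec["ts"],
                "seconds": seconds,
                "as_configured": seconds >= bantime,
            })
    return completed, open_bans


if __name__ == "__main__":
    print("Found hits:", found_counts(SAMPLE_LOG))
    done, pending = ban_durations(SAMPLE_LOG)
    for b in done:
        print(f"[{b['jail']}] {b['ip']} banned {b['seconds']}s "
              f"(>= bantime: {b['as_configured']})")
    print("Bans not yet lifted:", pending)
```

On the page's log the script reports three Found hits for 192.168.0.9 in the sshd jail and one completed ban of 601 seconds, consistent with bantime = 600 plus the delay of fail2ban's periodic unban check. A measured length well under bantime, or a Ban with no matching Unban long after bantime has passed, would point at a restart or an action that did not fire, which is the kind of discrepancy a quick run over the live /var/log/fail2ban.log will surface.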