Note: the following tutorial is part of my engineering thesis, "Hardening of a Linux-based network server", written under the supervision of Kordian Smoliński, Ph.D., at the Department of Theoretical Physics, WFiIS UŁ, and defended in June 2019.
CentOS
To install Fail2Ban on CentOS 7.6, first enable the EPEL (Extra Packages for Enterprise Linux) repository. EPEL provides additional packages for all supported CentOS releases, and Fail2Ban is one of them.
Debian/Ubuntu
For Debian/Ubuntu a single apt command is enough, since the package is in the default repositories:
For CentOS, the next step is to update the SELinux policy so that Fail2Ban is allowed to run under SELinux. (Note: SELinux is not installed on mikr.us.)
For Debian/Ubuntu there is AppArmor instead, so this SELinux step does not apply.
Once installed, configure and customize Fail2Ban through the jail.local file. Fail2Ban reads jail.conf first and then jail.local, and any setting in jail.local overrides the one in jail.conf. jail.conf is overwritten when the package is updated, while jail.local is left alone, so your own changes belong in jail.local.
Create jail.local as a copy of jail.conf:
Open the jail.local file for editing in Vim with the following command:
The file is divided into sections, and each section can hold several settings: which IP addresses must never be banned, how long a ban lasts (bantime), and so on. A typical jail configuration contains the following lines:
- ignoreip sets a list of IP addresses (or CIDR ranges) that are never banned, separated by spaces. Put your own address here if you reach the server from a fixed IP, so that a mistyped password cannot lock you out.
- bantime is the number of seconds a host stays banned.
- findtime is the window, in seconds, over which failures are counted. A host is banned when it reaches maxretry failures within the last findtime seconds.
- maxretry is the number of failed attempts a host is allowed; once it exceeds this limit within findtime, the host is banned.
Adding a jail to protect SSH
Create a new file using the vim editor.
Add the following lines to that file:
If you are using iptables rather than firewalld, set the action as below:
- enabled = true switches the jail on; set it to false to turn the protection off. filter names the filter definition, here /etc/fail2ban/filter.d/sshd.conf, which holds the regular expressions that recognize failed logins in the log.
- action defines how a matching IP address is banned; with iptables-allports the firewall rule is taken from /etc/fail2ban/action.d/iptables-allports.conf.
- allports means the offender is blocked on every port, not only the one it attacked. Use iptables-multiport or firewalld-multiport if you want to block only the ports listed in the port parameter.
- port can be changed to a non-standard value, e.g. port=2244 as in this case. If sshd listens on port 22, there is no need to change it.
- logpath is the path of the log file that Fail2Ban scans (/var/log/secure on CentOS, /var/log/auth.log on Debian/Ubuntu).
- maxretry sets the maximum number of failed login attempts before a ban.
- bantime sets how many seconds the host stays blocked.
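The two fragments described above, assembled into one jail.local, as an added example (this is not the tutorial's own file). The addresses, the 2244 port, the log path and the timing values are assumptions; the firewalld comment reflects the banaction that the fail2ban-firewalld package sets on CentOS 7:

```ini
# /etc/fail2ban/jail.local  (added example, values are assumptions)
# jail.local is read after jail.conf and overrides it; it survives package updates.

[DEFAULT]
# Hosts that are never banned: loopback plus an assumed fixed admin address,
# separated by spaces. Without this a typo in your own password can lock you out.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10

# Ban for one hour, counting failures over a ten minute window; ban on the 5th.
bantime  = 3600
findtime = 600
maxretry = 5

# On CentOS 7 with firewalld, fail2ban-firewalld ships jail.d/00-firewalld.conf
# which sets this; keep it if firewalld is the active firewall.
banaction = firewallcmd-ipset

[sshd]
enabled  = true
# /etc/fail2ban/filter.d/sshd.conf: the regexes that recognize failed logins
filter   = sshd
# sshd moved to a non-standard port (assumed 2244); use 22 or "ssh" otherwise
port     = 2244
# CentOS writes sshd messages here; Debian/Ubuntu use /var/log/auth.log
logpath  = /var/log/secure
# SSH gets a stricter limit and a longer ban than the DEFAULT section
maxretry = 3
bantime  = 86400
# iptables variant: block the offender on every port, not just the attacked one.
# Comment this out to fall back to the DEFAULT banaction (firewalld) above.
action   = iptables-allports[name=sshd]
```

After editing, `fail2ban-client -t` (available in Fail2Ban 0.10 and later) parses the configuration without starting the server, which catches typos before the restart.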
Activation of the Fail2Ban service
If you are not yet running firewalld on CentOS, enable and start it:
If you want to use iptables instead:
Then enable and start Fail2Ban on the server:
Tracking failed login attempts
The following command lists the failed attempts to log in to the server over SSH.
It prints the failed password attempts, with the IP address each one came from, in a format similar to this:
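As an added example, not part of the tutorial, the script below does two things with the same sshd log lines: it summarizes failed password attempts per source address, which is what the grep of /var/log/secure above gives you, and it replays those lines through the maxretry/findtime rule from the jail.local section, so you can see why an attacker who spaces attempts further apart than findtime is never banned. The log lines are constructed (documentation addresses, one day assumed); the IP extraction relies on the `... from <IP> port <N> ssh2` shape of sshd's "Failed password" message.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarize failed SSH logins per IP and
# replay fail2ban's maxretry/findtime rule over them.
set -eu

# Constructed /var/log/secure lines (not a real capture); all on the same day.
# Debian/Ubuntu writes the same sshd messages to /var/log/auth.log.
SAMPLE_LOG='Jun 12 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 4122 ssh2
Jun 12 10:00:07 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 4130 ssh2
Jun 12 10:00:12 srv sshd[2105]: Failed password for root from 203.0.113.5 port 4138 ssh2
Jun 12 10:00:20 srv sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 5011 ssh2
Jun 12 10:05:00 srv sshd[2120]: Failed password for root from 198.51.100.9 port 6001 ssh2
Jun 12 10:20:00 srv sshd[2130]: Failed password for root from 198.51.100.9 port 6002 ssh2
Jun 12 10:35:00 srv sshd[2140]: Failed password for root from 198.51.100.9 port 6003 ssh2'

# Same idea as: grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c
# The source address is the 4th field from the end ("from <IP> port <N> ssh2").
failed_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Failed password' | awk '{print $(NF-3)}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of failed attempts recorded for one address.
failed_count() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" \
        '/Failed password/ && $(NF-3) == ip { c++ } END { print c + 0 }'
}

# Addresses fail2ban would ban with the given maxretry and findtime (seconds):
# a host is banned the moment it has maxretry failures inside the last findtime.
ban_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$1" -v findtime="$2" '
        /Failed password/ {
            ip = $(NF-3)
            split($3, t, ":")                      # HH:MM:SS -> seconds of day
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (ip in banned) next                 # already banned, stop counting
            n[ip]++
            ts[ip, n[ip]] = now
            hits = 0
            for (i = 1; i <= n[ip]; i++)           # failures still inside the window
                if (ts[ip, i] > now - findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }'
}

echo "failed attempts per IP:";               failed_by_ip
echo "banned with maxretry=3 findtime=600:";  ban_candidates 3 600
echo "banned with maxretry=3 findtime=3600:"; ban_candidates 3 3600
```

Both hosts have three failures, but only 203.0.113.5 is banned with findtime=600: 198.51.100.9 spreads its attempts 15 minutes apart, so at most one of them is ever inside a 10 minute window. Raising findtime to 3600 catches it too, at the cost of counting legitimate typos over a longer period, which is the trade-off you are making when you tune these two values.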
Checking the IP addresses banned by Fail2Ban
The following command lists the IP addresses that Fail2Ban has blocked after identifying them as brute-force sources.
Fail2Ban status check
Use the following command to check the status of the jails in Fail2Ban:
The result should be similar to this:
The following command displays the IP addresses banned in a given jail.
Removing a banned IP address
To remove an IP address from the ban list, replace IPADDRESS with the address you want to unban. sshd is the name of the jail, in this case the sshd jail configured above. The following command removes the address:
Adding your own filter to increase protection
Fail2Ban lets you create your own filters. Below is a short description of how to configure one of them.
- Go to Fail2Ban's filter.d directory:
- Create a wordpress.conf file and add a regular expression to it.
Save and close the file.
- Add the WordPress section to the end of the jail.local file:
If you want to ban bots, just add the action, bantime and maxretry, as in the sshd jail described above.
Without an explicit action the default ban-and-email action is used; other actions can be chosen by adding an action = line.
Save and exit, then restart Fail2Ban with:
Also check that your regex works:
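As an added example, not the tutorial's own filter, the script below writes a wordpress.conf whose failregex treats every POST to wp-login.php as one failed attempt, the matching [wordpress] jail section, and a small stand-in for `fail2ban-regex` that substitutes the `<HOST>` placeholder with an IPv4 pattern and runs the regex over constructed access-log lines. The regex, the log path and the jail values are assumptions; everything is written to a temporary directory, not to /etc/fail2ban.

```shell
#!/bin/sh
# Added example (not from the tutorial): a WordPress login filter plus an offline
# check of its regex against sample access-log lines.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# filter.d/wordpress.conf  (assumed regex). <HOST> is fail2ban's placeholder for
# the offending address; the date in the combined log format is parsed by
# fail2ban's default datepattern, so the regex does not need to match it.
cat > "$WORKDIR/wordpress.conf" <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST .*wp-login\.php
ignoreregex =
EOF

# Section to append to jail.local (assumed values; the default action applies).
cat > "$WORKDIR/jail.local.wordpress" <<'EOF'
[wordpress]
enabled  = true
filter   = wordpress
# web server access log: /var/log/httpd/access_log on CentOS with Apache
logpath  = /var/log/nginx/access.log
port     = http,https
maxretry = 5
bantime  = 3600
EOF

# Constructed combined-format access-log lines (not a real capture).
SAMPLE_ACCESS='203.0.113.5 - - [12/Jun/2019:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2019:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2019:10:00:05 +0200] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2019:10:00:09 +0200] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2019:10:00:11 +0200] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "curl/7.29"'

# Read the failregex from a filter file and turn it into a POSIX ERE by replacing
# <HOST> with an IPv4 pattern (fail2ban itself also accepts IPv6 and hostnames).
filter_to_ere() {
    sed -n 's/^failregex *= *//p' "$1" | sed 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/'
}

# Print the source address of every sample line the filter matches, one per line.
matched_hosts() {
    re=$(filter_to_ere "$WORKDIR/wordpress.conf")
    printf '%s\n' "$SAMPLE_ACCESS" | grep -E "$re" | awk '{print $1}'
}

# Matches for one address: the number fail2ban compares against maxretry.
matches_for() {
    matched_hosts | grep -cx "$1" || true
}

echo "regex: $(filter_to_ere "$WORKDIR/wordpress.conf")"
echo "matched hosts:"; matched_hosts
```

Only the two POSTs from 203.0.113.5 and the one to /blog/wp-login.php from 192.0.2.9 match; a GET of the login page, which is what a legitimate visitor does before logging in, does not count as a failure. On the server the real check is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf`, which reports how many lines matched and, just as importantly, how many lines had no recognizable date.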