How to Install and Configure Fail2Ban
Fail2Ban is an easy tool that can be used to secure connections to your server. It is easy to get running and only needs some minor adjustments to protect your server. However you do have a lot of options to tweak the settings and fine tune your protection to fit your needs.
This guide covers how to secure SSH. Both HTTP and HTTPS can also be secured the same way, with the same options.
The perquisites to install Fail2Ban are listed below:
nano (I use nano as a text editor, but VI works just as good)
Sudo up to root
[user@server ~]# sudo -I
We then need to make sure that the EPEL repository is available, as this is where Fail2Ban is installed from.
[root@server ~]# yum repolist
Check for entries in the repo list that start with epel, if they are unavailable do the following to add it.
[root@server ~]# yum install -y wget
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@server ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@server ~]# yum repolist
Once epel has been added we can then install fail2ban
[root@server ~]# yum install fail2ban fail2ban-systemd
Fail2Ban config files are located in: /etc/fail2ban
Fail2Ban uses a jail.local file to provide all the settings that it applies to incoming connections. The file jail.conf contains all the default values for the settings, so make a copy of the file and call it jail.local. This ensures a master copy remains in jail.conf. Any values that are defined in the jail.local file overwrite any settings in the jail.conf file.
[root@server ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
To set custom settings for your connections you create a jail file for each connection type you want to customize.
For this example we are going to create a ssh config file and define some custom values
[root@server ~]# nano /etc/fail2ban/jail.d/sshd
The contents of the file should be as follows:
enabled = true
port = ssh
action = %(action_mwl)s
logpath = %(sshd_log)s
maxretry = 4
bantime = 86400
mta = sendmail
sender = USER@DOMAIN.COM
destmail = USER@DOMAIN.COM
These options are were the magic happens, these settings override the ones in the jail.local we made previously. These individual ‘jail files’ allow you to fine tune the settings for each connection type. You can setup things such as email alerts, number of times the connection is allowed to retry and set a custom log path.
These settings can be useful on a per connection type basis, as you can set the number of attempts allowed which can be important to lock down certain connections and allow multiple retries on others.
The settings are as follows:
enabled = true # is the file allowed to be active
port = ssh # which connection type are you securing
action = # In the jail.local file there are examples of actions that you can set which have a number of banning options, they are:
action = %(action_)s # this will just ban the incoming IP
action = %(action_mw)s # this will ban an IP and send a message to an email address specified in “destmail”
action = %(action_mwl)s # this will ban the IP, send an email and include the relevent logs
logpath = # Lets you set a custom path to a new logfile output if you want to seperate them
maxretry = # How many login attempts are allowed before the IP is banned