Fail2ban is a very useful application for you if you are managing the security of the server, or you are running your own VPS or physical server. Fail2ban scan log files created on the system and has the ability to ban IPs which found malicious based on configuration rules. We can use it for monitoring various system services logs like Apache, SSH and blog the IPs which are trying to breach the system’s security.
Step 1 – Install Fail2ban on CentOS
First of all, enable epel-release yum repository on your CentSO system. Then install the Fail2ban rpm package using the following commands.
sudo yum install epel-release sudo yum install fail2ban
Step 2 – Fail2ban Default Configuration
Fail2ban provides its own security configuration file /etc/fail2ban/jail.conf, but we need to create a copy of this file as jail.local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo vi /etc/fail2ban/jail.local
Now we need to make necessary changes in jail.local file to create ban rules. Edit this file in your favorite editor and make changes in [DEFAULT] section.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will use as always allowed,
# so add your system ip to protect your ip from banned.
ignoreip = 127.0.0.1/8 192.168.1.0/24 18.104.22.168
# "bantime" is the total number of seconds that a host is banned (3600sec = 1 Hour ).
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime" seconds. as per below
# settings, 2 minutes
findtime = 120
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
Step 3 – Protect SSH/SFTP
After completing default configuration, go down in the same file jail.local and update [ssh-iptables] section as below.
enabled = true filter = sshd action = iptables[name=SSH, port=22, protocol=tcp] sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 3
Step 4 – Protect FTP
Let’s protect your FTP (vsFTPd) server, Find the below entry of [vsftpd-iptables] section and make changes as below. If you are not using vsFTPd, you can skip this section.
[vsftpd-iptables] enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=21, protocol=tcp] sendmail-whois[name=VSFTPD, [email protected]] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800
Step 4 – Restart Fail2ban Service
After making all the changes save your file and restart Fail2ban service using the following command.
sudo service fail2ban restart