How to Install Fail2Ban on CentOS/RHEL 7/6

Written by Rahul, Updated on October 19, 2019

Fail2ban is a very useful application for you if you are managing the security of the server, or you are running your own VPS or physical server. Fail2ban scan log files created on the system and has the ability to ban IPs which found malicious based on configuration rules. We can use it for monitoring various system services logs like Apache, SSH and blog the IPs which are trying to breach the system’s security.

Step 1 – Install Fail2ban on CentOS

First of all, enable epel-release yum repository on your CentSO system. Then install the Fail2ban rpm package using the following commands.

sudo yum install epel-release
sudo yum install fail2ban

Step 2 – Fail2ban Default Configuration

Fail2ban provides its own security configuration file /etc/fail2ban/jail.conf, but we need to create a copy of this file as jail.local.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local

Now we need to make necessary changes in jail.local file to create ban rules. Edit this file in your favorite editor and make changes in [DEFAULT] section.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will use as always allowed,
# so add your system ip to protect your ip from banned.
ignoreip = 127.0.0.1/8 192.168.1.0/24 11.22.33.44

# "bantime" is the total number of seconds that a host is banned (3600sec = 1 Hour ).
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime" seconds. as per below
# settings, 2 minutes
findtime  = 120

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will use as always allowed,

# so add your system ip to protect your ip from banned.

ignoreip = 127.0.0.1/8 192.168.1.0/24 11.22.33.44

# "bantime" is the total number of seconds that a host is banned (3600sec = 1 Hour ).

bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime" seconds. as per below

# settings, 2 minutes

findtime = 120

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

Step 3 – Protect SSH/SFTP

After completing default configuration, go down in the same file jail.local and update [ssh-iptables] section as below.

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3

Step 4 – Protect FTP

Let’s protect your FTP (vsFTPd) server, Find the below entry of [vsftpd-iptables] section and make changes as below. If you are not using vsFTPd, you can skip this section.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, [email protected]]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Step 4 – Restart Fail2ban Service

After making all the changes save your file and restart Fail2ban service using the following command.

sudo service fail2ban restart

Step 1 – Install Fail2ban on CentOS

Step 2 – Fail2ban Default Configuration

Step 3 – Protect SSH/SFTP

Step 4 – Protect FTP

Step 4 – Restart Fail2ban Service

Rahul

Leave a Reply