# dnf install fail2ban
The daemon comes with a working default configuration, but if you want to make changes you should not do it in the .conf files: they belong to the package and are overwritten on update. Put your changes in .local files (or in jail.d/), which fail2ban reads after the .conf files.

# ll /etc/fail2ban/
drwxr-xr-x. 2 root root  4096 Oct 26 13:55 action.d
-rw-r--r--. 1 root root  3017 Feb 23  2024 fail2ban.conf
drwxr-xr-x. 2 root root     6 Feb 23  2024 fail2ban.d
drwxr-xr-x. 3 root root  4096 Oct 26 14:56 filter.d
-rw-r--r--. 1 root root 25607 Feb 23  2024 jail.conf
drwxr-xr-x. 2 root root    53 Oct 26 15:23 jail.d
-rw-r--r--. 1 root root  2728 Feb 23  2024 paths-common.conf
-rw-r--r--. 1 root root   930 Feb 23  2024 paths-fedora.conf
# cd /etc/fail2ban/
# cp fail2ban.conf fail2ban.local
# cp jail.conf jail.local
# vi jail.local

In the [DEFAULT] section of jail.local change:

[DEFAULT]
bantime = 1h
maxretry = 3

(A jail.local that contains only the settings you change is enough; copying the whole jail.conf works too, but see the note about banaction below.)

# cd jail.d/
# cp 00-firewalld.conf 00-firewalld.local
# vi 00-firewalld.local
Our system uses firewalld, not iptables, so the ban actions that point at iptables must not be the ones in effect. fail2ban reads the jail configuration in this order: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, and every later file overrides the earlier ones.

jail.conf (and therefore a jail.local that is a full copy of it) sets in [DEFAULT]:

banaction = iptables-multiport
banaction_allports = iptables-allports

The fail2ban-firewalld package overrides these in jail.d/00-firewalld.conf with:

banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

Because jail.local is read after jail.d/00-firewalld.conf, a full copy of jail.conf would put the iptables lines back. Either replace the two iptables lines in jail.local with the firewallcmd lines above, or keep the 00-firewalld.local copy made above: jail.d/*.local is read last of all, so its firewallcmd lines win whatever jail.local says. After the daemon is running, fail2ban-client get <jail> actions shows which action is actually in effect.

At this point, fail2ban is configured to work with firewalld.
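The precedence rule above is easy to get wrong, so here is an added example (not code from the page or from fail2ban) that reproduces fail2ban's documented read order with Python's configparser over a constructed, cut-down set of files and reports which banaction ends up in [DEFAULT]. The file contents, the temp-directory layout and the helper names (fail2ban_read_order, effective_defaults, build_tree) are assumptions made for this example.

```python
"""Added example: which banaction wins under fail2ban's jail-config read order?

fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then
jail.d/*.local; each later file overrides the earlier ones. The file
contents below are constructed and cut down to the lines that matter.
"""
import configparser
import glob
import os
import tempfile

# Constructed stand-in for the shipped jail.conf [DEFAULT] section.
JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
bantime = 10m
maxretry = 5

[sshd]
port = ssh
"""

# What the fail2ban-firewalld package puts into jail.d/00-firewalld.conf.
FIREWALLD_CONF = """\
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
"""

# A jail.local that holds only the values we actually want to change.
LOCAL_OVERRIDES_ONLY = """\
[DEFAULT]
bantime = 1h
maxretry = 3
"""


def fail2ban_read_order(basedir, name="jail"):
    """Return the config files in the order fail2ban reads them."""
    base = os.path.join(basedir, name)
    files = [base + ".conf"]
    files += sorted(glob.glob(os.path.join(base + ".d", "*.conf")))
    files.append(base + ".local")
    files += sorted(glob.glob(os.path.join(base + ".d", "*.local")))
    return files


def effective_defaults(basedir):
    """Merge the files in read order and return the resulting [DEFAULT] values."""
    # interpolation=None: fail2ban's %(name)s references must not be expanded here.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(fail2ban_read_order(basedir))  # files that do not exist are skipped
    d = cfg.defaults()
    return {k: d[k] for k in ("banaction", "banaction_allports", "bantime", "maxretry")}


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def build_tree(full_copy_local, firewalld_local):
    """Create a throw-away /etc/fail2ban look-alike (constructed, in a temp dir).

    full_copy_local: jail.local is a full copy of jail.conf with bantime and
                     maxretry edited; otherwise it holds only the overrides.
    firewalld_local: also copy 00-firewalld.conf to jail.d/00-firewalld.local.
    """
    root = tempfile.mkdtemp(prefix="f2b-")
    os.mkdir(os.path.join(root, "jail.d"))
    _write(root, "jail.conf", JAIL_CONF)
    _write(root, "jail.d/00-firewalld.conf", FIREWALLD_CONF)
    if full_copy_local:
        edited = JAIL_CONF.replace("bantime = 10m", "bantime = 1h")
        edited = edited.replace("maxretry = 5", "maxretry = 3")
        _write(root, "jail.local", edited)
    else:
        _write(root, "jail.local", LOCAL_OVERRIDES_ONLY)
    if firewalld_local:
        _write(root, "jail.d/00-firewalld.local", FIREWALLD_CONF)
    return root


if __name__ == "__main__":
    for full_copy, fw_local in ((True, False), (True, True), (False, False)):
        eff = effective_defaults(build_tree(full_copy, fw_local))
        print(f"full-copy jail.local={full_copy!s:5} 00-firewalld.local={fw_local!s:5} "
              f"-> banaction={eff['banaction']} bantime={eff['bantime']}")
```

The first combination (full copy of jail.conf, no 00-firewalld.local) is the trap: the effective banaction is iptables-multiport even though 00-firewalld.conf is present. On the real host the equivalent check is fail2ban-client get sshd actions.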
Settings in the [DEFAULT] section of jail.local are global: they apply to every jail that does not override them.

# systemctl start fail2ban
# systemctl enable fail2ban

jail.conf is the main configuration file and documents all available options. It already contains jail definitions for many services (HTTP, FTP, SSH, Squid, Monit, Horde, Drupal and more), all disabled by default. To enable one, add enabled = true to that jail's section in jail.local or in a file under jail.d/, not in jail.conf itself.
Now we set up the services we want to protect with fail2ban.

By default no jail is enabled. We add one file per service in the /etc/fail2ban/jail.d directory.

bantime accepts plain seconds or a value with a unit suffix (120, 10m, 1h). The value in [DEFAULT] applies to all jails; a jail can set its own fixed value. If bantime.increment = true is set in [DEFAULT], fail2ban lengthens the ban for hosts that get banned repeatedly instead of using the fixed value.
# systemctl restart fail2ban
# fail2ban-client status
# fail2ban-client status <jail>
You can find the logs in /var/log/fail2ban.log.
Let's start with SSH.

To configure fail2ban for SSH, create a jail file under jail.d:

# vi /etc/fail2ban/jail.d/sshd.conf

Add the following lines:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 120
ignoreip = whitelist-IP

Replace whitelist-IP with the addresses or networks (your workstation, the LAN) that must never be banned. The status output further down shows "Journal matches", which means this host uses the systemd backend; in that case fail2ban reads sshd's messages from the journal and logpath is not consulted.
This jail's bantime (120 s) overrides the 1h set in [DEFAULT]; a jail-level maxretry takes precedence over the global one in the same way.

Save it and restart fail2ban.

# systemctl restart fail2ban
# fail2ban-client status
# fail2ban-client status sshd
# fail2ban-client get sshd maxretry
3
# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-rich-rules
#
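To make the interplay of maxretry, findtime, bantime and ignoreip concrete, here is an added example (not code from the page or from fail2ban) that models what the sshd jail above does, run over constructed syslog-style lines. The regex is a simplified stand-in for two patterns of filter.d/sshd.conf (the real filter has many more), the log lines and addresses are made up, and the class and function names (Jail, simulate, log_time) are assumptions made for this example.

```python
"""Added example: toy model of an sshd jail's maxretry/findtime/bantime/ignoreip.

Constructed log lines (documentation addresses), a simplified failregex, and
a sliding-window failure count per host, as fail2ban does for a jail.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample lines
EPOCH = datetime(1970, 1, 1)

# Simplified stand-in for two of the patterns in fail2ban's sshd filter.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*? from (?P<host>\S+)"
)

# Constructed sample: a fast brute force, a LAN host, and a slow attacker.
SAMPLE_LOG = """\
Nov 17 10:37:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 17 10:37:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Nov 17 10:37:09 host sshd[1003]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Nov 17 10:37:12 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 17 10:37:20 host sshd[1005]: Failed password for bob from 192.168.1.20 port 50001 ssh2
Nov 17 10:37:21 host sshd[1006]: Failed password for bob from 192.168.1.20 port 50002 ssh2
Nov 17 10:37:22 host sshd[1007]: Failed password for bob from 192.168.1.20 port 50003 ssh2
Nov 17 10:50:00 host sshd[1008]: Invalid user test from 198.51.100.9 port 41000
Nov 17 11:05:00 host sshd[1009]: Invalid user test from 198.51.100.9 port 41001
Nov 17 11:20:00 host sshd[1010]: Invalid user test from 198.51.100.9 port 41002
"""


def log_time(line):
    """Epoch seconds of a syslog-style timestamp such as 'Nov 17 10:37:01'."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return (stamp - EPOCH).total_seconds()


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=120, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure times inside findtime
        self.banned = {}                    # host -> time the ban expires
        self.events = []                    # ("Ban" | "Unban", host, time)

    def _expire(self, now):
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.events.append(("Unban", host, until))

    def feed(self, line):
        """Process one log line and return what the jail did with it."""
        now = log_time(line)
        self._expire(now)
        m = FAILREGEX.search(line)
        if not m:
            return None
        host = m.group("host")
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return "ignore"                 # ignoreip: never counted, never banned
        if host in self.banned:
            return "already banned"
        recent = self.failures[host]
        recent.append(now)
        while recent and recent[0] < now - self.findtime:
            recent.popleft()                # only failures inside findtime count
        if len(recent) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.events.append(("Ban", host, now))
            recent.clear()
            return "ban"
        return "fail"


def simulate(log_text, **jail_settings):
    jail = Jail(**jail_settings)
    for line in log_text.splitlines():
        if line.strip():
            jail.feed(line)
    return jail


if __name__ == "__main__":
    # Same numbers as the sshd jail above; the LAN is whitelisted via ignoreip.
    jail = simulate(SAMPLE_LOG, maxretry=3, findtime=600, bantime=120,
                    ignoreip=["192.168.1.0/24"])
    for action, host, when in jail.events:
        print(action, host, (EPOCH + timedelta(seconds=when)).strftime("%H:%M:%S"))
```

With the jail's settings only 203.0.113.5 is banned (three failures in eleven seconds) and released 120 s later; the LAN host is protected by ignoreip, and 198.51.100.9 never trips maxretry because its attempts are fifteen minutes apart, wider than the default findtime of 10m. Raising findtime to an hour catches it, which is the knob to turn for slow brute-forcers.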
We now have protection against SSH brute forcing. You can do more.

If your router has a built-in VPN server, you can keep the SSH port closed on the router and only reach sshd through the VPN tunnel from your workstation. Inside the LAN the server stays reachable and is protected by fail2ban.
To protect the WordPress login with fail2ban, download the filter that ships with the WP fail2ban plugin into filter.d:

# wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf

Next, create a jail for WordPress under jail.d:

# vi /etc/fail2ban/jail.d/wordpress.conf

Add the following lines:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/httpd/blog.example.com-access_log
maxretry = 3
port = http,https
bantime = 300

Note that the wordpress-hard filter matches the syslog messages written by the WP fail2ban plugin (its failregex uses the standard syslog line prefix); it does not parse an Apache access log. So the plugin must be active on the site, and logpath must point at the file where syslog writes the plugin's messages (or the jail must use backend = systemd and read the journal). Before relying on the jail, test the filter against real lines with fail2ban-regex <logfile> /etc/fail2ban/filter.d/wordpress.conf and make sure it reports matches.
The parameters a jail needs are shown in the postfix jail below. Most of them are already in the [postfix] section of /etc/fail2ban/jail.conf, so a file in jail.d only has to set enabled = true and whatever you want to override.

[postfix]
enabled = true
filter = postfix
port = 25,465,587
logpath = /var/log/maillog
backend = %(postfix_backend)s

Ports are listed comma-separated without spaces (jail.conf writes them as smtp,465,submission). On Fedora the mail log is /var/log/maillog, which is what jail.conf's %(postfix_log)s resolves to through paths-fedora.conf; with the systemd backend the journal is read and logpath is ignored anyway.
# fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:	dovecot, postfix, sshd, wordpress
# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
At this point, fail2ban is configured to protect the SSH service. Now it's time to check whether fail2ban is working.

Go to a remote machine (one not covered by ignoreip) and try to connect to the SSH server with a wrong password. After maxretry failures within findtime (3 with the sshd jail above, default findtime 10m), your IP address is banned by fail2ban.
Now, check the IP address blocked by fail2ban using the following command:
# fail2ban-client status sshd
You should get the following output:
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	6
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	27.61.171.115
You can check the rich rule that fail2ban added to firewalld with the following command:
# firewall-cmd --list-rich-rules
You will get the following output:
rule family="ipv4" source address="27.61.171.115" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

You can also check the fail2ban logs for more information:
# tail /var/log/fail2ban.log
Sample output:
2021-11-17 10:37:21,837 fail2ban.filter [21186]: INFO [sshd] Found 27.61.171.115 - 2021-11-17 10:37:21
2021-11-17 10:37:21,859 fail2ban.actions [21186]: NOTICE [sshd] Ban 27.61.171.115
2021-11-17 10:37:27,220 fail2ban.filter [21186]: INFO [sshd] Found 27.
If you want to block a remote IP address manually in the sshd jail, run the following command:

# fail2ban-client set sshd banip <remote-ip-address>

Only if firewalld runs with its iptables backend can you also see the ban with:

# iptables -nL

On Fedora firewalld uses the nftables backend by default, so the rule will not show up there; use firewall-cmd --list-rich-rules as above, or nft list ruleset.

fail2ban removes a ban automatically when the jail's bantime expires (120 s for the sshd jail above, 1h for jails that inherit the [DEFAULT] value).
To unban the banned IP manually, run the following command:
# fail2ban-client set sshd unbanip remote-ip-address
You can also list trusted addresses in jail.local so that fail2ban never bans them.

# vi /etc/fail2ban/jail.local

In the [DEFAULT] section add:

[DEFAULT]
ignoreip = trusted-ip1 trusted-ip2

The value is a space-separated list of addresses or networks in CIDR notation (127.0.0.1/8 and ::1 are worth keeping in it). Note that a jail which sets its own ignoreip, as the sshd jail above does, replaces the global list for that jail rather than extending it.

Save and close the file. Then reload fail2ban to apply the configuration (a reload keeps the current bans; a restart restores them from fail2ban's database):

# fail2ban-client reload
# systemctl restart fail2ban