{"id":496,"date":"2019-05-15T17:08:18","date_gmt":"2019-05-15T17:08:18","guid":{"rendered":"https:\/\/unsrewiki.1sys1.com\/?p=496"},"modified":"2019-05-15T17:08:18","modified_gmt":"2019-05-15T17:08:18","slug":"installing-configuring-fail2ban-to-secure-your-server","status":"publish","type":"post","link":"https:\/\/server-help.org\/index.php\/2019\/05\/15\/installing-configuring-fail2ban-to-secure-your-server\/","title":{"rendered":"Installing & Configuring Fail2ban to Secure your Server"},"content":{"rendered":"\n

As we have mentioned previously<\/a>, how to Secure your Server SSH Login. Today, we are going to Install and Configure Fail2ban, to black list illegitimate connections, most likely (DDOS, Bruteforce Attacking, etc..) on your Server.<\/p>\n\n\n\n

Fail2ban is not available in CentOS package repository. Therefore, we need to install EPEL <\/a>(Extra Packages for Enterprise Linux) repository first. EPEL contains additional packages for all CentOS versions, one of these additional packages is Fail2Ban.<\/p>\n\n\n\n

First, we ensure that our System is up to date<\/p>\n\n\n\n

# yum update && yum upgrade<\/code><\/pre>\n\n\n\n
Then, we install  we will EPEL repository :<\/p>\n\n\n\n
# yum install epel-release<\/code><\/pre>\n\n\n\n
Now, we should be able to proceed with Fail2ban installation:<\/p>\n\n\n\n
# yum install fail2ban fail2ban-systemd<\/code><\/pre>\n\n\n\n
After we complete the installation, we need to enable and start the service:<\/p>\n\n\n\n
# systemctl enable fail2ban && systemctl start fail2ban<\/code><\/pre>\n\n\n\n
Now fail2ban.service has been enabled and started, the configuration file is located \/etc\/fail2ban\/jail.conf<\/strong>, we shouldn’t make any configuration in this file; because this file can be changed by Package upgrade, therefore, we will create jail.local<\/strong>. jail.local<\/strong> will override the configuration in jail.conf<\/strong><\/p>\n\n\n\n
# cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n
Now, open jail.local file, with any text editor<\/p>\n\n\n\n
# vi \/etc\/fail2ban\/jail.local\nor\n# nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n
Our Configuration will start, from [DEFAULT] line:<\/p>\n\n\n\n
[DEFAULT]\n\n# \"bantime\" is the number of seconds that a host is banned.\nbantime  = 600\n\n# A host is banned if it has generated \"maxretry\" during the last \"findtime\"\n# seconds.\nfindtime  = 600\n\n# \"maxretry\" is the number of failures before a host get banned.\nmaxretry = 5<\/code><\/pre>\n\n\n\n
By default, Fail2ban, will black list \/ ban any illegitimate connection after 5 tries for 10 Minutes (600 Seconds). We can change to whatever value your Business requires.<\/p>\n\n\n\n
Now, save you changes, and restart faile2ban service:<\/p>\n\n\n\n
# systemctl restart fail2ban.service<\/code><\/pre>\n\n\n\n
Then, we need to add jail file to protect our SSH, we create new file with text editor:<\/p>\n\n\n\n
# vi \/etc\/fail2ban\/jail.d\/sshd.local\nor\n# nano \/etc\/fail2ban\/jail.d\/sshd.local<\/code><\/pre>\n\n\n\n
Then, we add the following parameters:<\/p>\n\n\n\n
[sshd]\nenabled = true\nport = ssh\n#action = firewallcmd-ipset\nlogpath = %(sshd_log)s\nmaxretry = 5\nbantime = 86400<\/code><\/pre>\n\n\n\n
  • Parameter enabled<\/strong> is set to true, in order to provide protection to SSH.<\/li>
  • Port<\/strong> parameter can be left as it is (22), but if we changed the port we need to define the new Port.<\/li>
  • Logpath<\/strong> provides the path where the log file is stored. This log file is scanned by Fail2Ban.<\/li>
  • Maxretry<\/strong> is used to set the maximum limit for failed login entries.<\/li>
  • Bantime<\/strong> parameter is used to set the duration of seconds for which a host needs to be banned.<\/li><\/ul>\n\n\n\n
    After that, we need to restart Fail2ban service:<\/p>\n\n\n\n
    # systemctl restart fail2ban.service<\/code><\/pre>\n\n\n\n
    To track \/ check the failed attempts to login:<\/p>\n\n\n\n
    # cat \/var\/log\/secure | grep 'Failed password'\nMay 15 16:32:34 c498cf0 sshd[34695]: Failed password for invalid user oracle from 206.189.72.217 port 55742 ssh2\nMay 15 16:32:49 c498cf0 sshd[34714]: Failed password for invalid user service from 181.120.219.187 port 33146 ssh2\nMay 15 16:33:00 c498cf0 sshd[34716]: Failed password for invalid user gn from 159.203.111.100 port 43755 ssh2\nMay 15 16:33:21 c498cf0 sshd[34718]: Failed password for invalid user srvadmin from 123.30.236.149 port 54904 ssh2\nMay 15 16:33:58 c498cf0 sshd[34720]: Failed password for invalid user lv from 187.183.84.178 port 45506 ssh2\nMay 15 16:34:00 c498cf0 sshd[34722]: Failed password for invalid user mai from 213.32.90.123 port 49708 ssh2\nMay 15 16:34:16 c498cf0 sshd[34724]: Failed password for invalid user cs from 180.250.111.17 port 40409 ssh2\nMay 15 16:34:24 c498cf0 sshd[34726]: Failed password for invalid user admin from 118.25.40.16 port 42092 ssh2\nMay 15 16:34:32 c498cf0 sshd[34728]: Failed password for invalid user nelson from 209.235.67.48 port 59786 ssh2\nMay 15 16:35:16 c498cf0 sshd[34731]: Failed password for invalid user jian from 217.165.24.7 port 54734 ssh2<\/code><\/pre>\n\n\n\n
    To check Fail2ban status:<\/p>\n\n\n\n
    # fail2ban-client status\nStatus\n|- Number of jail:      1\n`- Jail list:   sshd<\/code><\/pre>\n\n\n\n
    To check the sshd jail, here we will see all banned \/ black listed IPs:<\/p>\n\n\n\n
    # fail2ban-client status sshd\nStatus for the jail: sshd\n|- Filter\n|  |- Currently failed: 1\n|  |- Total failed:     11\n|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd\n`- Actions\n   |- Currently banned: 17\n   |- Total banned:     17\n   `- Banned IP list:   118.25.40.16 118.89.166.193 123.30.236.149 141.98.81.81 159.203.111.100 180.250.111.17 181.120.219.187 182.23.64.177 206.189.72.217 209.235.67.48 213.32.90.123 217.165.24.7 37.252.190.224 45.55.156.159 104.238.116.94 31.184.135.153 124.173.71.245<\/code><\/pre>\n\n\n\n
    In order to remove any  IP address from the banned list:<\/p>\n\n\n\n
    # fail2ban-client set sshd unbanip <IPADDRESS><\/code><\/pre>\n\n\n\n
    Now our Server is Secure by Fail2ban.<\/p>\n","protected":false},"excerpt":{"rendered":"
    As we have mentioned previously, how to Secure your Server SSH Login. Today, we are going to Install and Configure Fail2ban, to black list illegitimate connections, most likely (DDOS, Bruteforce Attacking, etc..) on your Server. Fail2ban is not available in CentOS package repository. Therefore, we need to install EPEL (Extra Packages for Enterprise Linux) repository…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,11,1],"tags":[],"_links":{"self":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/496"}],"collection":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/comments?post=496"}],"version-history":[{"count":4,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/496\/revisions"}],"predecessor-version":[{"id":500,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/posts\/496\/revisions\/500"}],"wp:attachment":[{"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/media?parent=496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/categories?post=496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server-help.org\/index.php\/wp-json\/wp\/v2\/tags?post=496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}