How to install Fail2Ban on CentOS

Posted on April 3rd, 2018

Fail2Ban is an alternative to the CSF firewall software. It continuously monitors log files and blocks IPs that show malicious signs, such as too many login errors or probing for exploits. It works by dynamically altering the firewall rules to ban IPs that reach a certain number of login failures. Fail2Ban is written in Python and is configured through a variety of files located in the /etc/fail2ban directory. Unlike CSF, it is very easy to write new regex statements to watch any log file we need. In this tutorial, I discuss the installation steps for the Fail2Ban service on a CentOS system.

Let’s go through the installation of the Fail2Ban service on a CentOS server.

Fail2Ban is not available in the default CentOS repositories; it is provided by the EPEL repository. So we need to enable the EPEL repository first, which we can do by executing the command below:

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Once that is done, install Fail2Ban with the command below:

# yum -y install fail2ban

Now, we need to enable the service so that it starts at boot time:

# chkconfig --add fail2ban

# chkconfig fail2ban on

Once the above steps are completed, we need to make a few changes to its configuration file at /etc/fail2ban/jail.conf. Here we can set which services on the server should be monitored, the number of failed attempts before an IP address is blocked, how long the IP stays banned, and so on.

We can also add our own IPs to the trusted list by putting them on the ignoreip line in /etc/fail2ban/jail.conf; separate each IP with a space.

ignoreip = 127.0.0.1 1.2.3.4 123.123.123.0/24

The bantime directive sets how long an IP stays blocked by the server firewall. The default value is 600 seconds.

The maxretry directive is the number of failed login attempts allowed before the suspicious IP address is blocked.

The next one is the findtime directive: the time frame in which failed logins are counted. If an IP reaches the maxretry number of failed logins within this time frame, it is blocked. The default value is 600 seconds.
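
To see how ignoreip, maxretry, findtime and bantime interact, here is an added example (not part of the original tutorial and not Fail2Ban's own code) that models the ban decision in Python over constructed sshd log lines. The regex, the sample addresses, MAXRETRY = 3 and the assumed year 2018 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed values for the jail.conf directives discussed above.
IGNOREIP = "127.0.0.1 1.2.3.4 123.123.123.0/24"
BANTIME, FINDTIME, MAXRETRY = 600, 600, 3

# Simplified sshd failure pattern written for this example, not a Fail2Ban filter.
FAIL_RE = re.compile(r"^(\w{3}) +(\d+) ([\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for .+ from (\S+) port \d+")

# Constructed sample log (documentation addresses; syslog has no year, 2018 assumed).
SAMPLE_LOG = """\
Apr  3 10:00:00 web1 sshd[901]: Failed password for root from 198.51.100.9 port 5001 ssh2
Apr  3 10:00:01 web1 sshd[902]: Failed password for root from 203.0.113.7 port 4001 ssh2
Apr  3 10:00:05 web1 sshd[903]: Failed password for admin from 123.123.123.50 port 6001 ssh2
Apr  3 10:00:06 web1 sshd[904]: Failed password for admin from 123.123.123.50 port 6002 ssh2
Apr  3 10:00:07 web1 sshd[905]: Failed password for admin from 123.123.123.50 port 6003 ssh2
Apr  3 10:00:30 web1 sshd[906]: Failed password for root from 203.0.113.7 port 4002 ssh2
Apr  3 10:01:00 web1 sshd[907]: Failed password for root from 203.0.113.7 port 4003 ssh2
Apr  3 10:05:00 web1 sshd[908]: Failed password for root from 198.51.100.9 port 5002 ssh2
Apr  3 10:11:00 web1 sshd[909]: Failed password for root from 198.51.100.9 port 5003 ssh2
"""

def simulate(log_text, year=2018):
    """Return [(ip, ban_start, ban_end)] for the failures found in log_text."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP.split()]
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in log_text.splitlines():
        if not (m := FAIL_RE.match(line)):
            continue
        when = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m[4])
        if any(ip in net for net in trusted) or banned_until.get(ip, when) > when:
            continue                          # on the ignoreip list, or still banned
        window = failures[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()                  # older than findtime: no longer counted
        if len(window) >= MAXRETRY:           # maxretry failures inside findtime
            banned_until[ip] = when + timedelta(seconds=BANTIME)
            bans.append((str(ip), when, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

Only 203.0.113.7 is banned here: the failures from 198.51.100.9 never fall inside a single findtime window, and 123.123.123.50 sits inside the ignoreip range. This is why findtime and the ignoreip ranges deserve as much care as maxretry when tuning a jail.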

 

The file /etc/fail2ban/jail.conf also contains many other service checks, which can be adjusted to suit our needs. Once everything is set the way you need it, restart the fail2ban service by issuing the command below.

# service fail2ban restart

Fail2Ban applies its bans through iptables, so we can list the resulting firewall rules with the iptables command.

# iptables -L

If you need any further help, please reach out to our support department.