Overview
In this guide we will install fail2ban on a Linux-based operating system. Installing and configuring fail2ban is important when your system is reachable from a public network. One commonly exposed service is “ssh”, which grants access to the system, even when sshd is configured to grant access only to authorized users.
This exposure can be mitigated with “Fail2Ban”, which automatically creates a rule blocking the source of repeated unsuccessful login attempts within a specific time frame.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When an attempted compromise is detected according to the defined parameters, Fail2ban adds a new rule to iptables, blocking the IP address of the attacker either for a configured amount of time or permanently.
Fail2ban can also alert you by email that an attack is occurring.
Fail2ban is primarily focused on SSH attacks, although it can be further configured to work for any service that writes log files and can be subject to compromise.
Applies To
- RHEL 7
Pre-Requisites
- Python 2.6 or higher
- epel-release repository is installed on the server. To install it, run the command:
  yum install epel-release -y
Package Install – Fail2Ban
After installing the “epel-release” repository package, install the fail2ban-firewalld package by running the command:
yum install fail2ban-firewalld -y
Verify Package Install – Fail2Ban
To verify that the package has been installed, run the command below; alternatively, you can check with the command “yum history”.
rpm -qai fail2ban* | grep -E "Name|\ Install Date"
Fail2Ban – Configuration
Before we start the service, let us look at the configuration files and their purpose.
Jail – Configuration File Types
fail2ban has 4 configuration file types, stored in the “/etc/fail2ban/” folder. Listed below are the configuration files and their purpose.
Configuration File | Purpose |
---|---|
fail2ban.conf | Fail2Ban global configuration (such as logging) |
filter.d/*.conf | Filters specifying how to detect authentication failures |
action.d/*.conf | Actions defining the commands for banning and unbanning an IP address |
jail.conf | Jails defining combinations of filters with actions |
Jail Configuration Files – Parsing Order
fail2ban parses the configuration files in the following order: first all *.conf files, then all *.local files.
Configuration File / Directory | Parsing Order |
---|---|
jail.conf | Parsed first |
jail.d/*.conf | Files in this directory with the .conf extension, parsed in alphabetical order |
jail.local | Parsed next |
jail.d/*.local | Files in this directory with the .local extension, parsed in alphabetical order |
jail.conf - Configuration Files
*.conf files are distributed by Fail2Ban and are located by default under the “/etc/fail2ban/” folder. It is recommended that *.conf files remain unchanged to ease upgrades. If needed, customizations should be provided in *.local files.
jail.local – Configuration Files
In .local files, specify only the settings that you intend to change; the rest of the configuration then comes from the corresponding .conf file, which is parsed first.
Configure – Enable SSH Port Monitoring
To monitor the ssh port and ban hosts that fail to authenticate on the server, add the configuration below to the file “/etc/fail2ban/jail.local”. It bans, for the bantime set below (one day), any IP address that fails to authenticate on the ssh port three times within one hour. Add the entry below to the fail2ban local configuration file:
vi /etc/fail2ban/jail.local
[DEFAULT]
# Ban hosts for one day (seconds):
bantime = 86400
# Monitoring SSH Service
[sshd]
enabled = true
# Never ban these addresses / networks (space separated):
ignoreip = 127.0.0.1/8 192.168.1.1/24 192.168.3.1/24 192.168.7.1/24
# Failures allowed before a ban:
maxretry = 3
# Window (seconds) in which the maxretry failures must occur:
findtime = 3600
Enable and Start Service – fail2ban
After adding the customized configuration to the “jail.local” file, enable and start the “fail2ban” service. To enable it, run the command:
systemctl enable fail2ban; systemctl status fail2ban -l
The next step is to start the service; to start it, run the command:
systemctl start fail2ban; systemctl status fail2ban -l
View Firewall Rules
After starting the fail2ban service, a firewall rule is automatically added through firewalld's direct interface, which passes rules directly to iptables, ip6tables and ebtables.
It is primarily intended for use by applications.
The direct interface is used by adding the --direct option to the firewall-cmd command. To list the rules, run:
firewall-cmd --direct --get-all-rules
Next, to check whether the jail has been configured successfully, run the command:
fail2ban-client status
You can also list the IP addresses currently in the ban set, with their remaining timeout, using “ipset”, the IP sets administration tool; run the command:
ipset list fail2ban-sshd
IP Address Whitelisting
To whitelist an IP address, add it to the “ignoreip” attribute; additional IP addresses or CIDR ranges are separated by spaces.
ignoreip = 127.0.0.1/8 192.168.1.1/24
Banning IP Address
The following attributes control when an IP address is added to the ban list.
Attribute | Purpose |
---|---|
bantime | The length of time in seconds for which an IP is banned. If set to a negative number, the ban is permanent. The default value of 600 bans an IP for 10 minutes. |
findtime | The window in seconds within which the failed login attempts must occur before a ban is set. For example, if Fail2ban is set to ban an IP after five (5) failed login attempts, those 5 attempts must occur within the set 10-minute findtime limit. The findtime value is a number of seconds. |
maxretry | How many attempts can be made to access the server from a single IP before a ban is imposed. The default is set to 3. |
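As an added example (not part of the original guide and not fail2ban's own code), the Python script below replays constructed sshd log lines through the maxretry / findtime / bantime / ignoreip logic of the jail.local entry above and the attribute table, and reports which addresses would be banned and until when. The failure regex and the log year are simplifications assumed here, not fail2ban's sshd filter.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail values copied from the jail.local example in this guide.
MAXRETRY, FINDTIME, BANTIME = 3, 3600, 86400   # failures / window seconds / ban seconds
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.1.1/24")]
LOG_YEAR = 2024   # syslog timestamps carry no year (assumption)
# Simplified stand-in for the sshd filter's failure regex (assumption, not fail2ban's own).
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
# Constructed /var/log/secure excerpt: 203.0.113.5 fails 3x within 6 min, 198.51.100.7
# fails 3x but 90 min apart, 192.168.1.50 fails 3x but lies inside ignoreip.
SAMPLE_LOG = """\
Jan 10 10:00:00 host sshd[1004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 11:30:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:03:10 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:05:45 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:10:00 host sshd[1007]: Failed password for root from 192.168.1.50 port 40007 ssh2
Jan 10 12:10:05 host sshd[1008]: Failed password for root from 192.168.1.50 port 40008 ssh2
Jan 10 12:10:09 host sshd[1009]: Failed password for root from 192.168.1.50 port 40009 ssh2
Jan 10 12:20:00 host sshd[1010]: Accepted publickey for deploy from 203.0.113.9 port 40010 ssh2
Jan 10 13:00:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40006 ssh2
"""

def is_ignored(ip):          # ignoreip check: skip whitelisted networks
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)

def parse_line(line):        # -> (timestamp, ip) for a failure line, else None
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def evaluate(lines):         # -> {ip: ban expiry} for every IP that hit maxretry
    attempts = defaultdict(deque)   # per-IP failure times still inside findtime
    bans = {}
    for ts, ip in filter(None, map(parse_line, lines)):
        if is_ignored(ip) or ip in bans:
            continue                # whitelisted, or already banned
        window = attempts[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()        # forget failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = ts + timedelta(seconds=BANTIME)
    return bans
```

Running `evaluate(SAMPLE_LOG.splitlines())` bans only 203.0.113.5, until 2024-01-11 12:05:45; the slow attacker never has three failures inside one findtime window and the ignoreip host is never counted.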
EMail Alerts
To configure email alerts, set the following attributes; the notification is sent to destemail (the recipient).
Attribute | Purpose |
---|---|
destemail | The email address where you would like to receive the emails. |
sendername | The name under which the email shows up. |
sender | The email address from which Fail2ban will send emails. |
fail2ban Client – Command
fail2ban can be managed from the command line with the "fail2ban-client" command; listed below are its various arguments and their purpose.
Command | Purpose |
---|---|
start | Starts the Fail2ban server and jails. |
reload | Reloads Fail2ban’s configuration files. |
reload JAIL NAME | Reloads only the named jail; replace JAIL NAME with the name of a Fail2ban jail. |
stop | Terminates the server. |
status | Shows the status of the server and the enabled jails. |
status JAIL NAME | Shows the status of the named jail, including any currently banned IPs. |
fail2ban Client – Status
To know the current status of all jails, run the command:
fail2ban-client status
fail2ban Client – Status Jail Name
To know the current status of a specific jail (by name), run the command:
fail2ban-client status sshd
Service Management – fail2ban
By default after installation, fail2ban is neither enabled nor started automatically, so in the next steps we will enable and start the service and subsequently configure the firewall rules.
Enable Service – fail2ban
To enable the daemon so that it starts at OS startup and check the status of the service, run the command:
systemctl enable fail2ban
Start Service – fail2ban
To start the daemon and check the status of the service, run the command:
systemctl start fail2ban; systemctl status fail2ban -l
Stop Service – fail2ban
To stop the daemon and check the status of the service, run the command:
systemctl stop fail2ban; systemctl status fail2ban -l
Restart Service – fail2ban
To restart the daemon and check the status of the service, run the command:
systemctl restart fail2ban; systemctl status fail2ban -l
Slideshare Info
A step-by-step guide is uploaded to slideshare.