Using fail2ban on a CentOS 7 system

If you run a server that is accessible to anyone on the Internet, you should expect that many people and bots will attempt to break into the system, which is why you should ensure that all accounts have strong passwords. Many attackers will use a dictionary attack where they pair common account names, such as root, admin, administrator, etc. with every word in a dictionary. Or they may even pair a "name dictionary" with a dictionary for a particular language, such as English. Such dictionaries can be readily found on the Internet. Name dictionaries may be used by expectant parents looking for a name for their yet to be born child, but a malefactor may use such a dictionary as well as part of an attack against a system. E.g., an attacker may start with abe as a username and then try every word in an English language dictionary as a password. If he can't get in using abe as the user name, he might next try al, alan, ann, arthur, etc. going all the way up to names that start with the letter "z". Certainly pairing each name with every word in a dictionary would take an inordinate amount of time, if someone manually typed each username and password combination, but there is no need for an attacker to manually make guesses in an attempt to compromise a system. Instead, he can use a program that will read entries from dictionaries and submit them to the system under attack. A program can potentially submit thousands of guesses a minute if there is sufficient bandwidth between the attacking and attacked systems and sufficient CPU power on both systems. If you are responsible for a server, you are unlikely to want an attacker to have unlimited attempts to break into the system. The attacker will be using bandwidth to your server and system resources, such as CPU cycles, even if he never manages to break into the system. 
And, if even one user has a weak password, such as a dictionary word, sports team name, car name, etc., which may also be in a dictionary used for password guessing, granting an attacker unlimited attempts to try breaking in may result in the attacker being successful.

So how can you stop an attacker from continually hammering on your system in an attempt to break in? If you notice it happening by examining system logs, e.g. see Monitoring Failed SSH Logins to a CentOS System, you can put in a firewall rule to block the attacking IP address or use the route reject command, if it is a Linux system. But it is unlikely you have the time or inclination to constantly monitor the system's logs for such activity. Fail2ban is an intrusion prevention program that solves this problem. It monitors log files for you and when it spots such nefarious activity from lots of failed password entries in a log file, it will automatically configure the system's firewall to block the IP address of the attacking system.
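To make the mechanism concrete, here is an added example (not code from the page or from the fail2ban project) that replays sshd "Failed password" lines from a constructed /var/log/secure excerpt and applies the same three knobs fail2ban's jails use: a failure count (maxretry), a sliding time window (findtime) and a ban duration (bantime). The regex is a simplified stand-in for the one in fail2ban's sshd filter, the log lines, PIDs and RFC 5737 addresses are constructed, and the year 2016 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern for the "Failed password" lines sshd writes to /var/log/secure on
# CentOS 7.  It is a simplified stand-in for the regex in fail2ban's sshd
# filter (filter.d/sshd.conf), not a copy of it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample of /var/log/secure.  Addresses are RFC 5737 documentation
# ranges; PIDs and ports are made up.  Three patterns are included: a slow
# guesser (one try every 30 min), a fast dictionary run, and a legitimate
# user who mistypes a password twice.
SAMPLE_LOG = """\
Apr  1 20:00:00 greendragon sshd[1901]: Failed password for root from 198.51.100.9 port 40001 ssh2
Apr  1 20:30:00 greendragon sshd[1950]: Failed password for root from 198.51.100.9 port 40002 ssh2
Apr  1 21:00:00 greendragon sshd[2002]: Failed password for root from 198.51.100.9 port 40003 ssh2
Apr  1 21:30:00 greendragon sshd[2044]: Failed password for root from 198.51.100.9 port 40004 ssh2
Apr  1 22:00:00 greendragon sshd[2099]: Failed password for root from 198.51.100.9 port 40005 ssh2
Apr  1 22:10:01 greendragon sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr  1 22:10:05 greendragon sshd[2201]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Apr  1 22:10:09 greendragon sshd[2203]: Failed password for invalid user abe from 203.0.113.5 port 51236 ssh2
Apr  1 22:10:14 greendragon sshd[2203]: Failed password for invalid user al from 203.0.113.5 port 51237 ssh2
Apr  1 22:10:20 greendragon sshd[2205]: Failed password for invalid user alan from 203.0.113.5 port 51238 ssh2
Apr  1 22:10:25 greendragon sshd[2205]: Failed password for invalid user ann from 203.0.113.5 port 51239 ssh2
Apr  1 22:11:00 greendragon sshd[2210]: Accepted publickey for bob from 192.0.2.7 port 40100 ssh2
Apr  1 22:11:30 greendragon sshd[2211]: Failed password for bob from 192.0.2.7 port 40101 ssh2
Apr  1 22:11:40 greendragon sshd[2211]: Failed password for bob from 192.0.2.7 port 40102 ssh2
"""


def parse_ts(ts, year=2016):
    """syslog timestamps carry no year; 2016 is assumed to match the page."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Replay log lines and return {ip: time_of_ban}.

    An IP is banned once it accumulates maxretry failures inside a sliding
    window of findtime seconds.  While a ban is in force (bantime seconds)
    further lines from that IP are ignored, since the firewall rule fail2ban
    inserted would have dropped those connections anyway.
    """
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}                       # ip -> when the ban started
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins etc. do not count
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans and (ts - bans[ip]).total_seconds() < bantime:
            continue
        window = attempts[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only the fast dictionary run (203.0.113.5) is banned, at its fifth failure; the slow guesser never has five failures inside one 600-second window, which is why findtime matters as much as maxretry when tuning a jail, and bob's two typos are well under the limit.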

You can check if a fail2ban package is already installed on a CentOS Linux system with the rpm command.

# rpm -qi fail2ban
package fail2ban is not installed

If it isn't, you can install it with yum install fail2ban, though if you haven't previously installed support for the Extra Packages for Enterprise Linux (EPEL) repository, you will need to install support for that software repository first. A repository is a source for software packages that can be installed with yum. EPEL is a "community approved" repository. To determine whether yum will query the EPEL repository, and to enable it if needed, see Using the EPEL repository for a CentOS 7 system.

Once the system is configured to use the EPEL repository, you can issue the command yum install fail2ban to install fail2ban. Once it is installed, you will see the following files in /etc/fail2ban.

$ ls -l /etc/fail2ban
total 56
drwxr-xr-x. 2 root root  4096 Apr  1 19:46 action.d
-rw-r--r--. 1 root root  2328 Jul 31  2015 fail2ban.conf
drwxr-xr-x. 2 root root     6 Sep 12  2015 fail2ban.d
drwxr-xr-x. 3 root root  4096 Apr  1 19:46 filter.d
-rw-r--r--. 1 root root 18562 Sep 12  2015 jail.conf
drwxr-xr-x. 2 root root    30 Apr  1 19:46 jail.d
-rw-r--r--. 1 root root  1939 Jul 31  2015 paths-common.conf
-rw-r--r--. 1 root root   642 Jul 31  2015 paths-debian.conf
-rw-r--r--. 1 root root   743 Jul 31  2015 paths-fedora.conf
-rw-r--r--. 1 root root  1174 Jul 31  2015 paths-freebsd.conf
-rw-r--r--. 1 root root   290 Jul 31  2015 paths-osx.conf

The configuration files for fail2ban, fail2ban.conf and jail.conf, are in the /etc/fail2ban directory. If you examine the contents of fail2ban.conf, you will see "in most of the cases you should not modify this file, but provide customizations in fail2ban.local file."

You will also see a similar warning in jail.conf where the ban time and maximum number of failed login attempts is specified.

# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:

The default bantime of 3,600 seconds (1 hour) is listed in this file in the line shown below:

bantime = 3600

The number of failed password attempts that will trigger a ban is listed in the line below:

maxretry = 5

If you want to change either of those values or any of the other values listed in jail.conf, don't change them there, but, instead, create a jail.local file in the same directory. You could change values in jail.conf or fail2ban.conf, but the next time you update the fail2ban software, new default files may be installed and you will lose your changes at that time. So it will likely behoove you to override those or any other values from jail.conf in jail.local, instead. E.g., if I wanted to increase the maximum number of failed login attempts from 5 to 7 and enable the SSH jail, I would create a jail.local file in /etc/fail2ban with the following contents:

[DEFAULT]
# "maxretry" is the number of failures before a host get banned.
maxretry = 7

[sshd]
enabled = true

Those settings would then override the ones in jail.conf and would continue to do so, if fail2ban is updated later and a new jail.conf file is placed on the system at that time.
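The override behaviour is worth seeing in code, because it is what protects your customizations across package updates. The added example below is not code from the page or from fail2ban; it uses Python's ConfigParser, which fail2ban's own configuration reader is built on, to resolve a jail's effective settings from a trimmed, constructed stand-in for jail.conf plus the jail.local above, and then again against a constructed "updated" jail.conf to show which values change and which do not. The real jail.conf is far longer and pulls log paths in from paths-fedora.conf through an [INCLUDES] section; that indirection is left out here.

```python
import configparser

# Trimmed, constructed stand-in for the stock /etc/fail2ban/jail.conf.  Only
# the [DEFAULT]-then-per-jail layout matters for this demonstration.
JAIL_CONF = """\
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
enabled  = false

[sshd]
port    = ssh
logpath = /var/log/secure
"""

# The jail.local from the text: raise maxretry and switch the sshd jail on.
JAIL_LOCAL = """\
[DEFAULT]
maxretry = 7

[sshd]
enabled = true
"""

# What a later package update might ship as a new jail.conf (constructed):
# here the packager has shortened the default bantime.
UPDATED_JAIL_CONF = JAIL_CONF.replace("bantime  = 3600", "bantime  = 600")

KEYS = ("enabled", "maxretry", "bantime", "findtime", "logpath")


def effective_jail_settings(conf_text, local_text, jail):
    """Resolve one jail's settings the way fail2ban layers its files.

    Every jail section inherits [DEFAULT], and jail.local is read after
    jail.conf so any key it sets wins; keys it leaves alone keep whatever
    jail.conf (including a freshly installed one) provides.  Interpolation
    is disabled because this stand-in uses no %(name)s references.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)  # second read merges over the first
    return {k: cp.get(jail, k) for k in KEYS}


if __name__ == "__main__":
    print("stock jail.conf + jail.local:  ",
          effective_jail_settings(JAIL_CONF, JAIL_LOCAL, "sshd"))
    print("updated jail.conf + jail.local:",
          effective_jail_settings(UPDATED_JAIL_CONF, JAIL_LOCAL, "sshd"))
```

Both runs report maxretry 7 and the sshd jail enabled; only bantime follows the updated jail.conf, because jail.local never set it. On a live system, fail2ban-client get sshd maxretry shows the value the running server actually loaded, which is the quickest way to confirm that a jail.local edit took effect after a restart.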

In the /etc/fail2ban/jail.d directory, you will see 00-firewalld.conf. Firewalld is the default firewall software for CentOS 7. If you examine that file you will see it contains the following:

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
banaction = firewallcmd-ipset

If you are using the default firewall software, FirewallD, then you can leave this file as it is.

When you are ready to use the fail2ban service, issue the command systemctl enable fail2ban so that it starts automatically at boot:

# systemctl enable fail2ban
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/fail2ban.service.

You can start fail2ban with systemctl start fail2ban. You won't see any output if fail2ban starts successfully.

# systemctl start fail2ban

You can check its status with systemctl status fail2ban.

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-04-01 22:04:23 EDT; 2min 59s ago
     Docs: man:fail2ban(1)
  Process: 2073 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 2076 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2076 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fa...

Apr 01 22:04:16 greendragon systemd[1]: Starting Fail2Ban Service...
Apr 01 22:04:19 greendragon fail2ban-client[2073]: 2016-04-01 22:04:19,165 fa...
Apr 01 22:04:19 greendragon fail2ban-client[2073]: 2016-04-01 22:04:19,167 fa...
Apr 01 22:04:23 greendragon systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@greendragon fail2ban]#

You can also use the fail2ban-client status command:

[root@greendragon fail2ban]# fail2ban-client status
|- Number of jail:      1
`- Jail list:   sshd
[root@greendragon fail2ban]#

Note: if Security-Enhanced Linux (SELinux) is enabled on the CentOS system, you may need to update the SELinux policy with yum update -y selinux-policy*. You can check the status of SELinux with the sestatus command. E.g.:

# sestatus
SELinux status:                 disabled

If it is enabled, but in permissive mode, then log entries will be created but applications won't be blocked; you may still want to update the policy:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Next: fail2ban logging
