So how can you stop an attacker from continually hammering on your system in an attempt to break in? If you notice it happening by examining system logs, e.g. see Monitoring Failed SSH Logins to a CentOS System, you can put in a firewall rule to block the attacking IP address or, on a Linux system, use the route command to add a reject route for it. But it is unlikely you have the time or inclination to constantly monitor the system's logs for such activity. Fail2ban is an intrusion prevention program that solves this problem. It monitors log files for you and, when it spots nefarious activity such as many failed password entries from one address within a short period, it automatically adds a rule to the system's firewall to block the IP address of the attacking system, normally for a limited time.
You can check if a fail2ban package is already installed on a CentOS Linux system with the rpm command.

# rpm -qi fail2ban
package fail2ban is not installed
If it isn't, you can install it with yum install fail2ban, though if you haven't previously installed support for the Extra Packages for Enterprise Linux (EPEL) repository, you will need to install support for that software repository first. A repository is a source for software packages that can be installed with yum; EPEL is a community-maintained repository of add-on packages for RHEL-based systems such as CentOS, and fail2ban is not in the base CentOS 7 repositories. To determine whether yum is already configured to query the EPEL repository, and to add it if needed, see Using the EPEL repository for a CentOS 7 system.
Once the system is configured to use the EPEL repository, you can issue the command yum install fail2ban to install fail2ban. Once it is installed, you will see the following files in /etc/fail2ban.

$ ls -l /etc/fail2ban
total 56
drwxr-xr-x. 2 root root  4096 Apr  1 19:46 action.d
-rw-r--r--. 1 root root  2328 Jul 31  2015 fail2ban.conf
drwxr-xr-x. 2 root root     6 Sep 12  2015 fail2ban.d
drwxr-xr-x. 3 root root  4096 Apr  1 19:46 filter.d
-rw-r--r--. 1 root root 18562 Sep 12  2015 jail.conf
drwxr-xr-x. 2 root root    30 Apr  1 19:46 jail.d
-rw-r--r--. 1 root root  1939 Jul 31  2015 paths-common.conf
-rw-r--r--. 1 root root   642 Jul 31  2015 paths-debian.conf
-rw-r--r--. 1 root root   743 Jul 31  2015 paths-fedora.conf
-rw-r--r--. 1 root root  1174 Jul 31  2015 paths-freebsd.conf
-rw-r--r--. 1 root root   290 Jul 31  2015 paths-osx.conf
The main configuration files for fail2ban, fail2ban.conf and jail.conf, are in the /etc/fail2ban directory. If you examine the contents of fail2ban.conf, you will see "in most of the cases you should not modify this file, but provide customizations in fail2ban.local file." You will see a similar warning in jail.conf, where the ban time and the maximum number of failed login attempts are specified.

# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
The default bantime of 3,600 seconds (1 hour), i.e. how long a banned address stays blocked, is set in this file by the line shown below:

bantime = 3600

The number of failed password attempts that will trigger a ban is set by the line below:

maxretry = 5

Those attempts must fall within the findtime window, 600 seconds (10 minutes) by default, for the ban to be issued; an attacker who spreads attempts out more slowly than that is not caught by the default settings.
If you want to change either of those values, or any of the other values listed in jail.conf, don't edit them there. You could change values in jail.conf or fail2ban.conf, but the next time the fail2ban package is updated new default files may be installed and your changes would be lost at that time. Instead, create a jail.local file in the same directory that contains only the settings you want to override; fail2ban reads jail.conf first and then jail.local, so anything in jail.local wins. E.g., if I wanted to increase the maximum number of failed login attempts from 5 to 7 and enable the SSH jail, I would create a jail.local file in /etc/fail2ban with the following contents (no other lines would be needed in the file):

[DEFAULT]
# "maxretry" is the number of failures before a host gets banned.
maxretry = 7

[sshd]
enabled = true

Those settings override the ones in jail.conf and continue to do so if fail2ban is updated later and a new jail.conf file is placed on the system at that time. Note that jail.conf sets enabled = false in its [DEFAULT] section, so without the enabled = true line fail2ban runs but protects nothing; the sshd jail has to be switched on explicitly.
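To make the interaction between the jail.conf defaults, the jail.local overrides and the log matching concrete, here is an added example in Python; it is not code from this article or from fail2ban itself. It loads a jail.conf-style and a jail.local-style fragment with the same later-file-wins rule fail2ban applies, then replays a constructed /var/log/secure excerpt through a reduced stand-in for the "Failed password" pattern in filter.d/sshd.conf and the maxretry/findtime/bantime logic. The log lines, hostname and addresses are constructed, the regex is far simpler than the real sshd filter, and the assumed year for the syslog timestamps is 2016.

```python
import re
from configparser import ConfigParser
from datetime import datetime, timedelta

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local; only the
# keys this simulation needs are present.  findtime is the window (seconds)
# within which maxretry failures must occur for a ban to be issued.
JAIL_CONF = """
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = false
"""

JAIL_LOCAL = """
[DEFAULT]
maxretry = 7

[sshd]
enabled = true
"""


def load_jail_settings(conf_text, local_text, jail="sshd"):
    """Read a .conf and then a .local as fail2ban does: repeated keys in the
    later file win, everything else keeps the .conf value."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    # A key missing from [sshd] falls through to [DEFAULT], as in fail2ban.
    return {
        "enabled": cp.getboolean(jail, "enabled"),
        "maxretry": cp.getint(jail, "maxretry"),
        "findtime": cp.getint(jail, "findtime"),
        "bantime": cp.getint(jail, "bantime"),
    }


# Reduced stand-in for the failregex in filter.d/sshd.conf: enough to match
# the common "Failed password" lines in /var/log/secure on CentOS 7.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_ts(ts, year=2016):
    """syslog timestamps carry no year; assume one (fail2ban assumes the current year)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def simulate(lines, settings):
    """Replay log lines (in file order) through the sshd jail logic and return
    {ip: time_of_ban} for each address reaching maxretry failures in findtime."""
    findtime = timedelta(seconds=settings["findtime"])
    recent = {}   # ip -> failure timestamps still inside the sliding window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                  # not a failure the filter matches
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue                  # already banned; the firewall drops it
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= settings["maxretry"]:
            banned[ip] = ts
    return banned


def ban_active(banned, settings, ip, at):
    """True while the ban on ip has not yet outlived bantime."""
    return ip in banned and at < banned[ip] + timedelta(seconds=settings["bantime"])


# Constructed /var/log/secure excerpt: a fast brute-forcer (203.0.113.45), a
# slow one that never fits maxretry failures into findtime (198.51.100.7),
# and a legitimate user who mistypes a password twice (192.0.2.10).
SAMPLE_LOG = [
    "Apr 12 22:00:10 greendragon sshd[3901]: Failed password for root from 198.51.100.7 port 39001 ssh2",
    "Apr 12 22:03:10 greendragon sshd[3920]: Failed password for root from 198.51.100.7 port 39017 ssh2",
    "Apr 12 22:06:10 greendragon sshd[3944]: Failed password for root from 198.51.100.7 port 39033 ssh2",
    "Apr 12 22:09:10 greendragon sshd[3990]: Failed password for root from 198.51.100.7 port 39049 ssh2",
    "Apr 12 22:09:58 greendragon sshd[4021]: Accepted publickey for jim from 192.0.2.10 port 50122 ssh2",
    "Apr 12 22:10:01 greendragon sshd[4031]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2",
    "Apr 12 22:10:03 greendragon sshd[4031]: Failed password for invalid user admin from 203.0.113.45 port 41022 ssh2",
    "Apr 12 22:10:06 greendragon sshd[4033]: Failed password for root from 203.0.113.45 port 41030 ssh2",
    "Apr 12 22:10:08 greendragon sshd[4033]: Failed password for root from 203.0.113.45 port 41030 ssh2",
    "Apr 12 22:10:11 greendragon sshd[4035]: Failed password for invalid user oracle from 203.0.113.45 port 41038 ssh2",
    "Apr 12 22:10:13 greendragon sshd[4037]: Failed password for invalid user test from 203.0.113.45 port 41044 ssh2",
    "Apr 12 22:10:16 greendragon sshd[4039]: Failed password for root from 203.0.113.45 port 41050 ssh2",
    "Apr 12 22:11:00 greendragon sshd[4040]: Failed password for jim from 192.0.2.10 port 50130 ssh2",
    "Apr 12 22:11:05 greendragon sshd[4040]: Failed password for jim from 192.0.2.10 port 50130 ssh2",
    "Apr 12 22:12:10 greendragon sshd[4052]: Failed password for root from 198.51.100.7 port 39065 ssh2",
]

if __name__ == "__main__":
    settings = load_jail_settings(JAIL_CONF, JAIL_LOCAL)
    print(settings)
    print(simulate(SAMPLE_LOG, settings))
```

With the jail.local above in effect (maxretry 7) the fast attacker is banned on its seventh failure at 22:10:16; with the jail.conf defaults alone (maxretry 5) it is banned two lines earlier, at 22:10:11. The slow attacker never has five failures inside any 600-second window and is never banned under either setting, which is the trade-off findtime encodes.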
In the /etc/fail2ban/jail.d directory, you will see 00-firewalld.conf. Firewalld is the default firewall software for CentOS 7. If you examine that file you will see it contains the following:

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld

[DEFAULT]
banaction = firewallcmd-ipset

If you are using the default firewall software, FirewallD, then you can leave this file as it is. If firewalld is not running, for example because you manage iptables rules directly, the firewallcmd-ipset action cannot add bans; in that case set banaction = iptables-multiport in jail.local instead, or remove the fail2ban-firewalld package as the comment suggests.
When you are ready to use the fail2ban service, enable it so that it starts at boot with the command systemctl enable fail2ban.

# systemctl enable fail2ban
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
You can start fail2ban with systemctl start fail2ban. You won't see any output if fail2ban starts successfully.

# systemctl start fail2ban
#
You can check its status with systemctl status fail2ban.

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-04-01 22:04:23 EDT; 2min 59s ago
     Docs: man:fail2ban(1)
  Process: 2073 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 2076 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2076 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fa...

Apr 01 22:04:16 greendragon systemd[1]: Starting Fail2Ban Service...
Apr 01 22:04:19 greendragon fail2ban-client[2073]: 2016-04-01 22:04:19,165 fa...
Apr 01 22:04:19 greendragon fail2ban-client[2073]: 2016-04-01 22:04:19,167 fa...
Apr 01 22:04:23 greendragon systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@greendragon fail2ban]#
You can also use the fail2ban-client status command, which lists the jails that are active:

[root@greendragon fail2ban]# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
[root@greendragon fail2ban]#

Adding the jail name, fail2ban-client status sshd, shows that jail's failure and ban counters and the addresses it currently has banned, which is the quickest way to confirm that bans are actually being applied.
Note: if Security-Enhanced Linux (SELinux) is enabled on the CentOS system, you may need to update the SELinux policy with yum update -y selinux-policy* so that the policy includes the rules fail2ban needs. You can check the status of SELinux with the sestatus command. E.g.:

# sestatus
SELinux status:                 disabled

If it is enabled but in permissive mode, policy violations are logged but not enforced, so fail2ban will run regardless; you may still want to update the policy so it keeps working if the system is later switched to enforcing mode:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

If SELinux is enforcing and fail2ban fails to start or bans are not applied, look for denials with ausearch -m avc -ts recent before changing anything else.
Next: fail2ban logging