Word count: 817, reading time approximately 5 minutes
Recently, there have been constant attempts to illegally log into the server, with thousands of login attempts occurring daily. Therefore, I installed <span>fail2ban</span> on the server and will document the installation and configuration process for future reference. <span>fail2ban</span> scans the log files such as <span>/var/log/auth.log</span> (for Ubuntu) or <span>/var/log/secure</span> (for CentOS) and bans IP addresses that have too many failed login attempts. It achieves this by updating the system firewall rules to reject new connections from these IP addresses within a configurable time frame. fail2ban works out of the box and can read many standard log files, such as those used for sshd and apache, and can be easily configured to read any log file of your choice to look for any errors you need (translated from the fail2ban official introduction). fail2ban is developed in <span>python</span> and requires python version 3.5 or higher. For CentOS 7, the default installation is python2, so first, we need to install python3. Here, we will compile python3 from source and install it in the /usr/local/python3 directory. Remember, you cannot replace the system’s default python2 with python3, as programs like <span>yum</span> in CentOS 7 are not compatible with python3.
1. Compiling and Installing Python3 from Source
If the system’s built-in python version >= 3.5, please skip this step!
wget https://www.python.org/ftp/python/3.7.17/Python-3.7.17.tgz
tar zxvf Python-3.7.17.tgz
cd Python-3.7.17
./configure --prefix=/usr/local/python3 --enable-optimizations
make -j4
make install
2. Installing fail2ban
git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
sudo python3 setup.py install
# Check if fail2ban is installed successfully
fail2ban-client -h
The configuration files for fail2ban will be installed in the /etc/fail2ban directory. Copy the fail2ban.service from the build directory to the /lib/systemd/system/ directory, and you can start and stop fail2ban using systemctl.
cat /lib/systemd/system/fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/local/python3/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/local/python3/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/local/python3/bin/fail2ban-client stop
ExecReload=/usr/local/python3/bin/fail2ban-client reload
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
[Install]
WantedBy=multi-user.target
3. Simple Configuration
Here, we will only set up protection for <span>sshd</span>. The main modifications are made to <span>/etc/fail2ban/jail.conf</span> and we will also add <span>/etc/fail2ban/jail.d/sshd</span>. Below are the modified sections; the rest can be left as default (the configuration file provides detailed explanations for each option, which you can refer to).
# /etc/fail2ban/jail.conf
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh # Modify according to your sshd configuration; if using a non-default ssh port, change it to your set port
logpath = %(sshd_log)s
backend = %(sshd_backend)s
cat /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 192.168.2.105
bantime = 86400
findtime = 300
maxretry = 3
banaction = firewallcmd-rich-rules
backend = systemd
[sshd]
enabled = true
# /etc/fail2ban/jail.d/sshd.conf
# Protection rules for sshd
[sshd]
enable = true
maxretry = 5
findtime = 10m
bantime = 24h
4. Running and Checking
systemctl enable fail2ban.service
systemctl start fail2ban
systemctl status fail2ban
# The following prompt indicates that it has started successfully
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2023-10-04 18:37:48 CST; 5s ago
Docs: man:fail2ban(1)
Process: 30143 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 30146 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─30146 /usr/local/python3/bin/python3 /usr/local/python3/bin/fail2ban-server -xf start
Oct 04 18:37:48 ydapp1 systemd[1]: Starting Fail2Ban Service...
Oct 04 18:37:48 ydapp1 systemd[1]: Started Fail2Ban Service.
Oct 04 18:37:49 ydapp1 fail2ban-server[30146]: Server ready
# You can check the version number with fail2ban-client version
fail2ban-client version
1.1.0.dev1
# You can check the status with fail2ban-client status
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list: