Fail2Ban – installation and configuration in Linux

Fail2Ban – installation and configuration in Linux

The following tutorial is part of my engineering work entitled “Treatment network server based on Linux.” under the leadership of Dr. hab. Kordiana Smolińskiego at the Department of Theoretical Physics WFiIS UL obronionej in June 2019.

To install Fail2Ban on CentOS 7.6, the first thing you will need to install the EPEL repository (eng. Extra Packages for Enterprise Linux). EPEL contains extra packages for all versions of CentOS, one of these additional packages Fail2Ban.

$ sudo yum install epel-release
$ sudo yum install fail2ban fail2ban-systemd

For Debian/Ubuntu, just team:

$ sudo apt-get install fail2ban

In the case of CentOS, the following step is to update the SELinux rules. (note: the is not likely that SELinux).

$ sudo yum update -y selinux-policy*

After installation, we will need to install and configure the software using a configuration file jail.local. The file jail.replaces the local file jail.conf, and is used to ensure security, update user configuration.

Make a copy of the file jail.conf file and save it under the name of the jail.local: update SELinux policy:

cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file jail.local for editing in Vim using the following command:

$ sudo -e /etc/fail2ban/jail.local

Code file may consist of multiple lines of code that perform to prevent the locking of one or more IP addresses, to set the duration bantime, etc. Typical configuration file prison contains the following lines:

ignoreip =
ignorecommand =
bantime = 600
findtime = 600
maxretry = 5
backend = systemd

  • IgnoreIP used to configure a list of IP addresses that will not be banned. List of IP addresses must be specified separated by “space”. This parameter is used to configure a personal IP address (if has access to the server from a permanent IP address).
  • Parameter Bantime used to configure the duration of seconds that a host should be banned.
  • Findtime is a parameter that is used to verify that the node should be banned or not. When the host creates the maximum in the last findtimehe banowany.
  • Maxretry this parameter is used to configure a limit on the number of attempts within the site, after exceeding this limit, the host banowany.

Add the file prison (eng. jail), to protect SSH.

Create a new file using the Vim editor.

$ sudo -e /etc/fail2ban/jail.d/sshd.local

For the above file, add the following line of code:

enabled = true
port = ssh
action  = iptables-allports
# logpath = /var/log/secure # manualne ustawienie ścieżki 
logpath = %(sshd_log)s
findtime = 600
maxretry = 3
bantime = 86400

In the case when you use iptables, action install as shown below:

action = iptables-allports

  • Parameter enable set truein order to ensure the security in order to disable the protection, set at false. The filter parameter, check the sshd configuration file located in /etc/fail2ban/filter.d/sshd.conf.
  • Parameter action used to display the IP addresses that should be allowed through the filter a dictionary in a file /etc/fail2ban/action.d/iptables-allports.conf.
  • Parameter port you can change it to a new value, for example, port=2244, as in this case. In the case of using port 22, there is no need to change this setting.
  • Path specifies the path where you saved the log file. This log file is scanned through Fail2Ban.
  • Maxretry configures the maximum limit of unsuccessful records for login.
  • Parameter Bantime used to configure the duration of seconds that a host is to be blocked.

The launch of the service Fail2Ban

If you don’t have a firewall CentOS, run it:

$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

If you are using iptables, this is:

>$ sudo systemctl enable iptables
$ sudo systemctl start iptables

Run the following plecenia to run Fail2Ban on the server.

$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban

Track record of login fail2ban

The following command is used to verify that try to access the server via ssh post was not successful.

cat /var/log/secure | grep 'Failed password'

Executing the above command displays a list of failed attempts to enter the master password with different IP addresses. The format of the results will look like the image below:

Feb 12 19:27:12 centos sshd[25729]: Failed password for root from port 9074 ssh2
Feb 13 15:05:35 deb_usr sshd[1617]: Failed password for invalid user pi from port 58182 ssh2

Check banned IP address through Fail2Ban

Use the following command to get a list of blocked IP addresses that were perceived as threats of brute force.

iptables -L –n

Check the status of Fail2Ban

Please use the following command to check the status of files in the jail Fail2Ban:

$ sudo fail2ban-client status

The result should be like this:

[root@htf ]# fail2ban-client status
|- Number of jail: 1
`- Jail list: sshd

This command shows its action was suspended IP addresses to your prison (jail).

$ sudo fail2ban-client status sshd

Remove zbanowanego IP addresses

To remove IP addresses from the blocked list, the parameter IPADDRESS installed on the correct IP address, which requires odbanowania. The name “sshd” is the name of the prison in this case is a prison “sshd”, which is set up above. The following command allows you to delete IP address.

$ sudo fail2ban-client set sshd unbanip IPADDRESS

Add your filter for enhanced protection

Fail2ban to create your own filters. Below is a brief description of one of them.

1. Navigate to the directory filter.d Fail2ban:

$ sudo cd /etc/fail2ban/filter.d

2. Create a file wordpress.conf and add the regular expression.

$ sudo -e wordpress.conf
#Fail2Ban filter for WordPress
failregex =  - - [(d{2})/w{3}/d{4}::: -d{4}] "POST /wp-login.php HTTP/1.1" 200
ignoreregex =

Save and close the file.

3. Add WordPress to the end of the file jail.local:

$ sudo -e /etc/fail2ban/jail.local
enabled = true
filter = wordpress
logpath = /var/log/httpd/access_log 
#CentOS Zwróć uwagę, czy jest _ czy . W pliku /etc/httpd/conf/httpd.conf masz informację, gdzie jest zapisywany log.
# logpath = /var/log/apache2/access.log // Ubuntu/Debian
port = 80,443

If we want to kick bots, you just need to add the action to the time the ban and the number of attempts, as in the case of sshd jail, as described above.

For this purpose, will be used by default ban and e-mail activity. Other actions can be defined by adding stock = line.

Save and exit, and then restart Fail2ban command:

$ sudo systemctl restart fail2ban

Also make sure Your regex works:

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf
Go to our cases Get a free quote