

Install and Configure Fail2ban on Red Hat Enterprise Linux 8 - Step by Step Process ?

Fail2ban is an open-source intrusion prevention software for Linux and other Unix-like systems. Fail2ban works by scanning log files for failed authentication attempts or other signs of potential intrusion. 

It can automatically update firewall rules to ban (block) offending IP addresses for a predefined period of time.

By default, Fail2Ban provides filters for various services such as ssh, apache, and so on.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Fail2ban queries.

In this context, we shall look into steps to install Fail2ban on Red Hat Enterprise Linux 8 (RHEL 8) and configure the ssh service filter.


How to install Fail2ban on Red Hat Enterprise Linux 8 ?

Before proceeding with this installation procedure, ensure that you have a user with sudo capability.

On RHEL 8, Fail2ban is available through the Extra Packages for Enterprise Linux (EPEL) repository. 

i. If you do not already have EPEL installed, run the command below:

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

ii. Also, it is recommended to enable the codeready-builder-for-rhel-8-*-rpms repository since EPEL packages may depend on packages from it. 

Run the next commands to do that:

$ ARCH=$( /bin/arch )
$ sudo subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"

iii. Next, update available packages as follows:

$ sudo yum update

iv. Now, install Fail2ban with the command below:

$ sudo dnf install fail2ban

When prompted, enter y to proceed with the installation.

v. After the installation completes successfully, run the following command to check the status of the fail2ban service:

$ sudo systemctl status fail2ban

vi. If the output does not show the Fail2ban service as active, run the next command to start it:

$ sudo systemctl start fail2ban

After that, check the status of the fail2ban service to confirm that it is now active.

vii. Press q to return to the command prompt.


How to Configure Fail2ban on Red Hat Enterprise Linux 8 ?

i. The configuration files for Fail2ban are stored in /etc/fail2ban and you can list them as follows:

$ ls /etc/fail2ban

As earlier mentioned, Fail2ban provides filters for popular services including ssh. 

These filters are stored in the /etc/fail2ban/filter.d directory.

Fail2ban's global configuration file is jail.conf, but it is not recommended to modify this file directly because it could be overwritten during an upgrade. Instead, we are going to create a jail.local file and make our global configuration changes there.

Further, it is also advisable to create separate jail files in the /etc/fail2ban/jail.d directory for each service that you intend to protect.

ii. Now, run the command below to create the jail.local configuration file based on the existing jail.conf file:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

iii. Open the jail.local file for editing:

$ sudo nano /etc/fail2ban/jail.local

Look for the ignoreip option and uncomment it by deleting the preceding # symbol.


The ignoreip option is used to specify IP addresses or network ranges that Fail2ban should never block. 

The default value points to localhost and this should prevent the system from interfering with itself. 

You can add other IP addresses separated by a space or comma.

Save and close the jail.local file.


How to Configure ssh filter for Fail2ban ?

i. Run the command below to create a separate jail file for the ssh service:

$ sudo nano /etc/fail2ban/jail.d/sshd.local

ii. Copy and paste the following custom configuration settings into the sshd.local file:

[sshd]
enabled = true
maxretry = 3
bantime = 5m

Note:

1. maxretry is the number of failures before the offending IP address is blocked

2. bantime is how long an offending IP address will be blocked for. In the example above, 5m denotes 5 minutes. 

You can change this as desired. For example, 1h would mean 1 hour. 

If you specify neither m nor h, the value is interpreted as seconds.


iii. Save and close the sshd.local file.

iv. Restart Fail2ban with the next command:

$ sudo systemctl restart fail2ban
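The helpers below are an added example (not commands from the article) for the jail.local and sshd.local steps above: they render the sshd drop-in with the keys used above, accept an optional ignoreip list, and refuse to write a maxretry or bantime that fail2ban would reject, so a typo is caught before the service is restarted. The function names and the default file path are assumptions. The time conversion goes beyond the m and h suffixes covered above to the s, d and w suffixes fail2ban also accepts.

```sh
#!/bin/sh
# Added example (not from the article): build and check a fail2ban
# jail.d drop-in for sshd before putting it in place.

# Convert a fail2ban time value to seconds.  The article covers the m
# (minutes) and h (hours) suffixes and bare seconds; fail2ban also accepts
# s, d (days) and w (weeks), handled here as well.  Prints the number of
# seconds; returns 1 (printing nothing) for a value fail2ban would reject.
f2b_time_to_seconds() {
    value=$1
    case "$value" in
        ''|*[!0-9smhdw]*) return 1 ;;   # empty, or a character outside digits/suffixes
    esac
    num=${value%[smhdw]}                # strip one trailing suffix letter, if any
    unit=${value#"$num"}                # what was stripped ("" for bare seconds)
    case "$num" in
        ''|*[!0-9]*) return 1 ;;        # no digits, or a suffix letter in the middle
    esac
    case "$unit" in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        w)    mult=604800 ;;
    esac
    echo $((num * mult))
}

# Render an [sshd] drop-in with the keys the article uses (enabled, maxretry,
# bantime) plus an optional ignoreip list.  Rejects a non-numeric maxretry or
# a bantime that fail2ban would not parse.
render_sshd_jail() {
    maxretry=$1
    bantime=$2
    ignoreip=$3                         # space-separated IPs/CIDRs, may be empty
    case "$maxretry" in
        ''|*[!0-9]*) return 1 ;;
    esac
    f2b_time_to_seconds "$bantime" >/dev/null || return 1
    printf '[sshd]\nenabled = true\nmaxretry = %s\nbantime = %s\n' "$maxretry" "$bantime"
    if [ -n "$ignoreip" ]; then
        printf 'ignoreip = %s\n' "$ignoreip"
    fi
    return 0
}

# Write the rendered drop-in to a path; the default (an assumption) is the
# file the article creates.  Returns 1 and writes nothing if the values are
# rejected.
write_sshd_jail() {
    path=${4:-/etc/fail2ban/jail.d/sshd.local}
    content=$(render_sshd_jail "$1" "$2" "$3") || return 1
    printf '%s\n' "$content" > "$path"
}

# Demo: the article's settings, with the loopback ranges kept unbanned.
render_sshd_jail 3 5m "127.0.0.1/8 ::1"
```

After writing the file on a real host, run sudo fail2ban-client -t to have fail2ban itself validate the configuration, restart the service as in step iv, and confirm the effective value with sudo fail2ban-client get sshd bantime.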


How to Test Fail2ban ?

To illustrate, we are going to make failed ssh login attempts against the RHEL 8 system from another computer. 

You may do the same.

i. Fail2ban records each failure it matches and each ban it applies in /var/log/fail2ban.log, and you can watch this in real time with the command below:

$ sudo tail -f /var/log/fail2ban.log

ii. Press CTRL + C to return to the command prompt.

iii. To view information about banned IP addresses for the ssh service, run the next command:

$ sudo fail2ban-client status sshd

iv. To unblock a banned IP, run the command below. Replace <IP> with the actual IP address:

$ sudo fail2ban-client set sshd unbanip <IP>
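As an added example (not commands from the article), the shell functions below read the two sources the testing steps above use, /var/log/fail2ban.log and the output of fail2ban-client status sshd, to confirm that failures are being matched and bans applied, and to spot a trusted address that got banned, which is the case where the unban command above and the ignoreip setting in jail.local come into play. SAMPLE_LOG and SAMPLE_STATUS are constructed samples in the formats those sources produce; the function names and the addresses are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): confirm from fail2ban's own output
# that the sshd jail is detecting failures and banning.  SAMPLE_LOG and
# SAMPLE_STATUS are constructed samples in the formats written to
# /var/log/fail2ban.log and by `fail2ban-client status sshd`; on a real host
# pipe in the actual file and command output instead.

SAMPLE_LOG='2023-05-04 10:15:01,201 fail2ban.filter         [1187]: INFO    [sshd] Found 192.0.2.10 - 2023-05-04 10:15:01
2023-05-04 10:15:03,410 fail2ban.filter         [1187]: INFO    [sshd] Found 192.0.2.10 - 2023-05-04 10:15:03
2023-05-04 10:15:05,622 fail2ban.filter         [1187]: INFO    [sshd] Found 192.0.2.10 - 2023-05-04 10:15:05
2023-05-04 10:15:05,630 fail2ban.actions        [1187]: NOTICE  [sshd] Ban 192.0.2.10
2023-05-04 10:16:12,004 fail2ban.filter         [1187]: INFO    [sshd] Found 198.51.100.7 - 2023-05-04 10:16:12
2023-05-04 10:16:14,117 fail2ban.filter         [1187]: INFO    [sshd] Found 198.51.100.7 - 2023-05-04 10:16:14
2023-05-04 10:16:16,309 fail2ban.filter         [1187]: INFO    [sshd] Found 198.51.100.7 - 2023-05-04 10:16:16
2023-05-04 10:16:16,315 fail2ban.actions        [1187]: NOTICE  [sshd] Ban 198.51.100.7
2023-05-04 10:20:05,700 fail2ban.actions        [1187]: NOTICE  [sshd] Unban 192.0.2.10'

SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   198.51.100.7'

# Failures fail2ban matched per IP for one jail ("Found" lines), highest first.
# Fields of a log line: date time logger [pid]: LEVEL [jail] Found IP ...
found_per_ip() {
    awk -v jail="[$1]" '$6 == jail && $7 == "Found" { c[$8]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# IPs banned in the jail and not unbanned afterwards (an expired bantime
# shows up as an "Unban" line), in the order they were banned.
currently_banned_from_log() {
    awk -v jail="[$1]" '
        $6 == jail && $7 == "Ban"   { banned[$8] = ++n; order[n] = $8 }
        $6 == jail && $7 == "Unban" { delete banned[$8] }
        END { for (i = 1; i <= n; i++)
                  if ((order[i] in banned) && banned[order[i]] == i) print order[i] }'
}

# Pull the "Banned IP list" out of fail2ban-client status output, one per line.
banned_ips_from_status() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Cross-check the ban list against addresses you must not lose (your own
# admin hosts); prints the article's unban command for each hit.  A hit
# normally means those addresses belong in ignoreip in jail.local.
trusted_banned() {
    jail=$1
    trusted=$2                          # space-separated list of trusted IPs
    banned_ips_from_status | while read -r ip; do
        for t in $trusted; do
            if [ "$ip" = "$t" ]; then
                echo "sudo fail2ban-client set $jail unbanip $ip"
            fi
        done
    done
    return 0
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | found_per_ip sshd
printf '%s\n' "$SAMPLE_LOG" | currently_banned_from_log sshd
printf '%s\n' "$SAMPLE_STATUS" | trusted_banned sshd "203.0.113.5 198.51.100.7"
```

On a real host the same functions take the live data: sudo cat /var/log/fail2ban.log | found_per_ip sshd, and sudo fail2ban-client status sshd | trusted_banned sshd "<your admin IP>". Note that the sample timeline matches the bantime of 5m configured above: 192.0.2.10 is banned at 10:15:05 and unbanned at 10:20:05.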




Conclusion

This article covers the installation of Fail2ban and the configuration of an sshd filter. There are so many options to configure but we focused on the basic ones. Feel free to peruse the Fail2ban man pages by running man fail2ban to discover what more you can do with it.

Fail2ban is a free, open-source and widely used intrusion prevention tool. It scans log files for IP addresses that show malicious signs, such as too many password failures, and bans them by updating firewall rules to reject those addresses. 

By default, it ships with filters for various services including sshd.


To install and configure Fail2ban on CentOS/RHEL 8:

1. After logging into your system, access a command-line interface, then enable the EPEL repository on your system:

# dnf install epel-release

OR

# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

2. Afterward, install the Fail2ban package by running the following command:

# dnf install fail2ban

3. Start and enable the fail2ban service, then check that it is up and running, using the following systemctl commands:

# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl status fail2ban