
How to install Fail2Ban on CentOS 7 – Step by Step Guide

This is a how-to on installing Fail2Ban on CentOS 7. Fail2Ban is an incredibly useful, and often necessary, package that automatically blocks IP addresses attempting to brute-force your server(s). For instance, with Fail2Ban installed, if an IP address attempts to brute-force the login of user “root” on your server, once a certain number of attempted logins is reached within a designated time period, it automatically inserts an iptables rule into your firewall to block all access from that IP address for a specified period of time. Of course, you set all of these variables in the configuration file, which I’ll go into later on. I have yet to have a public-facing server be online more than a day before a brute-force attack of some sort is encountered. The best practice is to use secure passwords, with upper case, lower case, numbers and a few symbols. Never use dictionary-based passwords. With effective, secure passwords it would take a very, very long time to gain access to a server by means of brute force, but it is possible. Regardless, it’s best to block these attacks from the beginning. It is all automated with Fail2Ban.

This guide assumes you have a CentOS 7 installation and have run yum update. It requires root SSH access to the server.

First, you need to install the EPEL repository. Fail2Ban is not available from the default CentOS repositories.

cd /tmp

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/epel-release-7-5.noarch.rpm

After the EPEL RPM is installed, we can install Fail2Ban using yum.

yum install fail2ban

By default, there is no jail.local file, which Fail2Ban uses to configure “jails.” There is, however, a template file included, ready for you to copy. To do so, run:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

This is where you will do almost all, if not all, of your Fail2Ban configuration. By default, each section/jail is configured but turned off. Go ahead and open your jail.local file with your editor of choice (I prefer nano).

nano /etc/fail2ban/jail.local

You can see part of the default file below:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. ,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command 
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

In the ignoreip line, you will want to add your own IP address to make sure you don’t accidentally block yourself. It is here that you can “whitelist” as many IP addresses as you like, each separated by a single space.

The next three options, bantime, findtime, and maxretry, are very important. bantime tells Fail2Ban how long to ban an IP address once the threshold is met. findtime is the window of time within which Fail2Ban counts retries (login attempts) before blocking an IP address. maxretry is the maximum number of login attempts allowed within that window. You will want to tune these to your liking. All time-based options are counted in seconds, so 3600 (seconds) would mean 60 minutes, or one hour.
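To make the interaction of maxretry, findtime and bantime concrete, here is an added example (my own code, not part of this guide or of Fail2Ban) that applies the same sliding-window rule to a few constructed /var/log/secure lines. The log lines, hostnames and addresses are made up, and the year is supplied by the caller because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/secure format (not from the guide).
# 203.0.113.7 fails five times in 14 seconds; 198.51.100.4 fails twice, 20 minutes apart.
SAMPLE_LOG = """\
Apr 10 01:10:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 10 01:10:05 host sshd[2001]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 10 01:10:09 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Apr 10 01:10:12 host sshd[2005]: Failed password for root from 203.0.113.7 port 50140 ssh2
Apr 10 01:10:15 host sshd[2007]: Failed password for root from 203.0.113.7 port 50150 ssh2
Apr 10 01:10:20 host sshd[2009]: Accepted publickey for deploy from 198.51.100.4 port 41000 ssh2
Apr 10 01:30:00 host sshd[2011]: Failed password for root from 198.51.100.4 port 41002 ssh2
Apr 10 01:50:00 host sshd[2013]: Failed password for root from 198.51.100.4 port 41003 ssh2
"""

# Simplified stand-in for fail2ban's sshd filter: timestamp and source address of a failure.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")


def find_bans(log_text, maxretry=5, findtime=600, bantime=600, year=2015):
    """Return {ip: ban_expiry} for every IP that reaches maxretry failures
    within a sliding findtime window. Times are in seconds, as in jail.local.
    Syslog lines carry no year, so the year is supplied by the caller."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and other noise do not count
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip]:
            continue  # while the iptables rule is in place the host cannot retry
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}")
```

With the guide's defaults only 203.0.113.7 is banned; raising findtime to 3600 with maxretry 2 also catches the slow attempts from 198.51.100.4, which shows why the window, not just the count, matters.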

Next, it would be a good idea to configure your email details so Fail2Ban knows where to send notifications. You will find these options in the Actions section.

# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

The destemail should be set to the email address where you want to receive alerts and ban notifications (i.e., your email address). Sender should be set to the “from” address you’d like the notification emails to appear to come from. And finally, mta should be set to the mail transfer agent you are using on your system. From what I’ve read, this can be set as sendmail or mail, but I was unable to get Fail2Ban to even start when changing mta to mail. So, I recommend leaving this as sendmail. You can run yum install sendmail if you don’t have it installed already, but it’s highly unlikely you don’t.

There is one more option we need to configure in the Actions section, and that is the action variable itself. It looks like this, all the way at the end of the Actions section.

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

In a nutshell, if this is left at the default, action_, it will ban IP addresses without notifying you. If you set it to action_mw, you will get an email report with the IP, as well as a WHOIS report with information about the IP address. You can also set this to action_mwl, and you will get the IP and WHOIS information, as well as the relevant lines from the log file concerning the ban. I prefer setting this to action = %(action_mwl)s because the more information I have, the better informed I’ll be.

Now you need to configure at least one jail. SSH should definitely be monitored by Fail2Ban, as it’s one of the most commonly brute-forced services and extremely important. So, we’ll use that as the example. Go ahead and scroll down until you see:

#
# JAILS
#

#
# SSH servers
#

[sshd]

port    = ssh
logpath = %(sshd_log)s

If you take a minute to look at the Jails section, you will see that each jail is organized under a name in [] brackets. So this is the [sshd] (SSH daemon) jail. By default, each jail is disabled, either with an enabled = false line or with no enabled line at all; the net effect of both is that the jail is disabled. If you want to enable a jail, simply insert enabled = true under the jail configuration. So, this is what the SSH jail looks like after being enabled:

[sshd]

port    = ssh
logpath = %(sshd_log)s
enabled = true
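Before restarting the service, it is worth checking that the edits above actually produce what you intended. The following is an added example (my own script, not part of this guide or of Fail2Ban) that parses a jail.local the way the guide builds one, reports which jails are enabled and the bantime/findtime/maxretry each will run with (inherited from [DEFAULT] unless the jail overrides them), and flags an ignoreip that does not cover your own address. The embedded jail.local fragment and the addresses in it are constructed.

```python
import configparser
import io
import ipaddress
# Constructed jail.local fragment in the shape this guide produces (not a real file).
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.4
bantime  = 600
findtime = 600
maxretry = 5
action = %(action_mwl)s

[sshd]
port    = ssh
logpath = %(sshd_log)s
enabled = true

[apache-auth]
port    = http,https
enabled = false
maxretry = 3

[pure-ftpd]
port    = ftp
"""

def audit_jail_local(text, admin_ip):
    """Return (enabled_jails, findings): enabled_jails maps each enabled jail to the
    (bantime, findtime, maxretry) it runs with, [DEFAULT] values included."""
    # interpolation=None: %(action_mwl)s and %(sshd_log)s are fail2ban's, not configparser's.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(text))
    default = cfg["DEFAULT"]
    findings = []
    admin = ipaddress.ip_address(admin_ip)
    # ignoreip entries may be plain addresses or CIDR masks, so compare as networks.
    nets = [ipaddress.ip_network(tok, strict=False) for tok in default.get("ignoreip", "").split()]
    if not any(admin in net for net in nets):
        findings.append(f"ignoreip does not cover {admin_ip}: a few typos could ban you")
    if "action_mwl" not in default.get("action", ""):
        findings.append("action is not action_mwl: ban mails (if any) will lack the log lines")
    enabled = {}
    for jail in cfg.sections():
        sec = cfg[jail]  # lookups fall back to [DEFAULT] automatically
        if sec.getboolean("enabled", fallback=False):  # absent or false => disabled
            enabled[jail] = (sec.getint("bantime"), sec.getint("findtime"), sec.getint("maxretry"))
    if "sshd" not in enabled:
        findings.append("sshd jail is not enabled")
    return enabled, findings
```

To run it against a real server, read /etc/fail2ban/jail.local into a string and pass your management address as admin_ip.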

Now the SSH jail is configured with the default options, using the time and retry settings we set before. Next, simply go through the file and enable the other jails you would like. Each jail (or filter) corresponds to a file in the fail2ban/actions.d folder with the same name, which includes the information needed to make the jail functional. You shouldn’t need to modify any of those files, but take a look after we’re finished with this guide so you know what you’re working with. After you’ve enabled all the jails you need, save your jail.local file (if using nano, simply press Ctrl+X, then Y for yes to save, and then Enter). Now we are back at the command line and need to restart Fail2Ban so the changes are applied. Here’s how you do that:

sudo service fail2ban restart

If all goes well, you should see this:

sudo service fail2ban restart
Redirecting to /bin/systemctl restart  fail2ban.service

To make sure everything is working, let’s check iptables using this command:

iptables -L

You should see references to Fail2Ban for each jail you configured, for example:

f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

These are just two examples. As long as you see Fail2Ban references after running iptables -L, you should be good to go. If you configured the email options, you should get notifications when IP addresses are blocked. You can also check the Fail2Ban log file to make sure everything is functional:

cat /var/log/fail2ban.log

What you see depends on whether any IP addresses have been blocked yet. This is an example of what you might see towards the bottom:

2015-04-10 01:10:08,998 fail2ban.filter         [12493]: INFO    Set jail log file encoding to UTF-8
2015-04-10 01:10:08,998 fail2ban.actions        [12493]: INFO    Set banTime = 3600
2015-04-10 01:10:08,999 fail2ban.filter         [12493]: INFO    Set findtime = 600
2015-04-10 01:10:09,021 fail2ban.jail           [12493]: INFO    Creating new jail 'directadmin'
2015-04-10 01:10:09,022 fail2ban.jail           [12493]: INFO    Jail 'directadmin' uses poller
2015-04-10 01:10:09,023 fail2ban.filter         [12493]: INFO    Set jail log file encoding to UTF-8
2015-04-10 01:10:09,023 fail2ban.jail           [12493]: INFO    Initiated 'polling' backend
2015-04-10 01:10:09,028 fail2ban.filter         [12493]: INFO    Added logfile = /var/log/directadmin/login.log
2015-04-10 01:10:09,028 fail2ban.filter         [12493]: INFO    Set maxRetry = 10
2015-04-10 01:10:09,029 fail2ban.filter         [12493]: INFO    Set jail log file encoding to UTF-8
2015-04-10 01:10:09,030 fail2ban.actions        [12493]: INFO    Set banTime = 3600
2015-04-10 01:10:09,031 fail2ban.filter         [12493]: INFO    Set findtime = 600
2015-04-10 01:10:09,034 fail2ban.filter         [12493]: INFO    Date pattern set to `'^%Y:%m:%d-%H:%M:%S'`: `^Year:Month:Day-24hour:Minute:Second`
2015-04-10 01:10:09,201 fail2ban.jail           [12493]: INFO    Jail 'sshd' started
2015-04-10 01:10:12,382 fail2ban.jail           [12493]: INFO    Jail 'apache-auth' started
2015-04-10 01:10:14,161 fail2ban.jail           [12493]: INFO    Jail 'pure-ftpd' started
2015-04-10 01:10:19,521 fail2ban.jail           [12493]: INFO    Jail 'directadmin' started

As long as you don’t see anything out of the ordinary here, you should be good to go! If you want to dig deeper into all the available jails, filters and configuration options, you should skim through the official Fail2Ban documentation. It goes very in depth. Here are some links for you.

Fail2Ban Official Manual

If you do happen to run into any problems, the official FAQ might be able to help you. I would check it before looking elsewhere. You can click here to see the FAQ in English (other languages are available).

And last but not least, the Fail2Ban wiki has a pretty sweet HowTo section with some great information. You can click here to take a look.