Fail2ban is a free and open-source Intrusion Prevention System (IPS) that protects the server against brute-force attacks.

After a specified number of incorrect password attempts, the client’s IP address is banned from accessing the system for a specified period or until the system administrator unblocks it. This way, the system is safeguarded from repeated brute-force attacks from a single host.

Fail2ban is highly configurable and can be set up to secure a myriad of services such as SSH, vsftpd, Apache, and Webmin.

Step 1: Ensure Firewalld is Running

By default, Almalinux / Rocky comes with Firewalld running. However, if this is not the case on your system, start Firewalld by executing:

# sudo systemctl start firewalld

Then enable it to start on boot time:

# systemctl enable firewalld

Then verify the status of Firewalld

# systemctl status firewalld
Check Firewalld Status

In addition, you can confirm all the Firewalld rules currently being enforced using the command:

# firewall-cmd --list-all
List Firewalld Rules

Step 2: Install EPEL in Almalinux

As a requirement for the installation of fail2ban and other requisite packages, you need to install the EPEL repository which provides additional high-quality packages for RHEL-based distributions.

# dnf install epel-release
Install EPEL in AlmaLinux

Step 3: Install Fail2ban in AlmaLinux

With EPEL installed, proceed and install fail2ban package.

# dnf install fail2ban

This installs the fail2ban server and the firewalld component along with other dependencies.

Install Fail2ban in AlmaLinux

With the installation of fail2ban complete, start the fail2ban service.

# systemctl start fail2ban

And enable it to start on boot time.

# systemctl enable fail2ban
# systemctl status fail2ban

The output is a confirmation that Fail2ban is running as we would expect.

Check Fail2ban Status

Step 4: Configuring Fail2ban in AlmaLinux

Moving on, we need to configure fail2ban for it to work as intended. Ideally, we would edit the main configuration file – /etc/fail2ban/jail.conf. However, this is discouraged. As a workaround will copy the contents of the jail.conf configuration file to jail.local file.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, open the jail.local file using your preferred editor.

# vi /etc/fail2ban/jail.local

Under the [DEFAULT] section, ensure you have the following settings as they appear.

bantime = 1h
findtime = 1h
maxretry = 3

Let us define the attributes:

  • The bantime directive specifies the duration of time that a client will be banned following failed authentication attempts.
  • The findtime directive is the duration or period within which fail2ban will consider when considering repeated incorrect password attempts.
  • The maxretry parameter is the maximum number of incorrect password attempts before the remote client is blocked from accessing the server. Here, the client will be locked out after 5 authentication failures.

By default, fail2ban works with iptables. However, this has been deprecated in favor of the firewalld. We need to configure fail2ban to work alongside firewalld instead of iptables.

# mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

To apply the changes, restart fail2ban:

# systemctl restart fail2ban

Step 5: Securing SSH service with Fail2ban

By default, fail2ban does not block any remote host until you enable jail configuration for a service that you wish to secure. The jail configuration is specified in the /etc/fail2ban/jail.d path and will override the configuration specified in the jail.local file.

In this example, we will create a jail configuration file to protect the SSH service. Therefore, create the SSH jail file.

# vi /etc/fail2ban/jail.d/sshd.local

Next, paste the following lines:

[sshd]
enabled = true

# Override the default global configuration
# for specific jail sshd
bantime = 1d
maxretry = 3

In the configuration above, a remote host will be banned from accessing the system for 1 day after 3 failed SSH login attempts. Save the changes and restart the fail2ban service.

# systemctl restart fail2ban

Next, verify the jail configuration status using the fail2ban-client command-line utility.

# fail2ban-client status

From the output, we can see that we have 1 jail configured for a service called ‘sshd’.

Step 6: Check status fail2ban

To gather insights on the client systems blocked check the jail status.

# fail2ban-client status sshd
Check Fail2ban Block Status

To unban or remove the client from the jail, execute the command:

# fail2ban-client unban 61.177.173.50

.


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

eleven + 3 =