Fail2ban is a free and open-source Intrusion Prevention System (IPS) that protects the server against brute-force attacks.
After a specified number of incorrect password attempts, the client’s IP address is banned from accessing the system for a specified period or until the system administrator unblocks it. This way, the system is safeguarded from repeated brute-force attacks from a single host.
Fail2ban is highly configurable and can be set up to secure a myriad of services such as SSH, vsftpd, Apache, and Webmin.
Step 1: Ensure Firewalld is Running
By default, Almalinux / Rocky comes with Firewalld running. However, if this is not the case on your system, start Firewalld by executing:
# sudo systemctl start firewalld
Then enable it to start on boot time:
# systemctl enable firewalld
Then verify the status of Firewalld
# systemctl status firewalld
In addition, you can confirm all the Firewalld rules currently being enforced using the command:
# firewall-cmd --list-all
Step 2: Install EPEL in Almalinux
As a requirement for the installation of fail2ban and other requisite packages, you need to install the EPEL repository which provides additional high-quality packages for RHEL-based distributions.
# dnf install epel-release
Step 3: Install Fail2ban in AlmaLinux
With EPEL installed, proceed and install fail2ban package.
# dnf install fail2ban
This installs the fail2ban server and the firewalld component along with other dependencies.
With the installation of fail2ban complete, start the fail2ban service.
# systemctl start fail2ban
And enable it to start on boot time.
# systemctl enable fail2ban
You can verify the status of the fail2ban service by running the command:
# systemctl status fail2ban
The output is a confirmation that Fail2ban is running as we would expect.
Step 4: Configuring Fail2ban in AlmaLinux
Moving on, we need to configure fail2ban for it to work as intended. Ideally, we would edit the main configuration file – /etc/fail2ban/jail.conf. However, this is discouraged. As a workaround will copy the contents of the jail.conf configuration file to jail.local file.
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, open the jail.local file using your preferred editor.
# vi /etc/fail2ban/jail.local
Under the [DEFAULT] section, ensure you have the following settings as they appear.
bantime = 1h findtime = 1h maxretry = 3
Let us define the attributes:
- The bantime directive specifies the duration of time that a client will be banned following failed authentication attempts.
- The findtime directive is the duration or period within which fail2ban will consider when considering repeated incorrect password attempts.
- The maxretry parameter is the maximum number of incorrect password attempts before the remote client is blocked from accessing the server. Here, the client will be locked out after 5 authentication failures.
By default, fail2ban works with iptables. However, this has been deprecated in favor of the firewalld. We need to configure fail2ban to work alongside firewalld instead of iptables.
So, run with the command:
# mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
To apply the changes, restart fail2ban:
# systemctl restart fail2ban
Step 5: Securing SSH service with Fail2ban
By default, fail2ban does not block any remote host until you enable jail configuration for a service that you wish to secure. The jail configuration is specified in the /etc/fail2ban/jail.d path and will override the configuration specified in the jail.local file.
In this example, we will create a jail configuration file to protect the SSH service. Therefore, create the SSH jail file.
# vi /etc/fail2ban/jail.d/sshd.local
Next, paste the following lines:
[sshd] enabled = true # Override the default global configuration # for specific jail sshd bantime = 1d maxretry = 3
In the configuration above, a remote host will be banned from accessing the system for 1 day after 3 failed SSH login attempts. Save the changes and restart the fail2ban service.
# systemctl restart fail2ban
Next, verify the jail configuration status using the fail2ban-client command-line utility.
# fail2ban-client status
From the output, we can see that we have 1 jail configured for a service called ‘sshd’.
Step 6: Check status fail2ban
To gather insights on the client systems blocked check the jail status.
# fail2ban-client status sshd
To unban or remove the client from the jail, execute the command:
# fail2ban-client unban 188.8.131.52