Protecting the server from possible attacks is a basic task of any sysadmin. This is not as easy as it seems but it is possible if you learn how to install and configure Fail2ban on CentOS 8. The following guide will be very useful for this purpose.
Fail2ban is a Python tool that scans log files such as /var/log/auth.log and bans IP addresses that make too many failed login attempts. It does this by updating the system firewall rules to reject new connections from those addresses for a configurable amount of time.
Fail2ban works out of the box: it ships with default settings and filters that let it read many common log files and apply protection rules without further configuration.
Widely used by sysadmins, Fail2ban reduces the risk of SSH attacks, although its developers caution that other security measures are needed for real protection. Still, Fail2ban gives us another layer of security and makes the server a little safer.
One detail that should not be overlooked is that Fail2ban is open source, so you can verify that its source code contains no backdoors or malicious code.
Despite its popularity, Fail2ban is not included in the official CentOS 8 repositories. However, this does not make it hard to install.
So, in a terminal, first update the operating system:
sudo dnf update
Fail2ban is available in the EPEL repository. Although external to CentOS 8, many consider EPEL a fundamental repository because of the large number of packages it carries; it is also considered quite secure, and it is what we will use here.
So, add it to the running system:
sudo dnf install epel-release
Once the package is installed and the repository is added to the system, we can install Fail2ban:
sudo dnf install fail2ban
Fail2ban runs as a system service, so we start it with systemctl:
sudo systemctl start fail2ban
It is also a good idea to enable it so that it starts with the system like any other service:
sudo systemctl enable fail2ban
You can then check the status of the service to confirm that it started correctly:
sudo systemctl status fail2ban
Now with Fail2ban installed, we can configure it according to our needs.
Before making any changes, it is useful to know how Fail2ban manages its configuration files.
By default, the Fail2ban configuration files reside in /etc/fail2ban/, where there are two files that we should not modify directly. The recommended way to make changes is therefore to copy the entire contents of jail.conf into a file called jail.local in the same directory, because settings in .local files override those in the .conf files. It is also possible to create jail.local from scratch containing only the settings you want to change.
Whether you copy the contents of jail.conf or start from scratch, you can then add your own settings.
For example, some of the basic settings you can configure in Fail2ban are:
- bantime: Time in seconds for which an IP address stays banned.
- maxretry: Number of failed attempts allowed before the host is banned.
- findtime: Window in seconds; if a host reaches maxretry failures within findtime seconds, it is banned.
- banaction: The action the system takes when banning a host.
- backend: The mechanism Fail2ban uses to read the logs it monitors.
Also, with the ignoreip value you can define an IP address or range that Fail2ban will never ban.
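To make the interaction of findtime, maxretry, bantime and ignoreip concrete, here is an added example (not code from the original post or from the Fail2ban project) that re-implements that counting logic in plain Python and runs it over constructed sshd-style log lines. The regex is a simplified stand-in for the real sshd filter, and the addresses and timestamps are made up.

```python
"""Added example: a minimal model of how Fail2ban decides to ban a host.
A failure counts toward a ban only if it falls within `findtime` seconds
of the host's earlier failures; reaching `maxretry` failures in that
window bans the host for `bantime` seconds; hosts in `ignoreip` never
count. Not the project's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the auth.log/sshd style (not real data).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[100]: Failed password for root from 203.0.113.10 port 5000 ssh2
Mar  1 10:00:05 host sshd[101]: Failed password for root from 203.0.113.10 port 5001 ssh2
Mar  1 10:00:09 host sshd[102]: Failed password for invalid user admin from 203.0.113.10 port 5002 ssh2
Mar  1 10:00:12 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2
Mar  1 10:00:20 host sshd[104]: Failed password for root from 192.168.1.5 port 5200 ssh2
Mar  1 10:00:21 host sshd[105]: Failed password for root from 192.168.1.5 port 5201 ssh2
Mar  1 10:00:22 host sshd[106]: Failed password for root from 192.168.1.5 port 5202 ssh2
Mar  1 10:05:00 host sshd[107]: Failed password for root from 198.51.100.9 port 5300 ssh2
Mar  1 10:20:00 host sshd[108]: Failed password for root from 198.51.100.9 port 5301 ssh2
Mar  1 10:35:00 host sshd[109]: Failed password for root from 198.51.100.9 port 5302 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (hypothetical pattern).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def run_jail(log_text, findtime=600, maxretry=3, bantime=3600, ignoreip=()):
    """Return {ip: (ban_start, ban_end)} for hosts that hit maxretry
    failures within findtime seconds, skipping ignoreip networks."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(list)  # ip -> timestamps still inside findtime
    bans = {}                     # ip -> (start, end) of the ban
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and other noise never count
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue              # whitelisted address
        if ip in bans and when < bans[ip][1]:
            continue              # already banned; firewall drops it anyway
        # Keep only failures that are still inside the findtime window.
        window = [t for t in failures[ip] if (when - t).total_seconds() <= findtime]
        window.append(when)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=bantime))
            failures[ip] = []
    return bans


if __name__ == "__main__":
    for ip, (start, end) in run_jail(SAMPLE_LOG, ignoreip=("192.168.1.0/24",)).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run as written, only 203.0.113.10 is banned: 192.168.1.5 is excluded by ignoreip, and 198.51.100.9 spreads its three failures fifteen minutes apart, so with findtime = 600 no two of them ever share a window. Raising findtime to 3600 catches that slow pattern too, which is the trade-off the findtime setting controls.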
One of the most important services to protect is SSH. To do so, add the following jail to the jail.local configuration file:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
This way, you can protect SSH quickly and easily.
To apply all changes, restart the Fail2ban service.
sudo systemctl restart fail2ban
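The following is an added example (not the post's or the Fail2ban project's code) showing two things a practitioner will want to check before that restart: how a jail.local overlays jail.conf key by key, so a from-scratch jail.local only needs the settings you change, and whether each enabled jail's logpath actually exists. The jail.conf text is a constructed stand-in for the much larger shipped file; the jail.local is the SSH jail from this post plus one DEFAULT override. Note that on CentOS 8 sshd normally logs to /var/log/secure (or is read through the journal with backend = systemd), so a jail pointing at /var/log/auth.log is exactly the kind of mistake this check surfaces.

```python
"""Added example: resolve Fail2ban's .conf/.local layering with configparser
and flag enabled jails whose logpath is missing. Not the project's own code;
the config text below is constructed for the demonstration."""
import configparser
import os

# Constructed stand-in for the shipped jail.conf (the real one is far longer).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
backend = auto

[sshd]
enabled = false
port = ssh
logpath = /var/log/secure
"""

# The jail.local from the post, plus a DEFAULT override to show layering.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
"""


def load_overlay(conf_text, local_text):
    """Read .conf first, then .local: configparser merges sections and lets
    the later file override individual keys, which is Fail2ban's rule."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp


def enabled_jails(cp):
    """Jail sections whose effective 'enabled' value is true."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def effective(cp, jail):
    """Resolved settings for one jail, with DEFAULT values filled in."""
    return dict(cp.items(jail))


def check_logpaths(cp, exists=os.path.exists):
    """Return {jail: problem} for enabled jails whose logpath is absent.
    Jails using the systemd backend read the journal and need no file."""
    problems = {}
    for jail in enabled_jails(cp):
        settings = effective(cp, jail)
        if settings.get("backend", "auto") == "systemd":
            continue
        for path in settings.get("logpath", "").split():
            if not exists(path):
                problems[jail] = f"logpath {path} does not exist"
    return problems


if __name__ == "__main__":
    cfg = load_overlay(JAIL_CONF, JAIL_LOCAL)
    for jail in enabled_jails(cfg):
        print(jail, effective(cfg, jail))
    print("problems:", check_logpaths(cfg))
```

The resolved [ssh] jail inherits maxretry = 5 and findtime = 600 from jail.conf's DEFAULT while taking bantime = 3600 from jail.local, which is the layering described earlier. On a host where only /var/log/secure exists, check_logpaths reports the auth.log path; fixing the logpath or switching that jail to backend = systemd before the restart avoids a jail that Fail2ban cannot start.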
In this post, you have learned how to configure Fail2ban to further secure your server from attacks against system services. You can consult the official Fail2ban documentation where you can find many different configurations.