If you have a server or computer that is directly connected to the Internet, they are exposed to certain risk. Now any web server or VPS is a potential target for hacker attacks. A properly configured firewall can prevent many attacks. But you still need to leave open some services to have the ability to administer a server, such as SSH.
This Protocol is often the target of brute force. But fortunately there is a solution. The tool allows Fail2ban to block access from IP addresses with a large number of incorrect logins. The program fail2ban can be used not only for SSH, it can protect various forms of web authentication, FTP, and prevent DoS attacks on the server. In this article we will discuss how to install and configure Fail2ban CentOS 7 because this operating system often used for servers.
The program fail2ban is very often used to protect servers, so it is in the official repository of EPEL. To install the program first, add the repository:
yum update && sudo yum install epel-release
Then install fail2ban centos 7:
sudo yum install fail2ban
After installation will load the base configuration program, so so start protecting your server, start it using the system services control:
sudo systemctl start fail2ban
Configure fail2ban CentOS 7
All configuration files are in the folder /etc/fail2ban. Here are the main files that we will use:
- fail2ban.conf – an example of executing the main program settings;
- jail.conf – an example configuration deny rules;
- jail.d – folder with configuration files the user to customize the rules of the ban;
- action.d files that describe actions performed when you lock;
- filter.d – these files describe how the analysis of program logs for finding failed login attempts.
Any settings in the existing file can not be changed, they will be updated when updating the software, which means that all your changes will be erased. To set your settings, you need to create a file with the same name and extension .local. For example, create a file to configure a jail.conf:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
We can now change any settings that you don’t like in the main file. The configuration file is divided into sections depending on the purpose of options. In section [DEFAULT] are in General settings, followed by separate sections for each block separately. The default options are so bad work, but in some cases additional configuration may be very useful.
The lock can be configured using different parameters. Here are the most important ones are:
- ignoreip – specifies the list of ip addresses that should be excluded from Fail2ban algorithms. They will not be subject to restrictions, so choose them carefully. Ranges and IP addresses should be separated by a space. Here you can add local ip and your home address so that you will not have problems at the entrance;
- bantime – specifies the time for which the client is closed, the access server if it cannot log in in seconds;
- maxretry specifies the number of attempts before access is blocked;
- findtime is the time in seconds during which the maxretry is calculated.
In our example, the user will be blocked for 600 seconds after 5 unsuccessful attempts:
By default, in CentOS, all locks are disabled, to enable it replace the line enabled value to true. But it is not recommended to do so because you will have to remove from config all the unnecessary block rules, otherwise they will cause a start error. You can also include the processing of each application separately:
Next we need to configure actions for an injunction, and supported them with several options. As soon as you need to lock, the program decides on the basis of the following parameters:
- banaction – this parameter specifies the configuration file for the lock to be used. Usually indicates a file in the folder /etc/fail2ban/action.d/ which contains commands to lock. The default iptables;
- action – using the options action specify the labels of the additional action that is performed after the banaction. The script passes the name, port, Protocol, goal, and scenario.
Configuring Email alerts
If you want to configure the alarm Annunciation blocking Fail2ban via e-mail, it is also configured in the [DEFAULT] section. Only need to on your machine has been configured mail server and he could send mail to an external address. Otherwise all emails will be delivered to the local Linux account.
For tuning there are two parameters:
- destemail – this parameter specifies the email address to which you want to receive messages. The default value is [email protected];
- mta – specifies a mail agent that will be used for mail delivery. If you have Sendmail configured, leave the default value. If letters need to deliver to the local machine, change the value to mail.
- For local mail, you will need to replace the line action_mw on action_mwl:
Continue to check the mail, you can watch the file /var/mail/mail:
Configuring individual applications
Immediately after the partition settings by default, you will see sections marked like this: [application_name]. Consider the basic parameters used:
- filter – specifies the name of the file in the directory /etc/fail2ban/filter.d/ It tells the program how to analyze the log and find the failed login attempt;
- logpath – the path to the log file for the service, where it records a failed login attempt;
You can also override any of the default settings, for example, the maxretry and using the enabled parameter, you can enable only the necessary blockers. Default blocking rules not only for ssh but also for many other services, e.g., different authentication methods are http, ftp, authentication mail, and so on.
For example, to activate blocking of incorrect SSH inputs, power section [sshd] like the following:
Typically, no additional configuration for iptables is not required. But let’s look at the configuration file, which is responsible for blocking that you understand how everything works. The name of this file is specified in the banaction parameter. The default is iptables-multiport.conf:
Here we can see what comes after fail2ban decides what is necessary to block access to certain IP addresses. First, run the following iptables commands:
They are used for media traffic in the filter chain. Iptables controls traffic based on the circuits and each one can have a rule for all traffic that determine whether to skip or not. The first line creates a new chain with the name fail2ban-ServiceName. It will contain all deny rules for this ip address. The second line returns control to the chain causing this, and the third adds a rule to the primary circuit, which transfers control to our chain.
Thus, all incoming traffic from the right port is handled by our chain fail2ban-ServiceName. Now the first rule it sends traffic back to the calling chain, it means that the Board just passed us and back. But now we can add additional rules.
To break the chain use the following rules:
Now, when we need to ban the user program execute the command:
This command says that you must drop all packets from that ip address and not attempt to determine the authenticity of the data. When the time lock went out, she removed with the command:
If you want to understand what rules are currently used and which ip addresses are denied access, run in terminal:
Ending the configuration
When you complete the settings, save the changes to the configuration file and restart the fail2ban service. First check that the configuration is correct:
If everything is correct, restart the service:
sudo systemctl restart fail2ban
To test your rules, you can perform several login attempts with an incorrect username and password, for example, to the ssh service, if you have configured it as described in this article. When you reach the limit of requests your server will not even request a password. Then you can review the rules:
At the very bottom, in our chain, you can see the list of banned ip fail2ban. To unban any ip address is sufficient to remove.
In this article we looked at how you are configuring fail2ban CentOS 7. Now you can configure additional protection for your servers to protect it from breaking.