Install Fail2ban on CentOS 7 & 8

Objective:

Ban all IPs that have failed logins matching certain policies. Here’s a screenshot of this app in action:

CentOS 8:
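# Install
# fail2ban comes from EPEL on CentOS 8. Stop if either install fails so the
# jail file below is not written for a package that is not there.
dnf install -y epel-release || exit 1
dnf install -y fail2ban || exit 1

# Configure to ban for 1 hour if ssh logins are incorrect 3 times in a row
# Collect every globally scoped IPv4 address of this host, with its prefix
# length (e.g. 10.0.0.5/24), one per line. These end up in ignoreip, i.e.
# failed logins from them are never banned — remove any entry you do not
# trust before the jail file is written. Kept newline-separated on purpose:
# the jail heredoc word-splits it when joining.
localSubnets=$(ip -o -f inet addr show | awk '/scope global/ {print $4}')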
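#######################################
# Join the remaining arguments with a single-character separator.
# Arguments: $1 - separator character; $2.. - items to join
# Outputs:   the joined string, followed by a newline, on stdout
#######################################
joinVariables() {
  # IFS is local to this function; "$*" joins with its first character.
  local IFS="$1"
  shift
  # printf instead of echo so an item such as "-n" is printed literally
  # rather than being read as an echo option.
  printf '%s\n' "$*"
}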
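# Write the jail as jail.local; jail.conf is the packaged default and is
# replaced on upgrade. ignoreip is the comma-joined list of this host's own
# subnets ($localSubnets is left unquoted on purpose so it splits into one
# argument per line), so nothing on those subnets is ever banned.
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT] 
ignoreip = $(joinVariables , $localSubnets)
bantime  = 3600
findtime  = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd

[sshd] 
enabled = true
EOF

# Set startup
# Do not carry on to the checks below if the service does not start.
systemctl start fail2ban || exit 1
systemctl enable fail2ban
systemctl status fail2ban

# Validate that an IP is banned
# -F matches the dots literally; -- keeps the address from being read as an option.
ip=106.12.38.105
fail2ban-client status sshd | grep -F -- "$ip"

# Unban
# Plain assignment: "$ip=..." would expand the old value and try to run it as
# a command. x.x.x.x is a placeholder — put the address to release here.
ip=x.x.x.x
fail2ban-client unban "$ip"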
CentOS 7:

Install Fail2Ban

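# fail2ban comes from EPEL on CentOS 7; stop if either step fails so the
# configuration below is not applied to a package that is not installed.
yum install -y epel-release || exit 1
yum install -y fail2ban || exit 1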

Configure permanent bans

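# Find IP of current connections
# Useful for confirming your own client address before filling in ignoreip.
# ss (iproute) is present on a minimal CentOS 7 install, while netstat needs
# the net-tools package, so only fall back to netstat when ss is missing.
if command -v ss >/dev/null 2>&1; then
  ss -antp
else
  netstat -natp
fi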
 
# jail.conf is the packaged default and is replaced on upgrade; the same keys
# placed under [DEFAULT] in jail.local (as done further below) survive upgrades.
vim /etc/fail2ban/jail.conf
 
### Set this ###
# "bantime" is the number of seconds that a host is banned.
# bantime  = 600 # 10 minutes

# Permanent ban (never expires, so make sure every trusted admin network is listed in ignoreip below)
bantime = -1

# set IgnoreIP
ignoreip = 127.0.0.1/8 [otherNetworksHere]

# It's also recommended to ignore any other subnets that are trusted to access this server
################
# This edits the packaged action file, which a package upgrade may overwrite;
# fail2ban also honours a matching .local override next to it, so consider
# putting the changes below in action.d/iptables-multiport.local instead.
vim /etc/fail2ban/action.d/iptables-multiport.conf
 
##### Set Action Start #####

actionstart = iptables -N fail2ban-<name>
             iptables -A fail2ban-<name> -j RETURN
             iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Add these lines so the bans saved in persistent.bans are loaded back into iptables when the jail starts:
         cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
         | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done
#
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Add this line - including the tab indent (note: nothing removes entries from persistent.bans, so an IP you unban is banned again at the next fail2ban start unless you also delete its line from that file)
   echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
#
#########################
# Create or edit the local override; it is read after jail.conf and the
# jail.d/*.conf files, so the values here win over them.
vim /etc/fail2ban/jail.local
 
#### insert these lines ####

[DEFAULT]
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport


[sshd]
enabled = true
banaction = iptables-multiport
bantime = -1 # or the number of seconds
maxretry = 0
# port = 22 # optional

# insert other services as needed
########
# Alternative configuration for temporary bans
# Same file as above. Use this block instead of the permanent-ban one, not in
# addition to it — a later [DEFAULT] bantime would silently override the earlier one.
vim /etc/fail2ban/jail.local
 
#### insert these lines ####
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
########
Restart fail2ban
 
# Restart so the edited jail.local and action files are read. If the service
# does not come back, check systemctl status fail2ban and the fail2ban log for
# the jail or action that failed to load.
systemctl restart fail2ban
Check current bans
 
# Show the sshd jail's counters and its currently banned IPs.
fail2ban-client status sshd
Set Fail2Ban Autostart
 
[rambo@testbox ~]# systemctl enable fail2ban
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.

How to Unban an IP

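# Find jail name of a specific IP on CentOS 7
# ip must be set to the address you are looking for; abort with a message if it is not.
: "${ip:?set ip to the address to look up}"
# A plain grep drops the "Chain fail2ban-<jail>" header lines, so the jail cannot
# be told from its output. Remember the last chain header seen and print it in
# front of every rule that contains the address (index() is a literal match, so
# the dots in the address are not treated as a pattern).
iptables -n -L --line-numbers \
  | awk -v ip="$ip" '/^Chain / { chain = $2 } index($0, ip) { print chain ": " $0 }'

# Sample output (constructed from the rule below): chain name, rule number, rule
# fail2ban-sshd: 131  REJECT     all  --  100.2.151.232        0.0.0.0/0            reject-with icmp-port-unreachable

# 131 is the rule number inside that chain, not the jail name; the jail is the
# part after "fail2ban-" in the chain name (sshd above).

# Unban IP from the correct jail. Let fail2ban remove the rule itself so its own
# record of the ban stays in step with iptables.
fail2ban-client set sshd unbanip "$ip"

# Deleting the rule by hand also works, but fail2ban is not told about it:
#   iptables -D fail2ban-sshd 131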
