Fail2ban is a free, open-source intrusion prevention tool that protects a server against brute-force login attacks. It continuously scans log files (or the systemd journal) for failed authentication attempts and, once a client IP has failed a configured number of times, bans that IP by inserting a firewall rule for a configured period. Besides SSH it ships filters for services such as vsftpd, Apache and Webmin. In this tutorial we'll install Fail2ban on AlmaLinux 9 and configure it to protect SSH.
Before starting, make sure your server is running AlmaLinux 9 and that you have root access (or sudo); every command below is run as root.
Step 01: Verify whether firewalld is installed and running:
firewalld is the firewall management tool that comes pre-installed on AlmaLinux 9. Fail2ban will apply its bans as firewalld rules, so the daemon must be running. Check its status with:
systemctl status firewalld
If the firewall is running, the Active line shows "active (running)"; if it is not, it shows "inactive (dead)":
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
The "disabled" in the Loaded line above means firewalld would not come back after a reboot, so start it now and enable it at boot in one go:
systemctl enable --now firewalld
Now recheck the status:
systemctl status firewalld
The Active line should now read "active (running)" for firewalld.service (output abridged):
● firewalld.service - firewalld - dynamic firewall daemon
Active: active (running)
Docs: man:firewalld(1)
Now list everything the firewall currently allows in the active zone. Every service and port shown here is reachable from the network, so this is also a good moment to remove anything the server does not actually need to expose:
firewall-cmd --list-all
The output will look like this:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: cockpit dhcp dhcpv6-client ftp https imap imaps pop3 pop3s smtp smtps ssh
ports: 21/tcp 22/tcp 25/tcp 53/tcp 80/tcp 143/tcp 443/tcp 465/tcp 993/tcp 3306/tcp 53/udp 587/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Step 02: Install Fail2ban:
The fail2ban package is not in the AlmaLinux 9 base repositories (BaseOS/AppStream); it comes from EPEL. Install the EPEL repository first:
dnf install epel-release -y
Then install Fail2ban together with its firewalld integration (fail2ban-firewalld pulls in fail2ban-server and the firewalld ban action configuration):
dnf install fail2ban fail2ban-firewalld -y
After installing the packages, the service has to be started and enabled.
Step 03: Start & Enable the Fail2Ban Service:
Start Fail2ban now:
systemctl start fail2ban
Enable it so that it starts on boot:
systemctl enable fail2ban
Check that it is running:
systemctl status fail2ban
The output will look like this:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-09-19 17:49:15 UTC; 12s ago
Docs: man:fail2ban(1)
Main PID: 306465 (fail2ban-server)
Tasks: 3 (limit: 204279)
Memory: 10.9M
CGroup: /system.slice/fail2ban.service
└─306465 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Step 04: Configure Fail2Ban
Fail2ban's jail configuration lives in /etc/fail2ban/. The file jail.conf holds the defaults shipped with the package and is replaced on upgrades, so it must not be edited directly; customisations go into jail.local or into drop-in files under jail.d/ (the files are read in the order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, and later files override earlier ones). jail.conf is still worth reading, because every option used below is documented in it.
It is still good practice to keep a copy of the shipped defaults for reference.
The following command saves the default file as jail.conf.back:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.back
The default ban action in jail.conf is iptables-based (banaction = iptables-multiport), which does not cooperate with firewalld. The fail2ban-firewalld package fixes that with the drop-in /etc/fail2ban/jail.d/00-firewalld.conf, which switches banaction to firewallcmd-rich-rules so that bans are applied as firewalld rich rules. Fail2ban reads the file under either name; renaming it to .local merely marks it as a local file that package updates will leave alone:
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Now restart Fail2ban so that it picks up the change:
systemctl restart fail2ban
Step 05: Secure SSH with Fail2Ban
Now configure a jail that watches sshd and bans the IPs of clients that repeatedly fail to log in. Create a drop-in file for it (nano is used here; if it is not installed, vim works just as well):
nano /etc/fail2ban/jail.d/sshd.local
Add the following lines:
[sshd]
enabled = true
maxretry = 3
bantime = 3h
Here,
- [sshd] selects the sshd jail that jail.conf already defines (filter, port and log source), so only the settings we want to change need to be listed.
- enabled = true switches the jail on; jails are disabled by default.
- maxretry = 3 bans an IP after three failed attempts. Only failures within findtime (10 minutes unless overridden) are counted, so a slow attacker spacing attempts further apart than that is not caught unless findtime is raised.
- bantime = 3h keeps the IP banned for 3 hours; a plain number is interpreted as seconds.
If you administer the server from a fixed address or network, also add ignoreip with that address so that a typo in your own password cannot lock you out.
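To make the interplay of maxretry, findtime, bantime and ignoreip concrete, here is an added example (not part of the original tutorial and not Fail2ban's own code) that replays the same counting logic over a handful of constructed sshd journal lines. The log lines, hostname, PIDs and addresses are made up (the addresses come from the RFC 5737 documentation ranges), and the failure regex is a simplified version of the "Failed password" pattern in Fail2ban's sshd filter. With the tutorial's settings, the fast attacker is banned on the third failure and automatically unbanned 3 hours later, the slow attacker who spaces attempts 15 minutes apart never reaches maxretry inside the default 10-minute findtime, and the admin network listed in ignoreip is never banned at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of `journalctl -u sshd -o short-iso`.
SAMPLE_LOG = """\
2023-09-19T17:50:01+0000 alma sshd[1201]: Failed password for root from 203.0.113.10 port 41022 ssh2
2023-09-19T17:50:03+0000 alma sshd[1201]: Failed password for root from 203.0.113.10 port 41022 ssh2
2023-09-19T17:50:05+0000 alma sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 41030 ssh2
2023-09-19T17:50:06+0000 alma sshd[1204]: Accepted publickey for deploy from 192.0.2.7 port 50110 ssh2
2023-09-19T17:51:00+0000 alma sshd[1205]: Failed password for invalid user oracle from 198.51.100.5 port 3302 ssh2
2023-09-19T18:05:00+0000 alma sshd[1210]: Failed password for invalid user oracle from 198.51.100.5 port 3310 ssh2
2023-09-19T18:20:00+0000 alma sshd[1215]: Failed password for invalid user oracle from 198.51.100.5 port 3320 ssh2
2023-09-19T18:21:00+0000 alma sshd[1216]: Failed password for root from 192.0.2.7 port 50200 ssh2
2023-09-19T18:21:01+0000 alma sshd[1216]: Failed password for root from 192.0.2.7 port 50200 ssh2
2023-09-19T18:21:02+0000 alma sshd[1216]: Failed password for root from 192.0.2.7 port 50200 ssh2
2023-09-19T20:55:00+0000 alma sshd[1230]: Failed password for root from 203.0.113.10 port 41500 ssh2
"""

# Simplified form of the "Failed password" pattern in Fail2ban's filter.d/sshd.conf;
# the real filter matches many more sshd message variants.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


class Jail:
    """Sliding-window ban logic with the meaning of the jail options:
    maxretry failures within findtime seconds => ban for bantime seconds;
    hosts inside ignoreip are never counted. Time values are seconds, as in jail.conf."""

    def __init__(self, maxretry=3, findtime=600, bantime=3 * 3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)   # host -> failure timestamps still inside findtime
        self.banned_until = {}               # host -> expiry time of the active ban
        self.events = []                     # ("ban" | "unban", host, timestamp)

    def _expire(self, now):
        # Fail2ban lifts a ban on a timer; here expiry is evaluated lazily on each event.
        for host, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[host]
                self.events.append(("unban", host, until))

    def feed(self, line):
        m = FAILURE_RE.match(line)
        if m is None:
            return None                      # successful logins and unrelated lines are ignored
        ts, host = parse_ts(m["ts"]), m["host"]
        self._expire(ts)
        if any(ip_address(host) in net for net in self.ignore):
            return "ignored"
        if host in self.banned_until:
            return "banned"
        window = self.failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[host] = ts + timedelta(seconds=self.bantime)
            window.clear()
            self.events.append(("ban", host, ts))
            return "ban"
        return "fail"

    def status(self, now):
        """Roughly the counters that `fail2ban-client status sshd` reports."""
        self._expire(now)
        return {
            "currently_failed": {h: len(w) for h, w in self.failures.items() if w},
            "currently_banned": sorted(self.banned_until),
            "total_banned": sum(1 for e in self.events if e[0] == "ban"),
        }


def run_jail(log_text, **settings):
    jail = Jail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = run_jail(SAMPLE_LOG, ignoreip=("192.0.2.0/24",))
    for kind, host, when in jail.events:
        print(f"{when:%H:%M:%S} {kind:5} {host}")
    print(jail.status(parse_ts("2023-09-19T21:00:00+0000")))
```

Running it with findtime raised to 3600 makes the slow attacker (198.51.100.5) get banned as well, and running it without ignoreip bans the admin network's host after its three failures, which is exactly the lock-out the ignoreip setting is there to prevent.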
Save the file with CTRL+O and Enter, then close nano with CTRL+X. Running fail2ban-client -t first reports any syntax error in the configuration; then restart the Fail2ban service so that it loads the new jail:
systemctl restart fail2ban
Check that the jail was actually loaded:
fail2ban-client status
The output should list the sshd jail:
Status
|- Number of jail: 1
`- Jail list: sshd
Congratulations! Fail2ban is now installed and configured on AlmaLinux 9.
Some Useful Commands
To see the sshd jail's counters and the currently banned IPs (the Journal matches line shows that the jail reads failures from the systemd journal rather than a log file):
fail2ban-client status sshd
Output:
|- Filter
| |- Currently failed: 1
| |- Total failed: 33
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 3
|- Total banned: 4
`- Banned IP list: 95.214.55.115 114.241.102.79 218.92.0.102
To unban an IP address from every jail at once:
fail2ban-client unban <ip-address>
fail2ban-client set sshd unbanip <ip-address> removes the ban from the sshd jail only, and fail2ban-client set sshd banip <ip-address> adds a ban by hand, which is a convenient way to confirm that bans really show up as rich rules in firewall-cmd --list-rich-rules.
NB. The same commands install and configure Fail2ban on any other Red Hat Enterprise Linux (RHEL) based distribution.