Fail2ban is an open-source & free intrusion prevention system. It’s used to protect the server system against brute-force attacks. Fail2ban monitors the SSH log files for authentication attempts continuously. It’s banned the client IP after a specified number of incorrect password attempts. It is also used for securing SSH, VSFTPD, Apache and Webmin. Today, we’ll learn how we can install and configure Fail2ban in AlmaLinux 9
Before starting the tutorial, ensure that your server is running with AlmaLinux 9 & you have the root access to install and configure Fail2ban in AlmaLinux 9 server.
Table of Contents
Step 01: Need to verify whether the Firewalld is installed/enabled or not:
Firewalld is a Firewall management tool that comes pre-installed in AlmaLinux 9.
systemctl status firewalldIf your firewall is running, it’ll show “active (running)”, & it’s not running, then it’ll show “inactive (dead)” under the Active section.
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)To start the Firewall service, use the following command.
systemctl start firewalldNow, recheck the status using the following command.
systemctl status firewalldThe output should be like this:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-09-19 17:49:15 UTC; 12s ago
Docs: man:fail2ban(1)
Main PID: 306465 (fail2ban-server)
Tasks: 3 (limit: 204279)
Memory: 10.9M
CGroup: /system.slice/fail2ban.service
└─306465 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf startNow, watch all the services as list configured by the firewall using the following command:
firewall-cmd --list-allThe output will be like this:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0
sources:
services: cockpit dhcp dhcpv6-client ftp https imap imaps pop3 pop3s smtp smtps ssh
ports: 21/tcp 22/tcp 25/tcp 53/tcp 80/tcp 143/tcp 443/tcp 465/tcp 993/tcp 3306/tcp 53/udp 587/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: Step 02: Install Fail2ban:
The Fail2Ban package is not available in AlmaLinux 9 repositories. So, we need to install this from the EPEL repository.
Use the following command to install the EPEL repository.
dnf install epel-release -yAfter installing the EPEL repository, we need to install the Fail2Ban by using the following command:
dnf install fail2ban fail2ban-firewalld -yAfter installing the package, we need to activate & run it.
Step 03: Active & Enable the Fail2Ban Package:
Using the following command, we can activate the Fail2Ban in AlmaLinux 9:
systemctl start fail2banTime to enable the Fail2Ban by using this command:
systemctl enable fail2banTime to check whether the Fail2Ban is enabled or not!
systemctl status fail2banThe output will show like this:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-09-19 17:49:15 UTC; 12s ago
Docs: man:fail2ban(1)
Main PID: 306465 (fail2ban-server)
Tasks: 3 (limit: 204279)
Memory: 10.9M
CGroup: /system.slice/fail2ban.service
└─306465 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf startStep 03: Configure Fail2Ban
The main configuration file name is jail.conf for Fail2Ban & located at /etc/fail2ban/. To configure the Fail2Ban, we’ll need to use this file.
It’s always safe to keep a backup of the default file.
Using the following command, we’ll keep the default file as a backup file. The name of this file will be jail.conf.back.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backAs Fial2Ban uses the IPtables firewall, we need to enable the Firewalld support using the following command:
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.localNow, we need to restart the Fail2Ban by using the following command:
systemctl restart fail2banStep 04: Secure SSH with Fail2Ban
Now, we need to configure Faild2Ban to block remote IPs. Here, we’ll create a jail configuration file to keep SSH secured using the following command:
Nano should be installed on your server. Otherwise, you may use vim.
nano /etc/fail2ban/jail.d/sshd.localAdd the following lines in it:
[sshd]
enabled = true
maxretry = 3
bantime = 3hHere,
- [ssh] is used to enable Fail2Ban for SSH.
- enable = true means this configuration is enabled.
- maxretry = 3 means the system will block any IP after three incorrect attempts.
- bantime = 3h means the blocked IP gets banned for 3 hours.
Now, we need to save the file using CTRL+O & Enter and close it using CTRL+X. Now, it is time to restart the Fail2Ban service.
systemctl restart fail2banWe have to check whether the Fail2Ban is configured or not using the following command:
fail2ban-client status The output has to be:
Status
|- Number of jail: 1
`- Jail list: sshdCongratulations! We have successfully installed & configured Fail2Ban in AlmaLinux 9.
Some Useful Commands
To check banned IPs, use the following command:
fail2ban-client status sshdOutput:
|- Filter
| |- Currently failed: 1
| |- Total failed: 33
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 3
|- Total banned: 4
`- Banned IP list: 95.214.55.115 114.241.102.79 218.92.0.102To unban the IP Address, use the following command:
fail2ban-client unban <ip-address> NB. These commands can be installed and configured Fail2Ban on any Red Hat Enterprise Linux (RHEL) based Linux distros.
0 Comments