September 20, 2023
How to Install and Configure Fail2Ban in AlmaLinux 9

Fail2ban is a free, open-source intrusion prevention system used to protect servers against brute-force attacks. It continuously monitors the SSH log files for authentication attempts and bans a client IP after a specified number of incorrect password attempts. It can also be used to secure SSH, VSFTPD, Apache and Webmin. Today, we’ll learn how to install and configure Fail2ban in AlmaLinux 9.

Before starting the tutorial, ensure that your server is running AlmaLinux 9 & that you have root access to install and configure Fail2ban on it.

Step 01: Verify whether Firewalld is installed/enabled or not:

Firewalld is a Firewall management tool that comes pre-installed in AlmaLinux 9.

systemctl status firewalld

If your firewall is running, it’ll show “active (running)”; if it’s not running, it’ll show “inactive (dead)” on the Active line.

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

To start the Firewall service, use the following command.

systemctl start firewalld

Now, recheck the status using the following command.

systemctl status firewalld

The Active line of the output should now show “active (running)”.

Now, list all the services and ports currently allowed by the firewall using the following command:

firewall-cmd --list-all

The output will be like this:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  services: cockpit dhcp dhcpv6-client ftp https imap imaps pop3 pop3s smtp smtps ssh
  ports: 21/tcp 22/tcp 25/tcp 53/tcp 80/tcp 143/tcp 443/tcp 465/tcp 993/tcp 3306/tcp 53/udp 587/tcp
  forward: no
  masquerade: no
  rich rules: 

Step 02: Install Fail2ban:

The Fail2Ban package is not available in AlmaLinux 9 repositories. So, we need to install this from the EPEL repository.

Use the following command to install the EPEL repository.

dnf install epel-release -y

After installing the EPEL repository, we need to install Fail2Ban using the following command:

dnf install fail2ban fail2ban-firewalld -y

After installing the package, we need to activate & run it.

Step 03: Start & Enable the Fail2Ban Package:

Using the following command, we can start Fail2Ban in AlmaLinux 9:

systemctl start fail2ban

Now enable Fail2Ban, so that it starts at boot, by using this command:

systemctl enable fail2ban

Time to check whether the Fail2Ban is enabled or not!

systemctl status fail2ban

The output will show like this:

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-09-19 17:49:15 UTC; 12s ago
     Docs: man:fail2ban(1)
 Main PID: 306465 (fail2ban-server)
    Tasks: 3 (limit: 204279)
   Memory: 10.9M
   CGroup: /system.slice/fail2ban.service
           └─306465 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Step 04: Configure Fail2Ban

Fail2Ban’s main configuration file is jail.conf, located in /etc/fail2ban/. Fail2Ban reads its default settings from this file; the changes in this tutorial go into .local files under /etc/fail2ban/jail.d/, which Fail2Ban reads after jail.conf.

It’s always safe to keep a backup of the default file.

Using the following command, we’ll keep the default file as a backup file. The name of this file will be jail.conf.back.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.back

By default, Fail2Ban uses the iptables firewall, so we need to enable Firewalld support using the following command:

mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

Now, we need to restart Fail2Ban by using the following command:

systemctl restart fail2ban

Step 05: Secure SSH with Fail2Ban

Now, we need to configure Fail2Ban to block remote IPs. Here, we’ll create a jail configuration file to keep SSH secured using the following command:

Nano should be installed on your server. Otherwise, you may use vim.

nano /etc/fail2ban/jail.d/sshd.local

Add the following lines in it:

[sshd]
enabled = true
maxretry = 3
bantime = 3h

  • [sshd] is the jail name and is used to enable Fail2Ban for SSH.
  • enabled = true means this configuration is enabled.
  • maxretry = 3 means the system will block any IP after three incorrect attempts within the findtime window (left at its default here).
  • bantime = 3h means the blocked IP gets banned for 3 hours.

Now, we need to save the file using CTRL+O & Enter and close it using CTRL+X. Now, it is time to restart the Fail2Ban service.

systemctl restart fail2ban

We have to check whether the Fail2Ban is configured or not using the following command:

fail2ban-client status 

The output has to be:

|- Number of jail:	1
`- Jail list:	sshd
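
The jail only appears in this list when its options sit under the right section header in sshd.local. The script below is an added example, not part of the original tutorial or of Fail2Ban: check_jail is a hypothetical helper that lints such a file, and the two sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint a Fail2Ban jail drop-in before restarting the service.
# check_jail is a hypothetical helper name, not a Fail2Ban command.
# Usage: check_jail FILE JAIL  -> prints a verdict, returns 0 (ok) or 1 (problem)
check_jail() {
  awk -v jail="$2" '
    # Fail2Ban time value (seconds, or s/m/h/d/w suffix) to seconds; -1 if unknown.
    function secs(v,   n, u) {
      n = v + 0; u = v; sub(/^[0-9]+/, "", u)
      if (u == "" || u == "s") return n
      if (u == "m") return n * 60
      if (u == "h") return n * 3600
      if (u == "d") return n * 86400
      if (u == "w") return n * 604800
      return -1
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                        # [section] header
      sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); section = $0; seen[section] = 1; next
    }
    index($0, "=") == 0 { next }                    # not a key = value line
    {
      key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (section == "") { orphan = key; exit }     # option outside any section
      if (section == jail) opt[key] = val
    }
    END {
      if (orphan != "")    { print "option " orphan " is outside any [section]"; exit 1 }
      if (!(jail in seen)) { print "no [" jail "] section"; exit 1 }
      if (opt["enabled"] != "true") { print "[" jail "] is not enabled"; exit 1 }
      ban = secs(opt["bantime"])
      if (opt["maxretry"] !~ /^[0-9]+$/ || ban <= 0) { print "bad maxretry or bantime"; exit 1 }
      print "ok maxretry=" opt["maxretry"] " bantime=" ban "s"
    }
  ' "$1"
}

# Constructed sample files: the jail from this tutorial, and the same options
# saved without the [sshd] header.
demo=$(mktemp -d)
printf '[sshd]\nenabled = true\nmaxretry = 3\nbantime = 3h\n' > "$demo/good.local"
printf 'enabled = true\nmaxretry = 3\nbantime = 3h\n' > "$demo/bad.local"
check_jail "$demo/good.local" sshd
check_jail "$demo/bad.local" sshd || true
```

On the real server the call would be check_jail /etc/fail2ban/jail.d/sshd.local sshd, run before systemctl restart fail2ban.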

Congratulations! We have successfully installed & configured Fail2Ban in AlmaLinux 9.

Some Useful Commands

To check banned IPs, use the following command:

fail2ban-client status sshd


|- Filter
|  |- Currently failed:	1
|  |- Total failed:	33
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	3
   |- Total banned:	4
   `- Banned IP list:

To unban the IP Address, use the following command:

fail2ban-client unban <ip-address> 

NB. These commands can be used to install and configure Fail2Ban on any Red Hat Enterprise Linux (RHEL) based Linux distro.

