Fail2Ban is a free and open-source intrusion prevention tool written in Python. It watches service logs (for example the sshd authentication log) for failed login attempts, and when a client exceeds a configured number of failures within a time window it bans that client's IP address at the firewall for a set period. It ships filters for many services, including SSH, vsftpd, Apache, and Webmin.
This tutorial walks through installing Fail2Ban on Alma Linux 8, pointing it at Firewalld, and enabling the SSH jail.
Prerequisites
- A server running Alma Linux 8.
- Root (or sudo) access to the server.
Verify Firewalld Installation
Alma Linux 8 typically comes with the Firewalld package pre-installed. Here’s how to verify if it’s running:
systemctl status firewalld
If Firewalld is not running, you might see output such as:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
Start the Firewalld service (the Loaded line shows the unit is disabled, so also run systemctl enable firewalld if the firewall must come back after a reboot):
systemctl start firewalld
Confirm the status with:
systemctl status firewalld
Active status output will resemble:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2022-02-19 08:57:14 UTC; 40s ago
     Docs: man:firewalld(1)
 Main PID: 7214 (firewalld)
    Tasks: 2 (limit: 23696)
   Memory: 27.9M
   CGroup: /system.slice/firewalld.service
           └─7214 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Feb 19 08:57:14 linux systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 19 08:57:14 linux systemd[1]: Started firewalld - dynamic firewall daemon.
To see the active zone and the services it currently allows, use:
firewall-cmd --list-all
Example output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Install Fail2Ban
Fail2Ban is not available in the default Alma Linux repository. It must be installed via the EPEL repository:
dnf install epel-release -y
Once the EPEL repository is enabled, install Fail2Ban together with its Firewalld integration package:
dnf install fail2ban fail2ban-firewalld -y
Start the Fail2Ban service and enable it so it also starts at boot:
systemctl start fail2ban
systemctl enable fail2ban
Verify the service status:
systemctl status fail2ban
The output should confirm it is active:
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-02-19 08:58:34 UTC; 6s ago
     Docs: man:fail2ban(1)
  Process: 7838 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 7840 (fail2ban-server)
    Tasks: 3 (limit: 23696)
   Memory: 10.8M
   CGroup: /system.slice/fail2ban.service
           └─7840 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Feb 19 08:58:34 linux systemd[1]: Starting Fail2Ban Service...
Feb 19 08:58:34 linux systemd[1]: Started Fail2Ban Service.
Feb 19 08:58:35 linux fail2ban-server[7840]: Server ready
Configure Fail2Ban
The main configuration file is /etc/fail2ban/jail.conf. Do not edit it directly: package updates overwrite it, and Fail2Ban reads /etc/fail2ban/jail.local afterwards, with any setting there taking precedence. A common approach is to copy it to jail.local and edit the copy (a jail.local that contains only the settings you change is equally valid and easier to review):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Fail2Ban's stock banaction is iptables-based. The fail2ban-firewalld package installed above drops in /etc/fail2ban/jail.d/00-firewalld.conf, which switches banaction to the firewallcmd-rich-rules action. Fail2Ban reads files in jail.d whether they end in .conf or .local, so the rename below is not strictly required; it marks the file as a local override that a package update will not overwrite:
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Apply changes by restarting the service:
systemctl restart fail2ban
Secure SSH with Fail2Ban
Each protected service is a jail. jail.conf already defines an [sshd] jail, including its filter and log source, but every jail stays disabled until you set enabled = true. maxretry counts failures that occur within findtime (10 minutes by default), and bantime accepts suffixes such as 2h. Create a drop-in for SSH:
nano /etc/fail2ban/jail.d/sshd.local
Add the following configuration:
# Blocks remote hosts for two hours after three failed attempts.
[sshd]
enabled = true
bantime = 2h
maxretry = 3
Save the file and restart Fail2Ban (not SSH) so it loads the new jail:
systemctl restart fail2ban
Verify the configuration with:
fail2ban-client status
Expected output showing the SSH jail:
Status
|- Number of jail:      1
`- Jail list:   sshd
To check for banned IPs within the SSH jail, use:
fail2ban-client status sshd
The output shows the failure counters and the currently banned addresses. The Journal matches line indicates that this build reads sshd events from the systemd journal rather than from /var/log/secure:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 6
|  |- Total failed:     15
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   96.9.67.48 43.154.142.8
To manually unban an IP, enter:
fail2ban-client unban remote-ip-address
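To make the jail settings and the status output above concrete, here is an added example written for this page (it is not Fail2Ban's own code) that models the sshd jail's decision rules in Python: a simplified failregex in the style of filter.d/sshd.conf, maxretry counted inside the findtime window, bantime, and ignoreip, replayed over constructed sshd log lines, plus the unban step from the previous section. The findtime and ignoreip values, the IP addresses, the log lines and the function names are assumptions for illustration.

```python
"""Model of a Fail2Ban sshd jail: filter, findtime/maxretry window, bantime, ignoreip.

Added example for this page; it is not Fail2Ban's own code. The jail values,
addresses and log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Settings in the spirit of /etc/fail2ban/jail.d/sshd.local. findtime and
# ignoreip are assumptions added here (10m is also Fail2Ban's default findtime).
JAIL = {
    "maxretry": 3,
    "findtime": timedelta(minutes=10),
    "bantime": timedelta(hours=2),
    "ignoreip": ["127.0.0.1/8", "::1", "203.0.113.0/24"],  # e.g. your admin network
}

# Simplified failregex in the style of filter.d/sshd.conf (the real filter has
# many more patterns). <host> is the client address the jail would ban.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed sshd log lines in syslog format (no year, as in /var/log/secure).
SAMPLE_LOG = """\
Feb 19 09:00:01 linux sshd[8101]: Failed password for root from 198.51.100.7 port 51122 ssh2
Feb 19 09:00:05 linux sshd[8102]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2
Feb 19 09:00:09 linux sshd[8103]: Accepted publickey for deploy from 203.0.113.5 port 40210 ssh2
Feb 19 09:00:12 linux sshd[8104]: Failed password for root from 198.51.100.7 port 51140 ssh2
Feb 19 09:00:20 linux sshd[8105]: Failed password for root from 198.51.100.7 port 51150 ssh2
Feb 19 09:00:30 linux sshd[8106]: Failed password for root from 192.0.2.9 port 60001 ssh2
Feb 19 09:01:00 linux sshd[8107]: Failed password for admin from 203.0.113.5 port 40222 ssh2
Feb 19 09:01:05 linux sshd[8108]: Failed password for admin from 203.0.113.5 port 40223 ssh2
Feb 19 09:01:10 linux sshd[8109]: Failed password for admin from 203.0.113.5 port 40224 ssh2
Feb 19 09:15:00 linux sshd[8110]: Failed password for root from 192.0.2.9 port 60002 ssh2
Feb 19 09:30:00 linux sshd[8111]: Failed password for root from 192.0.2.9 port 60003 ssh2
""".splitlines()


def is_ignored(host, ignoreip):
    """ignoreip semantics: an address inside any listed network is never banned."""
    addr = ip_address(host)
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def run_jail(lines, jail, year=2022):
    """Replay log lines through the jail.

    Returns (bans, failures): bans maps host -> datetime the ban expires;
    failures maps host -> failure timestamps still inside the findtime window
    (what `fail2ban-client status` reports as 'Currently failed').
    """
    failures = {}
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        host = m["host"]
        if is_ignored(host, jail["ignoreip"]):
            continue  # ignoreip protects you from locking yourself out
        if host in bans and ts < bans[host]:
            continue  # still banned; in reality the firewall drops these packets
        # Keep only failures within findtime of this one, then add this one.
        window = [t for t in failures.get(host, []) if ts - t <= jail["findtime"]]
        window.append(ts)
        failures[host] = window
        if len(window) >= jail["maxretry"]:
            bans[host] = ts + jail["bantime"]
            failures[host] = []  # failure counter resets once the ban fires
    return bans, failures


def jail_status(bans, failures):
    """Roughly the counters that `fail2ban-client status sshd` prints."""
    return {
        "currently_failed": sum(len(v) for v in failures.values()),
        "currently_banned": len(bans),
        "banned_ip_list": sorted(bans),
    }


def unban(bans, host):
    """Equivalent of `fail2ban-client unban <ip>`; True if the host was banned."""
    return bans.pop(host, None) is not None


if __name__ == "__main__":
    bans, failures = run_jail(SAMPLE_LOG, JAIL)
    print(jail_status(bans, failures))
    for host, until in bans.items():
        print(f"{host} banned until {until:%Y-%m-%d %H:%M:%S}")
```

Running it bans 198.51.100.7 at its third failure and leaves 192.0.2.9 alone because its three failures are spread over thirty minutes, outside findtime; 203.0.113.5 is never counted because it falls inside ignoreip. On the real host the equivalent checks are fail2ban-client status sshd for the counters and firewall-cmd --list-rich-rules to confirm the reject rule that the firewallcmd-rich-rules action inserted; before relying on a custom failregex, test it against the real log with fail2ban-regex.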
Conclusion
This guide showed how to install Fail2Ban on Alma Linux 8, point it at Firewalld, and enable the sshd jail. Fail2Ban raises the cost of online password guessing from a single address; it does not replace disabling password authentication in favour of SSH keys, and a distributed attack that stays below maxretry per source address will not be banned. Add your own management addresses to ignoreip so a mistyped password does not lock you out of the server.
FAQ
What is Fail2Ban?
Fail2Ban is an open-source tool that helps prevent brute-force attacks by monitoring system logs and banning suspicious IP addresses through the firewall.
Can Fail2Ban protect other services besides SSH?
Yes, Fail2Ban can be configured to secure other services like vsftpd, Apache, and Webmin among others.
How can I verify the list of banned IP addresses?
You can check the list of banned IPs for a particular jail with fail2ban-client status [jail-name].
How do I remove a banned IP address from the Fail2Ban list?
You can unban a specific IP address with fail2ban-client unban [remote-ip-address].
What should I do after updating the Fail2Ban configuration?
After updating any Fail2Ban configuration, restart the Fail2Ban service with systemctl restart fail2ban for the changes to take effect.