Fail2Ban : Intrusion Prevention System2024/06/20

	Install and configure [Fail2Ban] that is the kind of Intrusion Detection System.
[1]	Install Fail2Ban.

# install from EPEL

[root@dlp ~]#

dnf --enablerepo=epel -y install fail2ban whois

[2]	The default configuration is defined in [/etc/fail2ban/jail.conf]. The default values may change with package updates, so if you want to change the settings, create a [jail.local] file and modify it.

[root@dlp ~]#

vi /etc/fail2ban/jail.conf

# line 87 : ignore your own local IP
#ignoreself = true

# line 92 : possible to add ignored networks
#ignoreip = 127.0.0.1/8 ::1

# line 101 : number of seconds that a host is banned
# - 1m ⇒ 1 minutes
# - 1h ⇒ 1 houer
# - 1d ⇒ 1 day
# - 1mo ⇒ 1 month
# - 1y ⇒ 1 year
bantime  = 10m

# line 105 : A host is banned if it has generated "maxretry" during the last "findtime"
findtime  = 10m

# line 108 : "maxretry" is the number of failures before a host get banned
maxretry = 5

# line 178 : destination email address if enabling email notification
destemail = root@localhost

# line 181 : sender address if enabling email notification
sender = root@<fq-hostname>

# line 263 : default action
# - %(action_)s ⇒ ban only
# - %(action_mw)s ⇒ band and email notification (includes Whois info)
# - %(action_mwl)s ⇒ band and email notification (includes Whois info and logs)
action = %(action_)s

[root@dlp ~]#

vi /etc/fail2ban/jail.local

# create new
# possible to override the default values
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 1d
findtime  = 5m
maxretry = 5
destemail = root@localhost
sender = root@dlp.srv.world

[root@dlp ~]#

systemctl enable --now fail2ban

[3]	If you want to monitor services, add settings. (Default is unset) As an example, set the SSH as the service to be monitored.

[root@dlp ~]#

fail2ban-client status

Status
|- Number of jail:      0
`- Jail list:

[root@dlp ~]#

vi /etc/fail2ban/jail.d/sshd.conf

# create new
[sshd]
enabled = true

# possible to override the default values by service
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

[root@dlp ~]#

systemctl reload fail2ban

# show status

[root@dlp ~]#

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# some hosts that exceed the threshold are banned

[root@dlp ~]#

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.203

# actual ban action is controlled by Firewalld

[root@dlp ~]#

firewall-cmd --list-rich-rules

rule family="ipv4" source address="10.0.0.203" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

# if enabled email notifications, you will receive the following email

[root@dlp ~]#

mail

s-nail version v14.9.22.  Type `?' for help
/var/spool/mail/root: 3 messages 1 new 2 unread
 U  1 Fail2Ban              2024-06-20 16:05   21/546   "[Fail2Ban] sshd: start"
    2 Fail2Ban              2024-06-20 16:06   27/665   "[Fail2Ban] sshd: banne"
N  3 Fail2Ban              2024-06-20 16:10   92/3367  "[Fail2Ban] sshd: banne"
& 3
[-- Message  3 -- 92 lines, 3367 bytes --]:
Subject: [Fail2Ban] sshd: banned 10.0.0.203 from dlp.srv.world
Date: Thu, 20 Jun 2024 16:10:51 +0900
From: Fail2Ban <sender = root@dlp.srv.world>
To: root@localhost
Message-Id: <20240620071051.98B32301E337@dlp.srv.world>

Hi,

The IP 10.0.0.203 has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 10.0.0.203 :
.....
.....

[4]	If you want to manually add or remove banned hosts, run the following.

[root@dlp ~]#

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   10.0.0.203

# unban [10.0.0.203]

[root@dlp ~]#

fail2ban-client set sshd unbanip 10.0.0.203

[root@dlp ~]#

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     2
   `- Banned IP list:

# ban [10.0.0.192/28]

[root@dlp ~]#

fail2ban-client set sshd banip 10.0.0.192/28

[root@dlp ~]#

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     3
   `- Banned IP list:   10.0.0.192/28

# to remove all banned hosts, run like follows

[root@dlp ~]#

fail2ban-client unban --all

[5]	[jail.conf] has many predefined services other than SSH, so you can set them as monitoring targets by specifying the definition name.

[root@dlp ~]#

grep '^\[' /etc/fail2ban/jail.conf | tail -n +3

[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
.....
.....

# for example, set up Apache2 Basic authentication

[root@dlp ~]#

vi /etc/fail2ban/jail.d/apache-auth.conf

# create new

[apache-auth]
enabled = true
bantime  = 600
findtime  = 3m
maxretry = 5
action = %(action_mw)s

# for example, set up Vsftpd

[root@dlp ~]#

vi /etc/fail2ban/jail.d/vsftpd.conf

# create new

[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s

# for example, set up Postfix SASL

[root@dlp ~]#

vi /etc/fail2ban/jail.d/postfix-sasl.conf

# create new

[postfix-sasl]
enabled = true
action = %(action_mw)s

[root@dlp ~]#

systemctl reload fail2ban

[root@dlp ~]#

fail2ban-client status

Status
|- Number of jail:      4
`- Jail list:   apache-auth, postfix-sasl, sshd, vsftpd

# verify settings by failing authentication manually

[root@dlp ~]#

fail2ban-client status apache-auth

Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     10
|  `- File list:        /var/log/httpd/error_log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.0.0.5

[root@dlp ~]#

fail2ban-client status vsftpd

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- Journal matches:  _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   10.0.0.203

Matched Content