Key points
This article will share information related to the following tasks:
- Installing Fail2Ban and the steps involved.
- Configuring Fail2Ban and understanding the parameters used.
- Activating Firewalld support.
- Securing the SSH service with Fail2Ban.
- Testing your Fail2Ban configuration.
- Uninstalling or removing Fail2Ban.
About this Fail2Ban install tutorial
Fail2Ban is a widely used intrusion-prevention tool for Linux. It watches log files or the systemd journal for repeated failures such as brute-force login attempts and, once a source address crosses a threshold, bans that address through the firewall for a configurable period. In this article we walk through installing and configuring Fail2Ban on AlmaLinux to put that layer of defense in front of SSH.
Overview of Linux Fail2Ban setup
Follow the steps below to install and configure Fail2Ban on AlmaLinux.
Prerequisites
Here are the prerequisites to consider before you begin the Fail2Ban install:
- Confirm that your operating system and version is AlmaLinux OS 8.
- Ensure you have root or sudo access to install and configure Fail2Ban on AlmaLinux.
Step #1. Ensure Firewalld is running
The Firewalld package is preinstalled on AlmaLinux, but the service is not necessarily running. Check its status with the following command:
sudo systemctl status firewalld
If the Firewalld service isn't running, the output looks like this:
]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
Now, start the Firewalld service:
sudo systemctl start firewalld
After that, verify the status of the Firewalld service:
sudo systemctl status firewalld
Here is the output:
]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2023-11-25 02:05:29 UTC; 2s ago
     Docs: man:firewalld(1)
 Main PID: 10017 (firewalld)
    Tasks: 2 (limit: 11852)
   Memory: 35.8M
   CGroup: /system.slice/firewalld.service
           └─10017 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started firewalld - dynamic firewall daemon.
Now, list the configuration of the active zone, including the services Firewalld currently allows:
sudo firewall-cmd --list-all
Here is the output:
]# sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
Note that ssh is already among the allowed services and the rich rules list is empty; the bans Fail2Ban applies later will show up here as rich rules.
Step #2. Update the system
Before you proceed with the Fail2Ban installation, make sure your system is up to date. Refresh the package metadata and upgrade the installed packages with:
sudo dnf update
Step #3. Install EPEL
Fail2Ban is not in the AlmaLinux base repositories; it is provided by the EPEL (Extra Packages for Enterprise Linux) repository. Enable EPEL with:
sudo dnf install epel-release
Step #4. Install Fail2Ban
With EPEL enabled, install Fail2Ban together with the fail2ban-firewalld package, which supplies the firewalld-based ban actions used later:
sudo dnf install fail2ban fail2ban-firewalld
Here is the output:
]# sudo dnf install fail2ban fail2ban-firewalld
Extra Packages for Enterprise Linux 8 - x86_64                                                                                                                                                                 27 MB/s |  16 MB     00:00    
Last metadata expiration check: 0:00:06 ago on Sat 25 Nov 2023 02:07:48 AM UTC.
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                          Architecture                               Version                                                                      Repository                                     Size
==============================================================================================================================================================================================================================================
Installing:
 fail2ban                                                         noarch                                     1.0.2-3.el8                                                                  epel                                           21 k
 fail2ban-firewalld                                               noarch                                     1.0.2-3.el8                                                                  epel                                           21 k
Installing dependencies:
 esmtp                                                            x86_64                                     1.2-15.el8                                                                   epel                                           57 k
 fail2ban-selinux                                                 noarch                                     1.0.2-3.el8                                                                  epel                                           41 k
 fail2ban-sendmail                                                noarch                                     1.0.2-3.el8                                                                  epel                                           23 k
 fail2ban-server                                                  noarch                                     1.0.2-3.el8                                                                  epel                                          478 k
 libesmtp                                                         x86_64                                     1.0.6-18.el8                                                                 epel                                           70 k
 liblockfile                                                      x86_64                                     1.14-2.el8                                                                   baseos                                         31 k
 policycoreutils-python-utils                                     noarch                                     2.9-24.el8                                                                   baseos                                        253 k
 python3-pip                                                      noarch                                     9.0.3-23.el8                                                                 appstream                                      19 k
 python3-setuptools                                               noarch                                     39.2.0-7.el8                                                                 baseos                                        162 k
 python36                                                         x86_64                                     3.6.8-38.module_el8.5.0+2569+5c5719bc                                        appstream                                      18 k
Enabling module streams:
 python36                                                                                                    3.6                                                                                                                             
Transaction Summary
==============================================================================================================================================================================================================================================
Install  12 Packages
Total download size: 1.2 M
Installed size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/12): liblockfile-1.14-2.el8.x86_64.rpm                                                                                                                                                                     3.7 MB/s |  31 kB     00:00    
(2/12): python3-pip-9.0.3-23.el8.noarch.rpm                                                                                                                                                                   3.5 MB/s |  19 kB     00:00    
(3/12): python3-setuptools-39.2.0-7.el8.noarch.rpm                                                                                                                                                            8.9 MB/s | 162 kB     00:00    
(4/12): policycoreutils-python-utils-2.9-24.el8.noarch.rpm                                                                                                                                                     11 MB/s | 253 kB     00:00    
(5/12): python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64.rpm                                                                                                                                             1.7 MB/s |  18 kB     00:00    
(6/12): esmtp-1.2-15.el8.x86_64.rpm                                                                                                                                                                           980 kB/s |  57 kB     00:00    
(7/12): fail2ban-selinux-1.0.2-3.el8.noarch.rpm                                                                                                                                                               4.8 MB/s |  41 kB     00:00    
(8/12): fail2ban-sendmail-1.0.2-3.el8.noarch.rpm                                                                                                                                                              2.7 MB/s |  23 kB     00:00    
(9/12): fail2ban-firewalld-1.0.2-3.el8.noarch.rpm                                                                                                                                                             161 kB/s |  21 kB     00:00    
(10/12): fail2ban-1.0.2-3.el8.noarch.rpm                                                                                                                                                                      138 kB/s |  21 kB     00:00    
(11/12): libesmtp-1.0.6-18.el8.x86_64.rpm                                                                                                                                                                     3.0 MB/s |  70 kB     00:00    
(12/12): fail2ban-server-1.0.2-3.el8.noarch.rpm                                                                                                                                                               3.2 MB/s | 478 kB     00:00    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                         2.2 MB/s | 1.2 MB     00:00     
Extra Packages for Enterprise Linux 8 - x86_64                                                                                                                                                                1.6 MB/s | 1.6 kB     00:00    
...
Installed:
  esmtp-1.2-15.el8.x86_64      fail2ban-1.0.2-3.el8.noarch   fail2ban-firewalld-1.0.2-3.el8.noarch          fail2ban-selinux-1.0.2-3.el8.noarch fail2ban-sendmail-1.0.2-3.el8.noarch   fail2ban-server-1.0.2-3.el8.noarch                   
  libesmtp-1.0.6-18.el8.x86_64 liblockfile-1.14-2.el8.x86_64 policycoreutils-python-utils-2.9-24.el8.noarch python3-pip-9.0.3-23.el8.noarch     python3-setuptools-39.2.0-7.el8.noarch python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64
Complete!
Once the installation is complete, start the Fail2Ban service and enable it at boot:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Check the service status with:
sudo systemctl status fail2ban
Here is the output:
]# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-11-25 02:10:29 UTC; 10s ago
     Docs: man:fail2ban(1)
 Main PID: 11425 (fail2ban-server)
    Tasks: 3 (limit: 11852)
   Memory: 10.8M
   CGroup: /system.slice/fail2ban.service
           └─11425 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting Fail2Ban Service...
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started Fail2Ban Service.
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal fail2ban-server[11425]: Server ready
Step #5. Configuring Fail2Ban
Fail2Ban ships its default settings in /etc/fail2ban/jail.conf. Do not edit that file: a package upgrade may replace it and silently drop your changes.
Instead, put your overrides in /etc/fail2ban/jail.local. Fail2Ban reads jail.conf first and then jail.local, so only the parameters you set in jail.local change and everything else keeps the packaged default. Avoid copying the whole of jail.conf into jail.local: that freezes every default at today's value and hides which settings you actually changed.
The file does not exist by default, so create it:
sudo touch /etc/fail2ban/jail.local
Then open it in your preferred text editor:
sudo nano /etc/fail2ban/jail.local
Add the following contents and save the file:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
findtime = 1h
maxretry = 5
5.1. The Ignore IP Address (ignoreip) parameter
The ignoreip parameter lists the IP addresses and networks that Fail2Ban must never ban. The configuration above covers only the loopback addresses (127.0.0.1/8 for IPv4 and ::1 for IPv6), so failures that originate locally are never blocked. Add the address or CIDR range you administer the server from as well; otherwise a few mistyped passwords, yours or a colleague's, will lock you out of SSH for the whole bantime.
5.2. The Ban Time (bantime) parameter
The bantime parameter specifies how long an address stays banned once it has produced maxretry failures within findtime. Values accept time suffixes such as 10m, 1h or 1d (a plain number is seconds), and the value in [DEFAULT] applies to every jail unless a jail overrides it.
5.3. The Find Time (findtime) parameter
The findtime parameter sets the sliding window in which failures are counted: only failures from the last findtime are added up against maxretry, so older attempts expire, and a patient attacker who stays below maxretry per window is not banned.
5.4. The Max Retry (maxretry) parameter
The maxretry parameter defines the maximum number of login failures allowed within the specified findtime before Fail2Ban takes action.
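To make the three parameters concrete, here is an added example (not part of this tutorial) that reimplements Fail2Ban's per-address decision in a few lines of shell and awk and runs it over constructed journal lines in "journalctl -o short-unix" form. The hostname, PIDs and addresses are invented, and two things are deliberately simplified: the failregex matches only "Failed password ... from <HOST>" lines, and the ignore list is a set of exact addresses rather than CIDR ranges. With the tutorial's values (findtime 1h, maxretry 3, bantime 3h) the run bans 192.168.2.105 at its third failure, drops the further failure that arrives while the ban is active, leaves 10.0.0.77 alone because its two failures are more than an hour apart, and never considers 127.0.0.1.

```sh
#!/bin/sh
# Added example, not part of the tutorial: a miniature of the per-address
# decision Fail2Ban makes from findtime, maxretry and bantime, run over
# constructed journal lines in "journalctl -o short-unix" form (first field
# is the epoch timestamp). Hostname "alma", PIDs and addresses are made up.

# Constructed input: four failures from 192.168.2.105 within seconds, two
# failures from 10.0.0.77 more than an hour apart, one from loopback.
SAMPLE_JOURNAL='1700878500.000000 alma sshd[1201]: Failed password for sample_user from 192.168.2.105 port 51234 ssh2
1700878503.000000 alma sshd[1201]: Failed password for sample_user from 192.168.2.105 port 51234 ssh2
1700878506.000000 alma sshd[1201]: Failed password for sample_user from 192.168.2.105 port 51234 ssh2
1700878510.000000 alma sshd[1205]: Failed password for invalid user admin from 10.0.0.77 port 40000 ssh2
1700878512.000000 alma sshd[1207]: Failed password for sample_user from 192.168.2.105 port 51240 ssh2
1700878520.000000 alma sshd[1209]: Accepted publickey for ops from 192.168.2.10 port 51300 ssh2
1700882200.000000 alma sshd[1300]: Failed password for invalid user admin from 10.0.0.77 port 40001 ssh2
1700882205.000000 alma sshd[1301]: Failed password for root from 127.0.0.1 port 40002 ssh2'

# simulate_jail FINDTIME MAXRETRY BANTIME [IGNORED_IP ...]  < journal-lines
# All times are seconds. Prints "BAN <ip> <epoch>" for every ban decision.
simulate_jail() {
  findtime=$1; maxretry=$2; bantime=$3; shift 3
  awk -v findtime="$findtime" -v maxretry="$maxretry" -v bantime="$bantime" -v ignore="$*" '
    BEGIN { n = split(ignore, tmp, " "); for (i = 1; i <= n; i++) ignored[tmp[i]] = 1 }
    # failregex in miniature: only password failures with a source host count
    /sshd\[[0-9]+\]: Failed password for .* from [0-9A-Fa-f.:]+ port [0-9]+/ {
      t = int($1); ip = ""
      for (i = 2; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in ignored)) next
      # a banned address is blocked at the firewall, so nothing more is logged
      # for it until bantime has elapsed
      if ((ip in banned_until) && t < banned_until[ip]) next
      nf[ip]++; fails[ip, nf[ip]] = t
      # only failures inside the sliding findtime window count toward maxretry
      c = 0
      for (k = 1; k <= nf[ip]; k++) if (fails[ip, k] >= t - findtime) c++
      if (c >= maxretry) {
        printf "BAN %s %d\n", ip, t
        banned_until[ip] = t + bantime
        nf[ip] = 0   # the failure counter restarts after a ban
      }
    }'
}

# Example run with the tutorial values: findtime 1h, maxretry 3, bantime 3h.
# printf '%s\n' "$SAMPLE_JOURNAL" | simulate_jail 3600 3 10800 127.0.0.1 ::1
```

Rerunning the same input with findtime 7200 and maxretry 2 bans 10.0.0.77 as well, because its two failures now fall inside one window; adding 192.168.2.105 to the ignore list produces no bans at all. That is exactly the trade-off the real parameters express: a longer findtime and lower maxretry catch slow attackers sooner but also make an honest typo-prone user easier to lock out.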
5.5. Activating Firewalld support
Fail2Ban's packaged default ban action uses iptables. The fail2ban-firewalld package you installed ships the drop-in /etc/fail2ban/jail.d/00-firewalld.conf, which switches banaction to firewallcmd-rich-rules so that bans are applied as firewalld rich rules. Fail2Ban reads its configuration in the order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, so renaming the drop-in to .local makes it take precedence over jail.local and over any other .conf drop-in, and keeps a package update from overwriting it:
sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
5.6. Restarting the Fail2Ban service
Then, restart the Fail2Ban service to apply the changes:
sudo systemctl restart fail2ban
Step #6. Securing the SSH service with Fail2Ban
Fail2Ban does not ban any remote host until you enable a jail for the service you want to protect. Per-jail drop-ins live in the /etc/fail2ban/jail.d directory; .local files there are read after jail.local, so a value set in a drop-in overrides the same value in jail.local.
To protect the SSH service, create a drop-in for the sshd jail:
sudo nano /etc/fail2ban/jail.d/sshd.local
Then paste the following lines:
# This configuration will block the remote host for 3 hours after 3 failed SSH login attempts. 
[sshd]
enabled = true
bantime = 3h
maxretry = 3
When you're finished, save and close the file, then restart Fail2Ban (not sshd) so the new jail is loaded:
sudo systemctl restart fail2ban
Next, use the fail2ban-client command-line tool to verify that the jail is active:
sudo fail2ban-client status
Here is the output:
]# sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
Use the following command to inspect the sshd jail, including any banned IP addresses:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
The Journal matches line confirms that the jail reads sshd failures straight from the systemd journal, so no logpath setting is needed on AlmaLinux 8. To unban an address manually, use:
sudo fail2ban-client unban remote-ip-address
You can also use the get option to read back a jail parameter, for example the sshd jail's maxretry value:
sudo fail2ban-client get sshd maxretry
Here is the output:
]# sudo fail2ban-client get sshd maxretry
3
The value 3 matches what you set in sshd.local. The same command with actions in place of maxretry (sudo fail2ban-client get sshd actions) should list firewallcmd-rich-rules, confirming that bans go through firewalld rather than iptables. If you want to install Fail2Ban on Ubuntu instead, see the article How to install and configure Fail2Ban on Ubuntu Server 16.04.
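Putting Steps 5 and 6 together, the following added script (not part of the tutorial or of the Fail2Ban project) renders a jail.local that combines the [DEFAULT] and [sshd] settings above, refuses to proceed unless an administrator address or CIDR is supplied for ignoreip, validates the full configuration with fail2ban-client -t before reloading, and cross-checks the sshd jail's banned list against the firewalld rich rules so a ban that was recorded but not enforced (firewalld stopped, or the 00-firewalld drop-in missing) is caught. The admin network 203.0.113.0/24 and the sample command outputs are placeholders; bantime.increment is a Fail2Ban 0.11+ feature and is available in the 1.0.2 build installed here. If you keep the separate jail.d/sshd.local from Step 6, its values override the [sshd] block rendered here, because jail.d files are read last.

```sh
#!/bin/sh
# Added example, not the tutorial's own files: render a jail.local that keeps
# the administrator's network in ignoreip, gate it behind fail2ban's
# configuration dry run before reloading, and cross-check that every address
# the sshd jail reports as banned really has a firewalld rich rule.
# 203.0.113.0/24 and the sample outputs below are made up.

# render_jail_local ADMIN_CIDR [ADMIN_CIDR ...]: print a jail.local body.
# Refuses to run without an admin address: a jail that does not ignore the
# network you manage from will eventually lock you out for a full bantime.
render_jail_local() {
  [ $# -ge 1 ] || { echo "render_jail_local: admin IP/CIDR required" >&2; return 1; }
  for a in "$@"; do
    case $a in
      ""|*[!0-9A-Fa-f.:/]*) echo "render_jail_local: bad address '$a'" >&2; return 1 ;;
    esac
  done
  cat <<EOF
[DEFAULT]
# never ban loopback or the networks we administer from
ignoreip = 127.0.0.1/8 ::1 $*
bantime = 1h
findtime = 1h
maxretry = 5
# repeat offenders get progressively longer bans (fail2ban 0.11 and later)
bantime.increment = true
bantime.maxtime = 1d

[sshd]
enabled = true
bantime = 3h
maxretry = 3
EOF
}

# apply_jail_local ADMIN_CIDR...: install the rendered file, run the
# configuration test ("fail2ban-client -t") and roll back if it fails, then
# reload the running server instead of restarting it. Needs root.
apply_jail_local() {
  f=/etc/fail2ban/jail.local
  body=$(render_jail_local "$@") || return 1
  [ -f "$f" ] && cp -p "$f" "$f.bak"
  printf '%s\n' "$body" > "$f"
  if ! fail2ban-client -t >/dev/null; then
    echo "configuration rejected, restoring previous jail.local" >&2
    [ -f "$f.bak" ] && mv "$f.bak" "$f"
    return 1
  fi
  fail2ban-client reload && fail2ban-client get sshd ignoreip
}

# unenforced_bans STATUS_TEXT RULES_TEXT: given the output of
# "fail2ban-client status sshd" and "firewall-cmd --list-rich-rules",
# print each banned address that has no rich rule naming it as source.
# Returns 1 when at least one ban is not enforced, 0 otherwise.
unenforced_bans() {
  banned=$(printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p')
  missing=0
  for ip in $banned; do
    pattern="source address=[\"']$(printf '%s' "$ip" | sed 's/\./\\./g')[\"']"
    if ! printf '%s\n' "$2" | grep -q "$pattern"; then
      echo "$ip"; missing=1
    fi
  done
  return $missing
}

# check_live [JAIL]: run the cross-check against the live system (root).
check_live() {
  unenforced_bans "$(fail2ban-client status "${1:-sshd}")" "$(firewall-cmd --list-rich-rules)"
}

# Constructed sample outputs: two bans recorded, only one rich rule present.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   192.168.2.105 10.0.0.77'
SAMPLE_RULES='rule family="ipv4" source address="192.168.2.105" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"'
```

Run "apply_jail_local 203.0.113.0/24" as root to deploy; the final get call echoes the ignore list the server actually loaded, which is the value to double-check before you log out. "check_live" is cheap enough to run from cron or a monitoring agent: a non-zero exit with addresses on stdout means Fail2Ban believes it has banned hosts that the firewall is still letting through.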
Step #7. Testing your Fail2Ban configuration
With the sshd jail in place, test it by deliberately failing three SSH logins. Do this from a host you can afford to lose access from for the whole bantime (3 hours here), never from the workstation you administer the server with, and make sure that host is not listed in ignoreip, or the ban will never trigger. In the session below the server is 192.168.2.103 and the client is 192.168.2.105. sshd itself closes the connection after its third password prompt; Fail2Ban then sees the three failures in the journal and bans the client, so every further connection attempt is rejected by the firewall until the ban expires:
admin@noufal ~]# ssh sample_user@192.168.2.103
sample_user@192.168.2.103's password: 
Permission denied, please try again.
sample_user@192.168.2.103's password: 
Permission denied, please try again.
sample_user@192.168.2.103's password: 
sample_user@192.168.2.103: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
admin@noufal ~]#
On the server, check the jail's status to see the banned client:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	3
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	192.168.2.105
The client's address is now banned. Use the following command to unban it and remove it from the jail:
sudo fail2ban-client unban 192.168.2.105
Here is the output (the number is the count of addresses that were unbanned):
]# sudo fail2ban-client unban 192.168.2.105
1
Recheck the jail status to confirm the client is no longer on the banned IP list:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	3
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	1
   `- Banned IP list:	
How to uninstall or remove Fail2Ban
Stop and disable the service first (sudo systemctl disable --now fail2ban) so the running server shuts down cleanly and withdraws its ban rules from firewalld, then remove the package. Note that removing only the fail2ban meta-package, as shown below, leaves fail2ban-server, fail2ban-firewalld and fail2ban-selinux installed (compare the Removed list with the Installed list from Step 4); use sudo dnf remove 'fail2ban*' if you want every Fail2Ban package gone.
sudo dnf remove fail2ban
Here is the output:
]# sudo dnf remove fail2ban
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                         Architecture                                         Version                                                     Repository                                             Size
==============================================================================================================================================================================================================================================
Removing:
 fail2ban                                                        noarch                                               1.0.2-3.el8                                                 @epel                                                   0  
Removing unused dependencies:
 esmtp                                                           x86_64                                               1.2-15.el8                                                  @epel                                                 100 k
 fail2ban-sendmail                                               noarch                                               1.0.2-3.el8                                                 @epel                                                  12 k
 libesmtp                                                        x86_64                                               1.0.6-18.el8                                                @epel                                                 160 k
 liblockfile                                                     x86_64                                               1.14-2.el8                                                  @baseos                                                51 k
Transaction Summary
==============================================================================================================================================================================================================================================
Remove  5 Packages
Freed space: 323 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                      1/1 
  Erasing          : fail2ban-1.0.2-3.el8.noarch                                                                                                                                                                                          1/5 
  Erasing          : fail2ban-sendmail-1.0.2-3.el8.noarch                                                                                                                                                                                 2/5 
  Running scriptlet: esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              3/5 
  Erasing          : esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              3/5 
  Erasing          : libesmtp-1.0.6-18.el8.x86_64                                                                                                                                                                                         4/5 
  Erasing          : liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 
  Running scriptlet: liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 
  Verifying        : esmtp-1.2-15.el8.x86_64                                                                                                                                                                                              1/5 
  Verifying        : fail2ban-1.0.2-3.el8.noarch                                                                                                                                                                                          2/5 
  Verifying        : fail2ban-sendmail-1.0.2-3.el8.noarch                                                                                                                                                                                 3/5 
  Verifying        : libesmtp-1.0.6-18.el8.x86_64                                                                                                                                                                                         4/5 
  Verifying        : liblockfile-1.14-2.el8.x86_64                                                                                                                                                                                        5/5 
Removed:
  esmtp-1.2-15.el8.x86_64                  fail2ban-1.0.2-3.el8.noarch                  fail2ban-sendmail-1.0.2-3.el8.noarch                  libesmtp-1.0.6-18.el8.x86_64                  liblockfile-1.14-2.el8.x86_64                 
Complete!
Then remove the configuration directory, which also deletes your jail.local and jail.d customizations:
sudo rm -r /etc/fail2ban
Fail2Ban keeps its ban database under /var/lib/fail2ban; remove that directory as well if you want no trace of the previous bans left behind.