Key points
This article covers the following tasks:
- Installing Fail2Ban and the steps involved.
- Configuring Fail2Ban and understanding the parameters used.
- Activating Firewalld support.
- Securing the SSH service with Fail2Ban.
- Testing your Fail2Ban configuration.
- Uninstalling or removing Fail2Ban.
About this Fail2Ban install tutorial
Fail2Ban is a widely used security tool that protects Linux systems against brute-force attacks and other unauthorized access attempts by scanning logs for repeated failures and banning the offending source addresses. In this article, we'll walk you through installing Fail2Ban on an AlmaLinux system to add a further layer of defense against such threats.
Overview of Linux Fail2Ban setup
You can install Fail2Ban on AlmaLinux by following the steps below.
Prerequisites
Here are the prerequisites to consider before you begin the Fail2Ban install:
- Confirm that you are running AlmaLinux OS 8.
- Ensure you have root or sudo access to install and configure Fail2Ban on AlmaLinux.
Step #1. Ensure Firewalld is running
The Firewalld package is preinstalled by default on AlmaLinux. First, check whether it is running or not. You can check the Firewalld service status using the following command:
sudo systemctl status firewalld
If the Firewalld service isn't running, the following output will be displayed:
]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Now, start the Firewalld service using the following command:
sudo systemctl start firewalld
After that, verify the status of the Firewalld service:
sudo systemctl status firewalld
Here is the output:
]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-11-25 02:05:29 UTC; 2s ago
Docs: man:firewalld(1)
Main PID: 10017 (firewalld)
Tasks: 2 (limit: 11852)
Memory: 35.8M
CGroup: /system.slice/firewalld.service
└─10017 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 02:05:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started firewalld - dynamic firewall daemon.
Now, use the following command to list all services configured by Firewalld:
sudo firewall-cmd --list-all
Here is the output:
]# sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Step #2. Update the system
Before you proceed with the Fail2Ban installation, ensure your system is up to date. To refresh your package lists and upgrade existing packages, use the following command:
sudo dnf update
Step #3. Install EPEL
The Fail2Ban package is not available in the default AlmaLinux repositories, so you need to install it from the EPEL repository. You can enable the EPEL repo using the following command:
sudo dnf install epel-release
Step #4. Install Fail2Ban
After enabling the EPEL repo, use the following command to install Fail2Ban together with the fail2ban-firewalld package, which provides the Firewalld ban actions:
sudo dnf install fail2ban fail2ban-firewalld
Here is the output:
]# sudo dnf install fail2ban fail2ban-firewalld
Extra Packages for Enterprise Linux 8 - x86_64 27 MB/s | 16 MB 00:00
Last metadata expiration check: 0:00:06 ago on Sat 25 Nov 2023 02:07:48 AM UTC.
Dependencies resolved.
==============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================================================================================================
Installing:
fail2ban noarch 1.0.2-3.el8 epel 21 k
fail2ban-firewalld noarch 1.0.2-3.el8 epel 21 k
Installing dependencies:
esmtp x86_64 1.2-15.el8 epel 57 k
fail2ban-selinux noarch 1.0.2-3.el8 epel 41 k
fail2ban-sendmail noarch 1.0.2-3.el8 epel 23 k
fail2ban-server noarch 1.0.2-3.el8 epel 478 k
libesmtp x86_64 1.0.6-18.el8 epel 70 k
liblockfile x86_64 1.14-2.el8 baseos 31 k
policycoreutils-python-utils noarch 2.9-24.el8 baseos 253 k
python3-pip noarch 9.0.3-23.el8 appstream 19 k
python3-setuptools noarch 39.2.0-7.el8 baseos 162 k
python36 x86_64 3.6.8-38.module_el8.5.0+2569+5c5719bc appstream 18 k
Enabling module streams:
python36 3.6
Transaction Summary
==============================================================================================================================================================================================================================================
Install 12 Packages
Total download size: 1.2 M
Installed size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/12): liblockfile-1.14-2.el8.x86_64.rpm 3.7 MB/s | 31 kB 00:00
(2/12): python3-pip-9.0.3-23.el8.noarch.rpm 3.5 MB/s | 19 kB 00:00
(3/12): python3-setuptools-39.2.0-7.el8.noarch.rpm 8.9 MB/s | 162 kB 00:00
(4/12): policycoreutils-python-utils-2.9-24.el8.noarch.rpm 11 MB/s | 253 kB 00:00
(5/12): python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64.rpm 1.7 MB/s | 18 kB 00:00
(6/12): esmtp-1.2-15.el8.x86_64.rpm 980 kB/s | 57 kB 00:00
(7/12): fail2ban-selinux-1.0.2-3.el8.noarch.rpm 4.8 MB/s | 41 kB 00:00
(8/12): fail2ban-sendmail-1.0.2-3.el8.noarch.rpm 2.7 MB/s | 23 kB 00:00
(9/12): fail2ban-firewalld-1.0.2-3.el8.noarch.rpm 161 kB/s | 21 kB 00:00
(10/12): fail2ban-1.0.2-3.el8.noarch.rpm 138 kB/s | 21 kB 00:00
(11/12): libesmtp-1.0.6-18.el8.x86_64.rpm 3.0 MB/s | 70 kB 00:00
(12/12): fail2ban-server-1.0.2-3.el8.noarch.rpm 3.2 MB/s | 478 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.2 MB/s | 1.2 MB 00:00
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Installed:
esmtp-1.2-15.el8.x86_64 fail2ban-1.0.2-3.el8.noarch fail2ban-firewalld-1.0.2-3.el8.noarch fail2ban-selinux-1.0.2-3.el8.noarch fail2ban-sendmail-1.0.2-3.el8.noarch fail2ban-server-1.0.2-3.el8.noarch
libesmtp-1.0.6-18.el8.x86_64 liblockfile-1.14-2.el8.x86_64 policycoreutils-python-utils-2.9-24.el8.noarch python3-pip-9.0.3-23.el8.noarch python3-setuptools-39.2.0-7.el8.noarch python36-3.6.8-38.module_el8.5.0+2569+5c5719bc.x86_64
Complete!
Once the Fail2Ban installation is complete, use the following commands to start and enable the Fail2Ban service:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
You can use the following command to check the Fail2Ban service's status:
sudo systemctl status fail2ban
Here is the output:
]# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2023-11-25 02:10:29 UTC; 10s ago
Docs: man:fail2ban(1)
Main PID: 11425 (fail2ban-server)
Tasks: 3 (limit: 11852)
Memory: 10.8M
CGroup: /system.slice/fail2ban.service
└─11425 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Starting Fail2Ban Service...
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal systemd[1]: Started Fail2Ban Service.
Nov 25 02:10:29 ip-172-31-27-69.us-east-2.compute.internal fail2ban-server[11425]: Server ready
Step #5. Configuring Fail2Ban
The main configuration file for Fail2Ban is /etc/fail2ban/jail.conf. It defines the default settings for Fail2Ban and its jails, but we do not edit this file because a package upgrade may replace it.
Instead, create a custom configuration file, /etc/fail2ban/jail.local. This is the file where all customizations to Fail2Ban's settings should go: any value set in jail.local overrides the corresponding value in jail.conf, and the file survives package upgrades.
By default, /etc/fail2ban/jail.local does not exist, but Fail2Ban looks for it and reads its contents if it is present:
sudo touch /etc/fail2ban/jail.local
Then, open the jail.local file using your favorite text editor:
sudo nano /etc/fail2ban/jail.local
Add the following contents, and save the file:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
findtime = 1h
maxretry = 5
5.1. The Ignore IP Address (ignoreip) parameter
The ignoreip parameter provides a list of IP addresses that Fail2Ban should never ban. This configuration tells it to ignore the loopback addresses (127.0.0.1/8 for IPv4 and ::1 for IPv6), so failed attempts originating from these addresses will not be blocked.
5.2. The Ban Time (bantime) parameter
The bantime parameter specifies the duration an IP address will be banned if it exceeds the maximum number of allowed login attempts (maxretry) within the defined findtime.
5.3. The Find Time (findtime) parameter
The findtime parameter sets the time window during which Fail2Ban monitors for repeated login failures.
5.4. The Max Retry (maxretry) parameter
The maxretry parameter defines the maximum number of login failures allowed within the specified findtime before Fail2Ban takes action.
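As an added illustration (not part of the original tutorial), the following shell script models how findtime and maxretry interact: it counts failures per source inside a trailing findtime window and reports the moment a source would be banned. The "<epoch> <ip>" input format and the sample addresses are constructed assumptions; real Fail2Ban derives these events from the journal through the sshd filter.

```shell
# Added example (not from the article): a shell/awk model of Fail2Ban's
# findtime/maxretry decision. Assumption: stdin carries "<epoch> <ip>" lines,
# one per failed login, in time order.

# Constructed sample (not real log data): time-ordered failed SSH logins.
sample_failures() {
cat <<'EOF'
1700877000 198.51.100.7
1700877600 203.0.113.10
1700877660 203.0.113.10
1700877700 127.0.0.1
1700877720 203.0.113.10
1700877780 203.0.113.10
1700877840 203.0.113.10
1700878000 198.51.100.7
1700879000 198.51.100.7
1700880000 198.51.100.7
EOF
}

# Convert a jail.local duration (1h, 10m, 30s, 1d or bare seconds) to seconds.
to_seconds() {
  case "$1" in
    *d) echo $(( ${1%d} * 86400 )) ;;
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# would_ban MAXRETRY FINDTIME: prints each IP once, at the failure that brings
# its count within the trailing FINDTIME window up to MAXRETRY.
# Loopback sources are skipped, mirroring the ignoreip setting above.
would_ban() {
  awk -v maxretry="$1" -v findtime="$(to_seconds "$2")" '
    $2 == "127.0.0.1" || $2 == "::1" { next }       # ignoreip
    {
      ip = $2; t = $1
      n[ip]++; ts[ip, n[ip]] = t
      c = 0                                           # failures in (t-findtime, t]
      for (i = 1; i <= n[ip]; i++) if (ts[ip, i] > t - findtime) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# DEFAULT values from jail.local above: only 203.0.113.10 gets banned;
# 198.51.100.7 fails repeatedly but never 5 times inside one hour.
sample_failures | would_ban 5 1h
```

Running the same data with the stricter sshd jail values from Step 6 (maxretry = 3) bans 198.51.100.7 as well, which is the practical effect of overriding the DEFAULT section per jail.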
5.5. Activating Firewalld support
Fail2Ban uses iptables as its banning backend by default. To switch it to Firewalld, which is the firewall running on AlmaLinux, enable the configuration shipped by the fail2ban-firewalld package with the following command:
sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
5.6. Restarting the Fail2Ban service
Then, restart the Fail2Ban service to apply the changes:
sudo systemctl restart fail2ban
Step #6. Securing the SSH service with Fail2Ban
Fail2Ban does not block any remote host by default; a jail must be enabled for each service you want to protect. Jail-specific configuration lives in the /etc/fail2ban/jail.d directory, and settings placed there override the values in jail.local.
To secure the SSH service, use the following command to create a jail configuration file for SSH:
sudo nano /etc/fail2ban/jail.d/sshd.local
Then, paste the following lines:
# This configuration will block the remote host for 3 hours after 3 failed SSH login attempts.
[sshd]
enabled = true
bantime = 3h
maxretry = 3
When you're finished, save and close the file, then restart the Fail2Ban service to apply the changes:
sudo systemctl restart fail2ban
Next, use the fail2ban-client command-line tool to verify the jail configuration status:
sudo fail2ban-client status
Here is the output:
]# sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
Use the following command to check the SSH jail for any banned IP addresses:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
If you want to unban the IP address manually, use the following command:
sudo fail2ban-client unban remote-ip-address
Additionally, you can use the get option to verify the sshd jail's maxretry value:
sudo fail2ban-client get sshd maxretry
Here is the output:
]# sudo fail2ban-client get sshd maxretry
3
The displayed value of 3 should match the value you set in the sshd.local file. If you want to learn how to install Fail2Ban on Ubuntu, please read the article How to install and configure Fail2Ban on Ubuntu Server 16.04.
Step #7. Testing your Fail2Ban configuration
After configuring Fail2Ban and creating a jail configuration file for the SSH service, we'll run a test by simulating three failed logins, entering an incorrect password at each prompt. So, go to a remote Linux system and try to log in with an incorrect password. After three failed attempts, the connection is dropped, and any subsequent attempts to reconnect are blocked until the ban time expires:
admin@noufal ~]# ssh sample_user@192.168.2.103
sample_user@192.168.2.103's password:
Permission denied, please try again.
sample_user@192.168.2.103's password:
Permission denied, please try again.
sample_user@192.168.2.103's password:
sample_user@192.168.2.103: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
admin@noufal ~]#
Check the jail's status to learn more about the restricted client systems:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.2.105
Use the following command to unban or remove the client from the jail:
sudo fail2ban-client unban 192.168.2.105
Here is the output:
]# sudo fail2ban-client unban 192.168.2.105
1
Recheck the jail status to confirm that the client is no longer on the banned IP list:
sudo fail2ban-client status sshd
Here is the output:
]# sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
How to uninstall or remove Fail2Ban
To uninstall Fail2Ban, use the following command:
sudo dnf remove fail2ban
Here is the output:
]# sudo dnf remove fail2ban
Dependencies resolved.
==============================================================================================================================================================================================================================================
Package Architecture Version Repository Size
==============================================================================================================================================================================================================================================
Removing:
fail2ban noarch 1.0.2-3.el8 @epel 0
Removing unused dependencies:
esmtp x86_64 1.2-15.el8 @epel 100 k
fail2ban-sendmail noarch 1.0.2-3.el8 @epel 12 k
libesmtp x86_64 1.0.6-18.el8 @epel 160 k
liblockfile x86_64 1.14-2.el8 @baseos 51 k
Transaction Summary
==============================================================================================================================================================================================================================================
Remove 5 Packages
Freed space: 323 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : fail2ban-1.0.2-3.el8.noarch 1/5
Erasing : fail2ban-sendmail-1.0.2-3.el8.noarch 2/5
Running scriptlet: esmtp-1.2-15.el8.x86_64 3/5
Erasing : esmtp-1.2-15.el8.x86_64 3/5
Erasing : libesmtp-1.0.6-18.el8.x86_64 4/5
Erasing : liblockfile-1.14-2.el8.x86_64 5/5
Running scriptlet: liblockfile-1.14-2.el8.x86_64 5/5
Verifying : esmtp-1.2-15.el8.x86_64 1/5
Verifying : fail2ban-1.0.2-3.el8.noarch 2/5
Verifying : fail2ban-sendmail-1.0.2-3.el8.noarch 3/5
Verifying : libesmtp-1.0.6-18.el8.x86_64 4/5
Verifying : liblockfile-1.14-2.el8.x86_64 5/5
Removed:
esmtp-1.2-15.el8.x86_64 fail2ban-1.0.2-3.el8.noarch fail2ban-sendmail-1.0.2-3.el8.noarch libesmtp-1.0.6-18.el8.x86_64 liblockfile-1.14-2.el8.x86_64
Complete!
Then, remove the configuration files with this command:
sudo rm -r /etc/fail2ban