Fail2Ban scans log files and bans IP addresses that generate too many authentication failures. It does this by adding firewall rules that reject traffic from the offending address. Which logs are watched, how many failures are tolerated and how long a ban lasts can all be defined by the user. Fail2Ban can read multiple log files, such as the sshd or Apache web server logs.
How to: Install and Configure Fail2Ban
Downloading and Installing Fail2Ban
You can use the built-in package manager to install Fail2Ban.
On Debian/Ubuntu:
apt-get install fail2ban
On CentOS (the package lives in the EPEL repository, so enable that first):
yum install epel-release
yum install fail2ban fail2ban-systemd
Configuring Fail2Ban Settings
Fail2Ban will operate with default settings, but there are certain settings which may be of interest to edit.
Instead of editing the /etc/fail2ban/jail.conf file directly we will make a copy, /etc/fail2ban/jail.local, and edit that; jail.conf is replaced on package upgrades, so local changes made there would be lost.
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Note: The .local file settings override the .conf ones.
To open the file using nano, enter the command
nano /etc/fail2ban/jail.local
A typical jail configuration will look like:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
There are a few important settings to take note of:
- ignoreip: addresses Fail2Ban will never ban. If you connect from a static IP address, add it here so that your own failed attempts cannot lock you out.
- bantime: the duration, in seconds, for which an address stays banned.
- findtime: the window, in seconds, over which failed attempts from one address are counted.
- maxretry: the number of failures allowed within findtime; the address is banned when it reaches this count.
Configure these settings to your desired values to customize how your Fail2Ban operates.
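As an added example (not from the original page or the Fail2Ban project) of how findtime, maxretry and ignoreip interact, the shell function below replays constructed sshd log lines through a simplified version of the sshd jail's counting logic. It assumes all lines fall on one day, so the time of day is enough to compute intervals; it matches ignoreip entries as exact addresses only (real Fail2Ban also accepts CIDR masks and DNS names); and it does not model bantime, because the simulation stops counting an address once it is banned.

```shell
#!/bin/sh
# Added example, not the page's or Fail2Ban's own code: replay sshd failures
# through a simplified findtime/maxretry/ignoreip check.
# Assumptions: all log lines fall on the same day (only the time of day is
# parsed); ignoreip entries are exact addresses, not CIDR masks or DNS names;
# bantime is not modelled, a banned address is simply no longer counted.

# Constructed sample log lines using documentation addresses, not real hosts.
SAMPLE_LOG='Jan 10 12:00:01 vps sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 12:00:45 vps sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 10 12:01:30 vps sshd[2003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 12:05:00 vps sshd[2004]: Failed password for root from 198.51.100.9 port 51004 ssh2
Jan 10 12:20:00 vps sshd[2005]: Failed password for root from 198.51.100.9 port 51005 ssh2
Jan 10 12:35:00 vps sshd[2006]: Failed password for root from 198.51.100.9 port 51006 ssh2
Jan 10 12:40:00 vps sshd[2007]: Accepted publickey for deploy from 192.0.2.10 port 51007 ssh2
Jan 10 12:41:00 vps sshd[2008]: Failed password for root from 192.0.2.10 port 51008 ssh2
Jan 10 12:41:10 vps sshd[2009]: Failed password for root from 192.0.2.10 port 51009 ssh2
Jan 10 12:41:20 vps sshd[2010]: Failed password for root from 192.0.2.10 port 51010 ssh2
Jan 10 12:41:30 vps sshd[2011]: Failed password for root from 192.0.2.10 port 51011 ssh2'

# simulate_jail FINDTIME MAXRETRY "IGNOREIP LIST" < logfile
# Prints each address, one per line, at the moment it would be banned.
simulate_jail() {
  awk -v findtime="$1" -v maxretry="$2" -v ignorelist="$3" '
    BEGIN {
      n = split(ignorelist, ign, " ")
      for (i = 1; i <= n; i++) ignore[ign[i]] = 1
    }
    /sshd\[[0-9]+\]: Failed password/ {
      # $3 is HH:MM:SS; convert to seconds since midnight (same-day assumption).
      split($3, hms, ":")
      t = hms[1] * 3600 + hms[2] * 60 + hms[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in ignore) || (ip in banned)) next
      # Record this failure and count how many fall inside the findtime window.
      cnt[ip]++
      ts[ip, cnt[ip]] = t
      recent = 0
      for (j = 1; j <= cnt[ip]; j++) if (t - ts[ip, j] <= findtime) recent++
      if (recent >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Usage with the [DEFAULT] values from the jail above (findtime 600, maxretry 3)
# and the admin host 192.0.2.10 added to ignoreip. Prints: 203.0.113.7
printf '%s\n' "$SAMPLE_LOG" | simulate_jail 600 3 "127.0.0.1 192.0.2.10"
```

With findtime = 600 and maxretry = 3 only 203.0.113.7 is banned. 198.51.100.9 spaces its failures fifteen minutes apart and never has three inside one window, which is the slow brute-force pattern a short findtime misses; raising findtime to 3600 catches it as well. 192.0.2.10 exceeds the threshold but is protected by ignoreip, and would be banned if it were dropped from that list.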
On CentOS no jail is enabled by default, so the sshd jail has to be enabled in the local configuration. The same section works on Debian/Ubuntu, where the distribution defaults already enable it.
1. Create a local jail configuration for sshd, for example as an [sshd] section in /etc/fail2ban/jail.local.
2. Apply the settings:
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
The commented-out action line selects the firewalld/ipset ban action; uncomment it on hosts that manage the firewall with firewalld rather than plain iptables. logpath uses the sshd_log variable from Fail2Ban's paths-*.conf files, so it resolves to /var/log/auth.log on Debian/Ubuntu and /var/log/secure on CentOS without any per-distribution editing.
Note: Make sure you restart the Fail2Ban service for configuration changes to take effect.
On SysV init systems:
service fail2ban restart
On systemd systems:
systemctl restart fail2ban
Now that Fail2Ban is up and running there are a few useful commands to be aware of. Fail2Ban uses fail2ban-client for most operations.
1. To check which jails are running
fail2ban-client status
2. To check the ssh jail status and get a list of banned IPs. The jail is named ssh in older Fail2Ban releases and sshd in current ones, so use whichever name the status command above lists.
fail2ban-client -v status ssh
fail2ban-client -v status sshd
3. You can also check iptables for a list of banned IPs. Fail2Ban keeps its rules in a chain per jail (f2b-sshd for the sshd jail in current releases), so the banned addresses show up as REJECT rules in that chain.
iptables -L -n
4. To remove a banned IP from the ssh jail
fail2ban-client set ssh unbanip IPADDRESS
fail2ban-client set sshd unbanip IPADDRESS
5. To manually ban an IP
fail2ban-client set ssh banip IPADDRESS
fail2ban-client set sshd banip IPADDRESS
Note: Refer to the Fail2Ban manual pages for more detailed command information
man fail2ban-client
man fail2ban-server
fail2ban-client --help
fail2ban-server --help
Viewing Log Files
It can be useful to view the log files to track failed login attempts. sshd logs to /var/log/auth.log on Debian/Ubuntu and to /var/log/secure on CentOS.
grep 'Failed password' /var/log/auth.log
grep 'Failed password' /var/log/secure
Fail2Ban records its own Ban and Unban decisions in /var/log/fail2ban.log by default, which is where to confirm that a run of failures actually resulted in a ban.
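As an added example (not from the original page or the Fail2Ban project), the shell functions below summarise sshd password failures per source address and per targeted user name, and then list the addresses that kept failing but never appear in a Fail2Ban ban line. They assume the syslog format of /var/log/auth.log or /var/log/secure for the authentication log and Fail2Ban's default "NOTICE [sshd] Ban <ip>" lines in /var/log/fail2ban.log; the two inputs used here are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not the page's or Fail2Ban's own code: triage failed logins
# and cross-check them against what Fail2Ban actually banned.
# Assumptions: auth log in the syslog format used by /var/log/auth.log and
# /var/log/secure; Fail2Ban log in its default format with "Ban <ip>" lines.

# Constructed authentication log (documentation addresses, not real hosts).
AUTH_SAMPLE='Jan 10 12:00:01 vps sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 12:00:20 vps sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan 10 12:00:40 vps sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Jan 10 12:01:00 vps sshd[2004]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 12:05:00 vps sshd[2005]: Failed password for root from 198.51.100.9 port 51005 ssh2
Jan 10 12:30:00 vps sshd[2006]: Failed password for root from 198.51.100.9 port 51006 ssh2
Jan 10 12:31:00 vps sshd[2007]: Failed password for invalid user oracle from 198.51.100.23 port 51007 ssh2
Jan 10 12:32:00 vps sshd[2008]: Accepted publickey for deploy from 192.0.2.10 port 51008 ssh2'

# Constructed Fail2Ban log: only 203.0.113.7 crossed maxretry inside findtime.
F2B_SAMPLE='2024-01-10 12:00:40,102 fail2ban.filter  [900]: INFO    [sshd] Found 203.0.113.7
2024-01-10 12:00:40,310 fail2ban.actions [900]: NOTICE  [sshd] Ban 203.0.113.7'

# failures_by_ip AUTHLOG : "count ip" lines, most active source first
failures_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
       }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# targeted_users AUTHLOG : "count user" lines; "invalid user NAME" counts as NAME
targeted_users() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = $(i + 1); if (u == "invalid") u = $(i + 3); c[u]++; break
         }
       }
       END { for (u in c) print c[u], u }' "$1" | sort -k1,1nr -k2,2
}

# banned_ips F2BLOG : unique addresses Fail2Ban reported banning
banned_ips() {
  awk '/\] Ban [0-9.]+$/ { print $NF }' "$1" | sort -u
}

# never_banned AUTHLOG F2BLOG MINFAILS : sources with at least MINFAILS
# failures that never appear in a Ban line, i.e. what the jail let through
never_banned() {
  failures_by_ip "$1" | while read -r n ip; do
    [ "$n" -ge "$3" ] || continue
    banned_ips "$2" | grep -qx "$ip" || echo "$ip"
  done
}

# Usage against the constructed samples; point the functions at
# /var/log/auth.log (or /var/log/secure) and /var/log/fail2ban.log on a real host.
tmp=$(mktemp -d)
printf '%s\n' "$AUTH_SAMPLE" > "$tmp/auth.log"
printf '%s\n' "$F2B_SAMPLE" > "$tmp/fail2ban.log"
echo "failures per source:";           failures_by_ip "$tmp/auth.log"
echo "targeted users:";                targeted_users "$tmp/auth.log"
echo "repeat offenders never banned:"; never_banned "$tmp/auth.log" "$tmp/fail2ban.log" 2
```

The last report is the one worth watching: an address with repeated failures and no Ban line is either spacing its attempts wider than findtime allows or is covered by ignoreip, and either case is a reason to revisit the jail settings rather than assume the host is protected.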
Now you have the tools to customize and use Fail2Ban to prevent brute-force logins on your VPS!
For additional resources on specifics of using Fail2Ban, please consult Fail2ban Support and Community reference material: