Fail2Ban is an intrusion prevention framework that adds a layer of security to your Rocky Linux 8 server. It analyzes the logs of services such as SSH, ProFTP, and Apache, identifies brute-force attempts, and blocks the offending addresses with iptables rules. In this guide, we will walk you through the process of installing and configuring Fail2Ban on your Rocky Linux 8 server.
1. Installing Fail2Ban
To begin, we need to install the EPEL repository, which contains the Fail2Ban package. Open your terminal and run the following command:
yum install epel-release
You will be prompted for permission. Press “y” and then “Enter” to continue with the installation.
Next, install the Fail2Ban package by running the command:
yum install fail2ban
Again, you will be prompted for permission. Press “y” and then “Enter” to proceed.
2. Configuring Fail2Ban
Now that Fail2Ban is installed, we need to configure some local file settings. There are two files we will be working with: jail.conf and jail.local.
The jail.conf file contains the default configuration settings for Fail2Ban. However, we will not modify this file directly as future package upgrades may overwrite our changes.
Instead, we will use the jail.local file to override the settings in jail.conf. To open the jail.local file for editing, run the following command:
nano /etc/fail2ban/jail.local
In the jail.local file, add the following content:
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
This configuration sets the ban time to one hour (bantime = 3600) and uses the iptables-multiport ban action. The [sshd] section enables Fail2Ban for SSH.
If your server uses firewalld instead of iptables, you can simply comment out the banaction line by adding a # at the beginning of the line.
Save the changes and exit the editor by pressing Ctrl + X, then Y, and finally Enter.
3. Setting Up Jail Configuration
Fail2Ban allows us to configure individual jails for different services. By default, Fail2Ban comes with a configuration for the SSH service (sshd). However, you can create custom jails for other services as well.
To configure a custom jail, navigate to the /etc/fail2ban/jail.d/ directory. In this directory, you can create new configuration files that override the settings in jail.local and jail.conf.
For example, to create a custom jail configuration for Apache, you can create a file called apache.conf:
nano /etc/fail2ban/jail.d/apache.conf
In this file, you can define specific settings for the Apache jail. Save the changes and exit the editor.
Remember to restart the Fail2Ban service whenever you make changes to the configuration files. You can do this by running the following command:
systemctl restart fail2ban
4. Modifying Ban Time and Conditions
Fail2Ban allows you to customize the ban time and conditions for blocking clients. By modifying the bantime, findtime, and maxretry settings, you can fine-tune the behavior of Fail2Ban to suit your needs.
To modify these settings, open the jail.local file again:
nano /etc/fail2ban/jail.local
In this file, you can find the following lines:
# ban time setting to 600sec
bantime = 600
# setting conditions to ban a client
findtime = 600
maxretry = 3
In this example, the ban time is set to 600 seconds (bantime = 600). The findtime parameter specifies the time window in which Fail2Ban looks for failed login attempts, and maxretry defines the maximum number of failed attempts allowed within that window.
Feel free to adjust these values according to your requirements. Save the changes and exit the editor.
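To see how the three settings interact before changing them on a live server, the following added example (not part of the original guide and not Fail2Ban's own code) replays a constructed sshd log through a simplified model of the jail: failures are counted per address inside the findtime window, and a ban lasting bantime starts when the count reaches maxretry. The log lines, addresses, and the simulate function are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the guide); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
2024-05-01T10:00:30 sshd[812]: Failed password for admin from 198.51.100.23 port 51000 ssh2
2024-05-01T10:04:00 sshd[813]: Failed password for root from 203.0.113.7 port 40130 ssh2
2024-05-01T10:05:00 sshd[814]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
2024-05-01T10:06:30 sshd[815]: Failed password for admin from 198.51.100.23 port 51004 ssh2
2024-05-01T10:09:00 sshd[816]: Failed password for root from 203.0.113.7 port 40141 ssh2
2024-05-01T10:13:00 sshd[817]: Failed password for admin from 198.51.100.23 port 51010 ssh2
2024-05-01T10:20:00 sshd[818]: Failed password for root from 203.0.113.7 port 40150 ssh2
2024-05-01T10:21:00 sshd[819]: Failed password for root from 203.0.113.7 port 40151 ssh2
2024-05-01T10:22:00 sshd[820]: Failed password for root from 203.0.113.7 port 40152 ssh2
"""

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port")

def simulate(log, findtime=600, maxretry=3, bantime=600):
    """Return [(ip, ban_start, ban_end)] for the given jail settings (seconds)."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside findtime
    banned_until = {}                # ip -> moment the current ban expires
    bans = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and other lines are ignored
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # still banned: the model skips this attempt
        window = recent[ip]
        window.append(ts)
        while window[0] < ts - timedelta(seconds=findtime):
            window.popleft()         # forget failures older than findtime
        if len(window) >= maxretry:  # threshold reached inside the window: ban
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()           # counting starts over once the ban expires
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

With the values from this section, 198.51.100.23 is never banned because its failures are spaced more than findtime apart; calling simulate(SAMPLE_LOG, findtime=900) bans it, which is the kind of effect to check when tuning the window.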
5. Checking Fail2Ban Status
To check the status of Fail2Ban and view detailed information about the jails, you can use the fail2ban-client command.
To view the status of all jails, run the following command:
fail2ban-client status
The output will show you the number of active jails and the list of jails. For example:
Status
|- Number of jail: 1
`- Jail list: sshd
To view detailed information about a specific jail, such as the number of failed attempts and the list of banned IP addresses, use the following command:
fail2ban-client status <jail-name>
For example, to check the status of the SSH jail, run:
fail2ban-client status sshd
The output will provide you with detailed information about the jail:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 238
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 19
   |- Total banned: 19
   `- Banned IP list: 221.131.165.56 183.89.70.240 211.200.178.178 218.92.0.207 221.181.185.143 221.181.185.220 189.207.242.90 120.246.124.254 51.254.84.249 103.20.34.169 218.22.36.135 1.179.185.50 171.245.229.51 106.55.240.205 212.64.60.50 58.240.52.43 209.141.60.60 171.225.250.69 221.181.185.151
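If you want to feed these counters into monitoring rather than read them by eye, the tree layout can be parsed into a dictionary. The following is an added example, not part of the original guide or of Fail2Ban; the parse_status function is hypothetical, and the sample text is constructed in the same layout as the output above, with made-up counts and documentation-range addresses.

```python
import ipaddress
import re

# Constructed sample in the layout printed by `fail2ban-client status sshd`
# (counts are made up; addresses are documentation ranges).
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 41
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned: 7
   `- Banned IP list:   203.0.113.7 198.51.100.23 2001:db8::5
"""

# Tree prefix ("|- ", "|  `- ", "   |- " ...), then "key" or "key: value".
ENTRY = re.compile(r"^[|` ]*[|`]- (?P<key>[^:]+?)(?::\s*(?P<value>.*))?$")

def parse_status(text):
    """Return {'jail': name, 'Filter': {...}, 'Actions': {...}}."""
    result, section = {}, None
    for line in text.splitlines():
        if line.startswith("Status for the jail:"):
            result["jail"] = line.split(":", 1)[1].strip()
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if value is None:                 # "|- Filter" / "`- Actions" open a section
            section = result.setdefault(key, {})
        elif section is not None:
            if key == "Banned IP list":   # validate each entry as an IPv4/IPv6 address
                value = [str(ipaddress.ip_address(a)) for a in value.split()]
            elif value.isdigit():
                value = int(value)
            section[key] = value
    return result

if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(status["jail"], status["Actions"]["Currently banned"])
```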
6. Additional Tips and Best Practices
- Regularly update Fail2Ban and its associated packages to ensure that you have the latest security patches.
- Monitor the Fail2Ban logs (/var/log/fail2ban.log) to stay informed about any suspicious activities.
- Consider adding additional jails for services like Apache, ProFTP, and others to protect them from brute-force attacks.
- Fine-tune the ban time and conditions based on your server’s requirements and traffic patterns.
- Combine Fail2Ban with other security measures like strong passwords, SSH key-based authentication, and regular system audits for enhanced protection.
7. Conclusion
By installing and configuring Fail2Ban on your Rocky Linux 8 server, you have taken a significant step towards safeguarding your system from brute-force attacks and unauthorized access attempts. Fail2Ban’s powerful features, such as analyzing logs and blocking malicious IPs, provide an added layer of security to your server infrastructure.
Remember to keep Fail2Ban up to date and regularly review the logs to stay vigilant against potential threats. By adopting these security best practices, you can ensure a secure and reliable hosting environment for your business.