Sunday, October 2, 2022

Install and Configure Fail2ban on AlmaLinux 8

This article shows how to install and configure Fail2ban on AlmaLinux 8.

Fail2ban is an open-source tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan log files.

How To Install and Configure Fail2ban

To install and configure Fail2ban on your server, you need to log in as a non-root user with sudo privileges and set up a basic firewall. To do this, you can check our article about the Initial Server Setup with AlmaLinux 8.

Install Fail2ban on AlmaLinux 8

The Fail2ban package is available in the AlmaLinux default repository. First, update your local package index with the following command:

sudo dnf update

Then install Fail2ban with the following command:

sudo dnf install fail2ban

When your installation is finished, you need to start and enable Fail2ban on AlmaLinux 8 with the following command:

sudo systemctl enable --now fail2ban

Verify that your service is active and running on your server with the following command:

sudo systemctl status fail2ban

In your output you will see:

Output
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor pr>
Active: active (running) since Sun 2021-11-07 15:41:40 EET; 8s ago
Docs: man:fail2ban(1)
Process: 89841 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=>
Main PID: 89843 (fail2ban-server)
Tasks: 3 (limit: 11409)
Memory: 12.7M
CGroup: /system.slice/fail2ban.service
└─89843 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Now you have Fail2ban up and running on AlmaLinux 8. Let’s start to configure it.

Configure Fail2ban on AlmaLinux 8

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf.

Do not edit jail.conf directly, since a package update can overwrite it. Instead, create a “.local” configuration file from the default “jail.conf” file.

First copy the configuration file with the following command:

sudo cp /etc/fail2ban/jail.{conf,local}

Then, open the local configuration file with your favorite text editor. Here we use vi:

sudo vi /etc/fail2ban/jail.local

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.

Here you should add your local PC IP address and all other machines that you want to whitelist.

Find the “ignoreip” line, uncomment it by removing the leading hash sign (#), and add your IP addresses separated by spaces:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Now find the “bantime” line. This is the duration for which an IP is banned. By default, it is set to 10m. You can change the value to your liking:

bantime = 1d

To permanently ban the IP, you can use a negative number.

The maxretry directive is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.
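How ignoreip and maxretry interact when log lines are scanned, as an added example that is not part of the original article or Fail2ban's own code. The regular expression is a simplified stand-in for an sshd filter, the log lines are constructed, and findtime (the counting window in seconds, a Fail2ban setting not covered above) is assumed to be 10 minutes:

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

IGNOREIP = "127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24"  # value from jail.local above

# Simplified stand-in for one sshd failure pattern (assumption, not fail2ban's own failregex).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

def sample_log():
    """Constructed sshd lines: source IP -> minute offsets of failed logins."""
    cases = {"23.34.45.56": [0, 1, 2, 3, 4],       # 5 failures in 4 minutes
             "192.168.1.50": [0, 0, 1, 1, 2, 2],   # inside the ignoreip range
             "198.51.100.9": [0, 5, 10, 15, 20]}   # too slow for a 10-minute window
    return sorted(
        f"Oct  2 10:{m:02d}:{i:02d} host sshd[1234]: Failed password for root from {ip} port 40000 ssh2"
        for ip, minutes in cases.items() for i, m in enumerate(minutes))

def find_bans(lines, ignoreip=IGNOREIP, maxretry=5, findtime=600, year=2022):
    """Return IPs with maxretry failures inside findtime seconds, skipping ignoreip."""
    # strict=False accepts entries with host bits set, such as 127.0.0.1/8
    ignored = [ipaddress.ip_network(item, strict=False) for item in ignoreip.split()]
    failures, banned = defaultdict(list), []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # hostnames are not resolved in this sketch
        if any(ip.version == net.version and ip in net for net in ignored):
            continue  # whitelisted source: never counted, never banned
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= findtime]
        failures[ip] = recent + [ts]
        if len(failures[ip]) >= maxretry and str(ip) not in banned:
            banned.append(str(ip))
    return banned

if __name__ == "__main__":
    print(find_bans(sample_log()))
```

Only 23.34.45.56 is reported with the settings above. Dropping 192.168.1.0/24 from ignoreip would also ban 192.168.1.50, which is why the whitelist should contain only addresses you control.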

Fail2ban can send email alerts when an IP has been banned on AlmaLinux 8.

To receive email messages, you need an SMTP server installed on your server, and you need to change the default action, which only bans the IP, to this:

action = %(action_mw)s

If you want to receive the relevant logs too, set it to this instead:

action = %(action_mwl)s

You can also adjust the sending and receiving email addresses:

destemail = [email protected]
sender = [email protected]

Fail2ban jails

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.

By default, on AlmaLinux 8, no Fail2ban jails are enabled. To enable a jail, find its section, here [sshd], and add “enabled = true” after the jail title:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

When you are done, save and close the file.

Now restart Fail2ban on AlmaLinux 8 with the following command to apply these changes:

sudo systemctl restart fail2ban

Let’s see how to use Fail2ban.

How To Use Fail2ban

Fail2ban comes with a command-line tool named fail2ban-client. You can use this command to interact with the Fail2ban service.

You can list all available options with the following command:

fail2ban-client -h

This tool can be used to ban or unban IP addresses, change settings, restart the service, and more. Here are a few examples.

To check the status of a jail, you can use the following command:

sudo fail2ban-client status sshd

Also, you can unban an IP with the following command:

sudo fail2ban-client set sshd unbanip 23.34.45.56

To ban an IP you can use the following command:

sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

At this point, you have learned how to install and configure Fail2ban on AlmaLinux 8, and how to use it on your server.

Hope you enjoy it.
