Install and Configure Fail2ban on Rocky Linux 8

In this guide, we want to teach you to Install and Configure Fail2ban on Rocky Linux 8.

Fail2Ban is a log-parsing application that protects Linux virtual server hosts against many security threats, such as a dictionary, DoS, DDoS, and brute-force attacks. It works by monitoring system logs for any malicious activity and scanning files for any entries matching identified patterns.

If Fail2Ban detects a spike of failed login attempts, it will automatically add new firewall rules to your iptables and block the source address for a specified time or indefinitely.

Installing Fail2Ban helps server owners mitigate any illegitimate activity automatically. It also alerts them via email whenever an attack is occurring.

Install and Configure Fail2ban on Rocky Linux 8

To install Fail2ban, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide the Initial Server Setup with Rocky Linux 8.

Now follow the steps below to complete this guide.

Install Fail2ban on Rocky Linux 8

As a requirement for installing fail2ban and other requisite packages, you need to install the EPEL repository which provides additional high-quality packages for RHEL-based distributions.

First, update your local package index with the following command:

sudo dnf update -y

Then, use the following command to install Epelrelease:

sudo dnf install epel-release

Next, install Fail2ban on your server with the following command:

sudo dnf install fail2ban

When your installation is completed, start and enable your service to start on boot with the following command:

sudo systemctl enable --now fail2ban

Verify that Fail2ban is active and running on Rocky Linux 8:

sudo systemctl status fail2ban

In your output you should see:

Output
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor pr>
Active: active (running) since Sat 2022-07-30 05:10:44 EDT; 5s ago
Docs: man:fail2ban(1)
Process: 89230 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=>
Main PID: 89232 (fail2ban-server)
Tasks: 3 (limit: 11413)
Memory: 11.1M
CGroup: /system.slice/fail2ban.service
└─89232 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Configure Fail2ban on Rocky Linux 8

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf.

You must create a “.local” configuration file from the default “jail.conf” file.

First copy the configuration file with the following command:

sudo cp /etc/fail2ban/jail.{conf,local}

Then, open the local configuration file with your favorite text editor here we use vi:

sudo vi /etc/fail2ban/jail.local

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.

Here you should add your local PC IP address and all other machines that you want to whitelist.

Find the “ignoreip” line and uncomment it by removing the hashtag from it and adding your IP addresses separated by space:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Now find the “bantime” line, the duration for which the IP is banned, by default, it is set to 10m. You can change the value to your liking:

bantime = 1d

To permanently ban the IP, you can use a negative number.

The find time is the duration between the number of failures before a ban is set.

The max retry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

Fail2ban can send email alerts when an IP has been banned on Rocky Linux 8.

To receive email messages, you need to have an SMTP installed on your server and change the default action. It only bans the IP to this:

action = %(action_mw)s

If you want to receive the relevant logs too, you should set this to the:

action = %(action_mwl)s

Also, you can adjust the sending and receive email addresses:

destemail = admin@orcacore.com
sender = root@orcacore.com

Fail2ban jails

in this section of Install and Configure Fail2ban on Rocky Linux 8, we want to talk bout Jails on Fail2ban. Fail2Ban uses the concept of jails. A jail describes a service and includes filters and actions.

By default, on Rocky Linux 8, no Fail2ban jails are enabled. To enable it, find the [sshd] section and add the “enabled = true” after the jail title:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

When you are done, save and close the file.

Now restart Fail2ban on Rocky Linux 8 with the following command to apply these changes:

sudo systemctl restart fail2ban

Let’s see how to use Fail2ban.

How To Use Fail2ban

Fail2ban comes with a command-line tool named fail2ban-client. You can use this command to interact with the Fail2ban service.

You can list all available options with the following command:

fail2ban-client -h
Output
Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.11.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
-c, --conf <DIR> configuration directory
-s, --socket <FILE> socket path
-p, --pidfile <FILE> pidfile path
--pname <NAME> name of the process (main thread) to identify instance (default fail2ban-server)
--loglevel <LEVEL> logging level
--logtarget <TARGET> logging target, use file-name or stdout, stderr, syslog or sysout.
--syslogsocket auto|<FILE>
...

This tool can be used to ban/unban IP addresses, change settings, restart the service and more. Here are a few examples:

To check the status of jail you can use the following command:

sudo fail2ban-client status sshd

Also, you can unban an IP with the following command:

sudo fail2ban-client set sshd unbanip 23.34.45.56

To ban an IP you can use the following command:

sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

At this point, you learn to Install and Configure Fail2ban on Rocky Linux 8. Also, you learn how to use it on your server.

Hope you enjoy it.

You may be interested in these articles:

Install Varnish Cache for Apache on Rocky Linux 8

Install and Configure Apache Tomcat on Rocky Linux 8

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!