Install and Configure Fail2ban on Rocky Linux 8

In this guide, you will learn how to install and configure Fail2ban on Rocky Linux 8.

Fail2Ban is a log-parsing application that protects Linux virtual server hosts against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks. It works by monitoring system logs for malicious activity and scanning log files for entries that match identified patterns.

If Fail2Ban detects a spike of failed login attempts, it will automatically add new firewall rules to your iptables and block the source address for a specified time or indefinitely.

Installing Fail2Ban helps server owners mitigate any illegitimate activity automatically. It also alerts them via email whenever an attack is occurring.

To install Fail2ban, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide on Initial Server Setup with Rocky Linux 8.

Now follow the steps below to complete this guide.

Install Fail2ban on Rocky Linux 8

As a requirement for installing fail2ban and other requisite packages, you need to install the EPEL repository which provides additional high-quality packages for RHEL-based distributions.

First, update your local package index with the following command:

sudo dnf update -y

Then, use the following command to install the epel-release package:

sudo dnf install epel-release

Next, install Fail2ban on your server with the following command:

sudo dnf install fail2ban

When the installation is complete, start the service and enable it to start on boot with the following command:

sudo systemctl enable --now fail2ban

Verify that Fail2ban is active and running on Rocky Linux 8:

sudo systemctl status fail2ban

In your output you should see:

Output
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor pr>
Active: active (running) since Sat 2022-07-30 05:10:44 EDT; 5s ago
Docs: man:fail2ban(1)
Process: 89230 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=>
Main PID: 89232 (fail2ban-server)
Tasks: 3 (limit: 11413)
Memory: 11.1M
CGroup: /system.slice/fail2ban.service
└─89232 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Configure Fail2ban on Rocky Linux 8

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/00-firewalld.conf.

You must create a “.local” configuration file from the default “jail.conf” file.

First copy the configuration file with the following command:

sudo cp /etc/fail2ban/jail.{conf,local}

Then, open the local configuration file with your favorite text editor; here we use vi:

sudo vi /etc/fail2ban/jail.local

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.

Here you should add your local PC's IP address and any other machines that you want to whitelist.

Find the “ignoreip” line, uncomment it by removing the leading # character, and add your IP addresses separated by spaces:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Now find the “bantime” line, which sets the duration for which an IP is banned. By default, it is set to 10m. You can change the value to your liking:

bantime = 1d

To permanently ban the IP, you can use a negative number.

The maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

Fail2ban can send email alerts when an IP has been banned on Rocky Linux 8.

To receive email messages, you need an SMTP server installed on your server, and you must change the default action, which only bans the IP, to this:

action = %(action_mw)s

If you want to receive the relevant logs too, set it to this:

action = %(action_mwl)s

Also, you can adjust the sending and receiving email addresses:

destemail = [email protected]
sender = [email protected]

Fail2ban jails

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.

By default, on Rocky Linux 8, no Fail2ban jails are enabled. To enable the SSH jail, find the [sshd] section and add “enabled = true” after the jail title:

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

When you are done, save and close the file.

Now restart Fail2ban on Rocky Linux 8 with the following command to apply these changes:

sudo systemctl restart fail2ban
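
To make the effect of ignoreip and maxretry concrete, the following added example (not part of Fail2ban or of the original guide) models the ban decision over a constructed sshd log. The regular expression is a simplified stand-in for the real sshd filter, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Simplified stand-in for the sshd filter; the shipped filter matches many more messages.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def failed(user, ip, count):
    """Build `count` constructed sshd failure lines for one source address."""
    return [
        f"Jul 30 05:12:{s:02d} host sshd[901]: Failed password for {user} from {ip} port 40122 ssh2"
        for s in range(count)
    ]

# Constructed sample log (documentation and private addresses), not real traffic.
SAMPLE_LOG = "\n".join(
    failed("root", "203.0.113.7", 5)
    + failed("invalid user admin", "198.51.100.20", 3)
    + failed("root", "192.168.1.50", 6)
    + ["Jul 30 05:13:00 host sshd[950]: Accepted password for alice from 198.51.100.20 port 40200 ssh2"]
)

IGNOREIP = "127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24"  # value used in this guide

def parse_ignoreip(value):
    """Addresses and CIDR ranges only; hostnames in ignoreip are not handled here."""
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]

def decide_bans(log_text, ignoreip, maxretry):
    """Return source addresses that reach maxretry failures and are not whitelisted.

    Assumes all lines fall inside one counting window; Fail2ban itself only
    counts failures that occur within its findtime setting.
    """
    networks = parse_ignoreip(ignoreip)
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if not match:
            continue  # successful logins and unrelated lines are not failures
        addr = ipaddress.ip_address(match.group(1))
        if any(addr in net for net in networks):
            continue  # whitelisted source: never counted, never banned
        failures[str(addr)] += 1
    return sorted(ip for ip, n in failures.items() if n >= maxretry)

if __name__ == "__main__":
    print(decide_bans(SAMPLE_LOG, IGNOREIP, maxretry=5))
```

The host at 192.168.1.50 produces the most failures in the sample but is never banned, because it falls inside the whitelisted 192.168.1.0/24 range. Keep ignoreip entries as narrow as possible for the same reason.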

Let’s see how to use Fail2ban.

How To Use Fail2ban

Fail2ban comes with a command-line tool named fail2ban-client. You can use this command to interact with the Fail2ban service.

You can list all available options with the following command:

fail2ban-client -h

Output
Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.11.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
-c, --conf <DIR> configuration directory
-s, --socket <FILE> socket path
-p, --pidfile <FILE> pidfile path
--pname <NAME> name of the process (main thread) to identify instance (default fail2ban-server)
--loglevel <LEVEL> logging level
--logtarget <TARGET> logging target, use file-name or stdout, stderr, syslog or sysout.
--syslogsocket auto|<FILE>
...

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

To check the status of a jail, you can use the following command:

sudo fail2ban-client status sshd

Also, you can unban an IP with the following command:

sudo fail2ban-client set sshd unbanip 23.34.45.56

To ban an IP you can use the following command:

sudo fail2ban-client set sshd banip 23.34.45.56
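
For monitoring, the text printed by the status command can be parsed by a script. The following added example (not from the original guide) reads a constructed sample modelled on the tree-style layout of that output and flags banned addresses that fall inside ranges you consider trusted, which are the candidates for unbanip. The function names and sample counts are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the text `fail2ban-client status sshd` prints.
SAMPLE_STATUS = (
    "Status for the jail: sshd\n"
    "|- Filter\n"
    "|  |- Currently failed:\t2\n"
    "|  |- Total failed:\t17\n"
    "|  `- Journal matches:\t_SYSTEMD_UNIT=sshd.service + _COMM=sshd\n"
    "`- Actions\n"
    "   |- Currently banned:\t2\n"
    "   |- Total banned:\t3\n"
    "   `- Banned IP list:\t23.34.45.56 192.168.1.50\n"
)

# Skip the tree-drawing prefix, then capture "Field name: value".
FIELD = re.compile(r"^[\s|`-]*([A-Za-z ]+):\s*(.*)$")

def parse_jail_status(text):
    """Turn the status text into a dict with integer counters and a list of banned IPs."""
    raw = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            raw[match.group(1).strip()] = match.group(2).strip()
    return {
        "jail": raw["Status for the jail"],
        "currently_failed": int(raw["Currently failed"]),
        "currently_banned": int(raw["Currently banned"]),
        "total_banned": int(raw["Total banned"]),
        "banned_ips": raw["Banned IP list"].split(),
    }

def trusted_but_banned(status, trusted):
    """Return banned addresses that fall inside the space-separated trusted ranges."""
    nets = [ipaddress.ip_network(item, strict=False) for item in trusted.split()]
    return [
        ip for ip in status["banned_ips"]
        if any(ipaddress.ip_address(ip) in net for net in nets)
    ]

if __name__ == "__main__":
    status = parse_jail_status(SAMPLE_STATUS)
    print(status["jail"], status["currently_banned"], status["banned_ips"])
    print(trusted_but_banned(status, "127.0.0.1/8 ::1 192.168.1.0/24"))
```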

Conclusion

At this point, you have learned how to install and configure Fail2ban on Rocky Linux 8, and how to use it on your server.

Hope you enjoy it.
