Thursday 14 September 2017

Install Fail2Ban on CentOS 7.3

      Fail2Ban on CentOS 7.3

Fail2ban is an intrusion prevention framework, which works together with a packet-control system or firewall installed on your server, and is commonly used to block connection attempts after a number of failed tries. The program runs in the background and continuously scans the log files for unusual login patterns and security breach attempts.

To install Fail2Ban on CentOS 7.3, we first need to install the EPEL (Extra Packages for Enterprise Linux) repository.
# yum install epel-release
# yum install fail2ban fail2ban-systemd
If you have SELinux enabled, update the SELinux policies as well.
# yum update -y selinux-policy*


      Configure settings for Fail2Ban
Once installed, we have to configure and customize the software with a jail.local configuration file. Fail2ban reads jail.conf first and then jail.local, so settings in jail.local override the defaults.
Make a copy of the jail.conf file and save it with the name jail.local:
# cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# vi /etc/fail2ban/jail.local
The file contains many settings, such as which IP addresses are never banned, how long a ban lasts, and so on.
A typical jail configuration file contains the following lines.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. ,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

ignoreip: The list of IP addresses (or CIDR masks) that will never be banned. Separate several entries with spaces.
bantime: The number of seconds a host stays banned.
findtime: The window, in seconds, in which failures are counted. If a host generates "maxretry" failures within the last "findtime" seconds, it is banned.
maxretry: The number of failed attempts a host is allowed; once it reaches this limit, the host is banned.

      Running Fail2Ban service
Enable and start firewalld, the CentOS firewall, so that Fail2Ban has something to add its ban rules to:
# systemctl enable firewalld
# systemctl start firewalld

Now run the following commands to enable and start Fail2Ban.
# systemctl enable fail2ban
# systemctl start fail2ban

      Fail2Ban Status
Use the following command to check the status of Fail2Ban and the list of active jails.
# fail2ban-client status

      Failed login entries
With the following command you can check whether there have been failed attempts to log in to the server.
# grep 'Failed password' /var/log/secure
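As an added example (not part of the original post), the following Python script applies the ignoreip, findtime, maxretry and bantime rules described above to constructed /var/log/secure lines of the kind the grep command selects, so you can see which hosts would end up banned and why. It assumes a fixed log year, because syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines (not taken from a real host).
SAMPLE_LOG = """\
Sep 14 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 14 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep 14 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 14 10:00:12 host sshd[1204]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Sep 14 10:00:14 host sshd[1205]: Failed password for root from 203.0.113.7 port 51260 ssh2
Sep 14 10:00:20 host sshd[1206]: Failed password for root from 203.0.113.7 port 51270 ssh2
Sep 14 10:00:30 host sshd[1207]: Failed password for bob from 192.0.2.10 port 40010 ssh2
Sep 14 10:30:00 host sshd[1208]: Failed password for bob from 192.0.2.10 port 40020 ssh2
"""

# Matches the lines that `grep 'Failed password'` selects; captures timestamp and source IP.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)

def parse_failures(log, year=2017):
    """Yield (timestamp, ip) per failed-password line; syslog timestamps carry no year."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def simulate(log, findtime=600, maxretry=5, bantime=600, ignoreip=("127.0.0.1/8",)):
    """Return {ip: ban time} for hosts reaching maxretry failures within findtime seconds."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]  # IPs or CIDR masks
    recent = defaultdict(deque)  # per-IP failure timestamps still inside the findtime window
    bans = {}
    for ts, ip in parse_failures(log):
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never banned
        if ip in bans and (ts - bans[ip]).total_seconds() < bantime:
            continue  # still banned; the firewall would have dropped this attempt
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
            q.clear()
    return bans
```

With the defaults, 203.0.113.7 is banned at its fifth failure (10:00:20) while 192.0.2.10's two failures, half an hour apart, never fall inside one findtime window.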
      
      Banned IPs by Fail2Ban
With the following command you can get a list of banned IP addresses which were recognized as brute force threats (look for the chains Fail2Ban adds, named after each jail).
# iptables -L -n

          Unbanning an IP address
To remove an IP address from the banned list, use the unbanip command of the jail that banned it (here sshd), replacing IPADDRESS with the address to unban.
# fail2ban-client set sshd unbanip IPADDRESS
