This guide explains how to install Fail2ban software, an intrusion prevention framework on your CentOS 7 (and 6) vps easily so you can protect your server from brute-force attacks. I previously posted some basic configs for a new CentOS server including to change default SSH port and to disable root login directly. But however sometimes that would be not enough. Brute-force attack may occur continuously, hence you need to ban the source IP of that attack so it will not happen continuously or at least the attacker will need many IPs. Meed Fail2Ban that exists originally for that purpose, to protect your server from SSH brute-force attack.
Fail2ban works by scanning and monitoring log files for selected entries then bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
How to Install
Step 1 – Login to your server as user with root privilege.
Step 2 – For your information, Fail2ban is not available by default in CentOS so you can’t install it directly via yum. Hence, you have to firstly add EPEL repo:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
pic, screenshot on CentOS 7:
In case if those repo URLs are not working, you can fine the latest one here.
Step 3 – Now install it using yum:
yum install fail2ban -y
and once done you’ll see something like this:
How to Configure Fail2Ban
Step 4 – So now fail2ban is installed on your VPS, what next to do is setting up some basic Fail2ban configuration. Here I’ll show you a very basic setup. Now firstly copy default configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
This task is necessary so you can edit configuration locally (your own setting) without messing up with default one. There are lot of possible services that may need protection are in the jail.local file already.
Step 5 – Now edit jail.local file you copied. Use your favorite text editor like Nano or vi.
You’ll then firstly see something like this:
Step 6 – Scroll down the page for all available configuration. There are few lines act as basic setup you can edit as necessary to suit your need including: ignoreip, bantime, findtime, and maxretry. You can read what each line means in the explanation available there.
In the “ignoreip” line you can define several IPs to whitelist so fail2ban won’t lock out that IP. Here you can add your personal / home IP address in case if your forgot your own password to login to your server. You can separate each address with a space.
Step 7 – Now restart Fail2ban so the new configuration can take effect.
systemctl restart fail2ban.service
service fail2ban restart
That’s it. Enjoy..