How to Install Fail2Ban on CentOS
This guide explains how to install Fail2ban, an intrusion prevention framework, on your CentOS 7 (or 6) VPS so you can protect your server from brute-force attacks. I previously posted some basic configuration steps for a new CentOS server, including changing the default SSH port and disabling direct root login. Sometimes that is not enough: brute-force attempts can continue indefinitely, so you need to ban the source IP of the attack so that it stops, or at least so that the attacker has to burn through many IPs. Meet Fail2ban, which exists for exactly that purpose: protecting your server from SSH brute-force attacks.
Fail2ban works by scanning and monitoring log files for selected patterns and then banning IPs that show signs of malicious behaviour, such as too many password failures or probing for exploits. Bans are enforced as firewall rules (iptables by default) and expire after a configurable bantime.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
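As an added example (not part of the original post), here is a small POSIX shell/awk script that mimics what the sshd filter does: it scans /var/log/secure-style lines, counts failed password attempts per source address, skips an ignore list (the role of ignoreip), and reports the addresses that reached maxretry. The sample log lines and the addresses in them are constructed for the example; the script bans nothing, it only shows the matching and counting that drives a ban, and it leaves out the findtime window that real Fail2ban also applies.

```shell
#!/bin/sh
# Added example (not from the original post): a tiny stand-in for the
# matching logic of fail2ban's sshd filter. It reads /var/log/secure-style
# lines, counts "Failed password" events per source IP, skips addresses on
# an ignore list, and prints every IP that reached maxretry. Real fail2ban
# also applies a findtime window and bans through the firewall; this shows
# only the detection half.

# Constructed sample log lines in /var/log/secure format. The addresses are
# documentation ranges; nothing here came from a real server.
SAMPLE_LOG='Mar  3 10:01:11 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:13 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:15 vps sshd[1240]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:00 vps sshd[1250]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:05 vps sshd[1251]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:02:30 vps sshd[1252]: Connection closed by 192.0.2.44 [preauth]'

# find_offenders MAXRETRY [IGNOREIP ...]
# Reads log lines on stdin and prints, sorted, the IPs with at least
# MAXRETRY password failures that are not in the ignore list.
find_offenders() {
    maxretry=$1
    shift
    awk -v maxretry="$maxretry" -v ignore="$*" '
        BEGIN {
            n = split(ignore, list, " ")
            for (i = 1; i <= n; i++) skip[list[i]] = 1
        }
        # Same shape as the sshd filter rule for password failures: the IP is
        # the token after "from". Plain and "invalid user" forms both match;
        # successful logins and preauth disconnects do not.
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+ ssh2/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); break }
            }
            if (!(ip in skip)) fails[ip]++
        }
        END {
            for (ip in fails) if (fails[ip] >= maxretry) print ip
        }
    ' | sort
}

# Stand-alone run: with maxretry = 3 only 203.0.113.5 qualifies, because
# 198.51.100.7 failed once and then logged in with a key.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 3
```

Pipe a real file through it (`tail -n 5000 /var/log/secure | find_offenders 5 YOUR.HOME.IP`) to see which addresses Fail2ban would already have banned with that maxretry; the difference from the real thing is that Fail2ban resets the count after findtime seconds.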
How to Install
Step 1 – Login to your server as user with root privilege.
Step 2 – Fail2ban is not in the default CentOS repositories, so a plain yum install will not find it. First add the EPEL repository:
CentOS 6:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
CentOS 7:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
If those package URLs no longer work (the EPEL release package is re-versioned from time to time), you can find the latest one here.
Step 3 – Now install it using yum:
yum install fail2ban -y
How to Configure Fail2Ban
Step 4 – Fail2ban is now installed on your VPS; what comes next is some basic configuration. Here I'll show a very basic setup. First copy the default configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
This is necessary because jail.conf is replaced on package upgrades, while settings in jail.local override it and survive, so your own changes stay separate from the defaults. The copied jail.local already contains sections for many services that may need protection. Only jails marked enabled = true are active; in Fail2ban 0.9 and later every jail is disabled by default, so make sure the SSH jail (named [sshd] in those versions) is enabled.
Step 5 – Now edit jail.local file you copied. Use your favorite text editor like Nano or vi.
nano /etc/fail2ban/jail.local
Step 6 – Scroll down through the available configuration. A few lines in the [DEFAULT] section act as the basic setup and can be edited to suit your needs: ignoreip, bantime (how long an IP stays banned, in seconds), findtime (the window, in seconds, within which failures are counted), and maxretry (how many failures within findtime trigger a ban). Each line is explained in the comments beside it.
In the ignoreip line you can list addresses or networks that Fail2ban should never ban. Add your own home or office IP here so that mistyping your own password cannot lock you out of the server. Separate entries with a space.
Step 7 – Now restart Fail2ban so the new configuration takes effect.
CentOS 7:
systemctl restart fail2ban.service
CentOS 6:
service fail2ban restart
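Here are steps 2 to 7 collected into one script, as an added example rather than the post's own commands. It assumes CentOS 7 with the EPEL package (Fail2ban 0.9 or later, where the SSH jail is named [sshd] and is off until you enable it), installs epel-release from the CentOS extras repository instead of chasing a versioned rpm URL, writes a short jail.local that overrides only the settings discussed above rather than copying all of jail.conf (both approaches work, since jail.local wins over jail.conf either way), and enables the service so it also starts after a reboot, which the tutorial's restart alone does not do. The IP and timing values are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): the install and configuration
# steps of the tutorial as one script for CentOS 7. Assumptions: the EPEL
# fail2ban package (0.9+, jail named [sshd]), systemd, and that the
# install_* and activate_* functions are run as root.

# Steps 2 and 3: add EPEL from the CentOS extras repository, then install.
install_fail2ban() {
    yum install -y epel-release
    yum install -y fail2ban
}

# render_jail_local IGNOREIP BANTIME FINDTIME MAXRETRY
# Prints a minimal jail.local. Times are in seconds; IGNOREIP is a
# space-separated list of addresses or networks that must never be banned.
render_jail_local() {
    ignoreip=$1
    bantime=$2
    findtime=$3
    maxretry=$4
    cat <<EOF
[DEFAULT]
# Never ban loopback or your own addresses (space-separated).
ignoreip = 127.0.0.1/8 $ignoreip
# Ban for $bantime seconds once $maxretry failures occur within $findtime seconds.
bantime = $bantime
findtime = $findtime
maxretry = $maxretry

# Jails are disabled by default in fail2ban 0.9+, so the SSH jail must be
# switched on explicitly. Its filter and logpath (/var/log/secure on CentOS)
# are inherited from jail.conf, so nothing else needs repeating here.
[sshd]
enabled = true
EOF
}

# write_jail_local DEST IGNOREIP BANTIME FINDTIME MAXRETRY
write_jail_local() {
    dest=$1
    shift
    render_jail_local "$@" > "$dest"
}

# Step 7, plus the enable the tutorial leaves out: start at boot, restart
# now so jail.local is read, then confirm the sshd jail is really running.
activate_fail2ban() {
    systemctl enable fail2ban.service
    systemctl restart fail2ban.service
    fail2ban-client status sshd
}

# Stand-alone run only prints the config it would install. As root:
#   install_fail2ban
#   write_jail_local /etc/fail2ban/jail.local "198.51.100.7" 3600 600 3
#   activate_fail2ban
render_jail_local "198.51.100.7" 3600 600 3
```

After activate_fail2ban, `fail2ban-client status sshd` should list the sshd jail with its filter file and the currently banned addresses; if it errors out saying the jail does not exist, the jail was not enabled or the service did not pick up the new file. Replace 198.51.100.7 with the address you administer from before you raise bantime, otherwise your own typo can lock you out for the full ban period.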
That’s it. Enjoy..
Hi,
Thank you for this helpful tutorial. Do you have any suggestions for optimal settings? I have installed fail2ban after I realised that I had 25.000+ failed login attempts on my CentOS server from Digital Ocean (their support recommended this website to me).
I am quite new to setting up servers and therefore my knowledge is limited.
You can try these:
– Change default SSH port regularly
– Switch to key-based authentication rather than password-based
– In fail2ban, increase the “bantime” and reduce the “findtime” value (if you are really in panic mode)
Optimal setting for fail2ban really is depending on users’ situation / need 🙂
Great tutorial, very clear and well structured. Thanks!
Assalaam Sawiyati,
Besides fail2ban, I am planning to allow SSH only from ISPs registered in Malaysia. Do you happen to have all the IP ranges for ISPs in Malaysia?
TIA
…termizi
Superb tutorial. Very concise and helpful. Thanks very much. I have just locked down my cloud VPS a load more, as it was getting many, many SSH attempts!!!
This is the sort of thing that makes life easier.
Very useful, helpful, all done in a few clicks.
Thank you mammy !!!
Hi, thanks for this good guide. I have to install fail2ban on my VPS, which only has a mail server (Merak), so I don’t want fail2ban to install Postfix! How can I do that?
Thanks
It seems that Fail2Ban is a good intrusion prevention software and you explained how to install it on a CentOS server very well.
I have Ubuntu installed on my server and I block abusive IP addresses using iptables. I followed the instructions at: https://www.rosehosting.com/blog/blocking-abusive-ip-addresses-using-iptables-firewall-in-debianubuntu
Is it difficult to install Fail2Ban on an Ubuntu VPS?
It should be easy as well
you forgot systemctl enable fail2ban.service
I’m setting up a cloud based VM and thought about configuring fail2ban on CentOS 7, but found it wanted to install a 3.10 kernel as a dependency whereas I am on a 3.18 kernel now. I’m not going to install a kernel as a dependency just for this component. That struck me as odd.
I set up key based authentication, so I’m not too worried about it. Soon enough virtually all access will be via a VPN tunnel, at which point I will restrict all ssh traffic to a few specific hosts and drop the rest.
Excellent… easy and very well documented!
Great Job!
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
is now
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
thanks for the update
Pretty much every CentOS distro that I’ve worked on lets you just run “yum install epel-release”, maybe this would be a better way to do it considering it doesn’t require you to match versions up?
so you should change the link >_<
the post link is 404.
Can you please be more specific about which link 404?
Hi and thanks for your post! For some reason the log file is not being created on my CentOS release 6.6, plus in /etc/fail2ban/fail2ban.conf the log destination is not defined, so I added “log = /var/log/fail2ban.log” under “loglevel = 3” and restarted it, but still no logs. I re-installed it and still no luck. Any idea what could be the cause?
Hi Sawiyati, Thanks for the post – it gave me a great starting point for setting up Fail2Ban. I actually found out that it’s possible to protect pretty much anything with it, which is awesome. I made a big writeup for setting up CentOS7 with Virtualmin, Fail2Ban and everything: http://productivemercurial.com/blog/setting-up-the-perfect-server-centos-7-apache-php-mysql-proftpd-postfix-dovecot-bind-and-virtualminwebmin/
Regards!