Configure fail2ban on CentOS 7+

One way to enhance the security of your VPS or internet-facing home server is to install and configure fail2ban, a tool that monitors log files and executes actions, e.g. blocking the originating IP after x failed login attempts within y minutes from the same IP.

The setup is easy. Here are the steps for CentOS 7:

1. Activate the EPEL repo

# yum install epel-release

2. Install required packages

# yum install fail2ban-server fail2ban-sendmail fail2ban-systemd fail2ban-firewalld python-inotify

3. Configuration

First, create /etc/fail2ban/jail.local. This file overrides settings from /etc/fail2ban/jail.conf:

[DEFAULT]
# set a higher bantime and findtime (both in seconds)
bantime = 1200
findtime = 1800
# set max number of attempts
maxretry = 5
# set mail receiver
destemail = admin@domain.tld
sender = fail2ban@domain.tld
# send mails that include whois data and the relevant log lines
# by choosing the "action_mwl" template, see jail.conf for details
action = %(action_mwl)s

Create /etc/fail2ban/jail.d/01-jails.conf and enable the jails you want in it. Preconfigured jails are found in jail.conf, but all of them are disabled by default.

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
backend = auto

[roundcube-auth]
enabled = true
backend = auto
logpath = /path/to/roundcubemail/logs/errors

[postfix]
enabled = true

[dovecot]
enabled = true

Notes:

  • CentOS 7 is a systemd-enabled system, so we installed the fail2ban-systemd package, which does nothing more than set the default backend to systemd in /etc/fail2ban/jail.d/00-systemd.conf. Some daemons, e.g. nginx, do not log to the systemd journal but to their own log files. Set backend = auto for those services as shown above. This picks the best available backend. We installed python-inotify, so pyinotify will be used.
  • If your server is a VPS hosted on an OpenVZ platform (like Strato), the kernel might be missing the xt_set module, so IP blocking via ipset won't work. The fail2ban-firewalld package (if you use firewalld) sets the default banaction to "firewallcmd-ipset". You can change it to "firewallcmd-new" in /etc/fail2ban/jail.d/00-firewalld.conf

4. Start and enable fail2ban

# systemctl enable fail2ban
# systemctl start fail2ban

Now check /var/log/fail2ban.log for possible errors. If you configured mail delivery, you should have gotten a mail for every started jail already.
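
To see what the bantime, findtime and maxretry values from jail.local mean in practice, here is an added example (not part of the original post and not fail2ban's own code) that replays constructed sshd log lines through a simplified model of the ban logic. The regular expression, the function names, the year and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Values from the [DEFAULT] section of jail.local above (seconds, seconds, count).
BANTIME, FINDTIME, MAXRETRY = 1200, 1800, 5

# Simplified stand-in for the sshd filter (assumption, not fail2ban's real failregex).
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse(line, year=2024):
    """Return (epoch_seconds, ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).timestamp(), m.group(2)

def simulate(lines):
    """Replay log lines in order; return a list of (ip, ban_start, ban_end)."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}               # ip -> epoch second at which the ban expires
    bans = []
    for line in lines:
        hit = parse(line)
        if hit is None or banned_until.get(hit[1], 0) > hit[0]:
            continue                # not a failure, or source is already banned
        now, ip = hit
        window = failures[ip]
        window.append(now)
        while window and now - window[0] > FINDTIME:
            window.popleft()        # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = now + BANTIME
            bans.append((ip, now, now + BANTIME))
            window.clear()
    return bans

def sample_log():
    """Constructed sshd log lines (documentation IP ranges), in time order."""
    tpl = "Mar 14 10:{:02d}:00 host sshd[1001]: Failed password for root from {} port 4242 ssh2"
    fast = [tpl.format(m, "203.0.113.7") for m in (0, 5, 10, 15, 20)]
    slow = [tpl.format(m, "198.51.100.9") for m in (0, 8, 16, 24, 32)]
    ok = ["Mar 14 10:01:00 host sshd[1003]: Accepted password for alice from 192.0.2.10 port 5151 ssh2"]
    return sorted(fast + slow + ok)

if __name__ == "__main__":
    print(simulate(sample_log()))
```

With these settings only 203.0.113.7 is banned, for 1200 seconds starting at its fifth failure; 198.51.100.9 never has five failures inside one 1800-second window, which is the trade-off to keep in mind when tuning findtime and maxretry.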
