
How to secure your linux server with fail2ban

This article demonstrates how to install and configure fail2ban to help secure a server. With fail2ban, you can configure your server to automatically block IP addresses that engage in suspicious activity.

About fail2ban

The fail2ban application monitors server log files for intrusion attempts and other suspicious activity. After a predefined number of failures from a host, fail2ban blocks its IP address automatically for a specific duration.

With fail2ban, you can help secure your server against unauthorized access attempts. It is particularly effective in reducing the risk from scripted attacks and botnets.

Installing fail2ban

To install the fail2ban package for your Linux distribution:

For Debian and Ubuntu, type the following command:

For CentOS and Fedora, type the following command:

Configuring fail2ban

After you install fail2ban, you are ready to configure it. To do this, follow these steps:

  1. Log in to your server using SSH.
  2. At the command prompt, type the following command:

Locate the [DEFAULT] section, which contains the following global options:

  • ignoreip: This option enables you to specify IP addresses or hostnames that fail2ban will ignore. For example, you could add your home or office IP address so fail2ban does not prevent you from accessing your own server. To specify multiple addresses, separate them with a space. For example:
  • bantime: This option defines in seconds how long an IP address or host is banned. The default is 600 seconds (10 minutes).
  • maxretry: This option defines the number of failures a host is allowed before it is banned.
  • findtime: This option is used together with the maxretry option. If a host exceeds the maxretry setting within the time period specified by the findtime option, it is banned for the length of time specified by the bantime option.

With fail2ban’s global options configured, you are now ready to enable and disable jails for the specific protocols and services you want to protect. By default, fail2ban monitors SSH login attempts (you can search for the [ssh-iptables] section in the jail.local file to view the specific settings for the SSH jail).

To restart the fail2ban service and load the new configuration, type the following command:

To display a list of IP addresses currently banned by fail2ban, type the following command:

For example, the following line shows an IP address that the SSH jail has banned:

Fail2ban is a free, open-source and widely used intrusion prevention tool that scans log files for IP addresses that show malicious signs such as too many password failures, and much more, and it bans them (updates firewall rules to reject the IP addresses). By default, it ships with filters for various services including sshd.

In this article, we will explain how to install and configure fail2ban to protect SSH and improve SSH server security against brute force attacks on CentOS/RHEL 8.

Installing Fail2ban on CentOS/RHEL 8

The fail2ban package is not in the official repositories but it is available in the EPEL repository. After logging into your system, access a command-line interface, then enable the EPEL repository on your system as shown.

Install EPEL Repo on CentOS and RHEL 8

Afterward, install the Fail2ban package by running the following command.

Install Fail2ban in CentOS and RHEL 8

Configuring Fail2ban to Protect SSH

The fail2ban configuration files are located in the /etc/fail2ban/ directory and filters are stored in the /etc/fail2ban/filter.d/ directory (the filter file for sshd is /etc/fail2ban/filter.d/sshd.conf).

The global configuration file for the fail2ban server is /etc/fail2ban/jail.conf. However, you should not modify this file directly, because a future package upgrade will probably overwrite or replace it.

As an alternative, it is recommended to create and add your configurations in a jail.local file or separate .conf files under the /etc/fail2ban/jail.d/ directory. Note that configuration parameters set in jail.local will override whatever is defined in jail.conf.

For this article, we will create a separate file called jail.local in the /etc/fail2ban/ directory as shown.

Once the file is open, copy and paste the following configuration into it. The [DEFAULT] section contains global options and [sshd] contains parameters for the sshd jail.

Fail2ban Configuration

Let’s briefly explain the options in the above configuration:

  • ignoreip: specifies the list of IP addresses or hostnames that are never banned.
  • bantime: specifies the number of seconds a host is banned for (the effective ban duration).
  • maxretry: specifies the number of failures before a host is banned.
  • findtime: fail2ban bans a host if it has generated maxretry failures during the last findtime seconds.
  • banaction: the action used to apply the ban.
  • backend: specifies the backend used to detect log file modifications.

The above configuration, therefore, means if an IP has failed 3 times in the last 5 minutes, ban it for 6 hours, and ignore the IP address 192.168.56.2.

Next, start and enable the fail2ban service, then check that it is up and running using the following systemctl commands.

Start Fail2ban Service

Monitoring Failed and Banned IP Address Using fail2ban-client

After configuring fail2ban to secure sshd, you can monitor failed and banned IP addresses using the fail2ban-client. To view the current status of the fail2ban server, run the following command.

Check Fail2ban Jail Status

To monitor the sshd jail, run:

Monitor SSH Failed Logins with Fail2ban

To unban an IP address in fail2ban (in all jails and database), run the following command.

For more information on fail2ban, read the following man pages.

That sums up this guide! If you have any questions or thoughts you want to share about this topic, do not hesitate to reach us via the feedback form below.


SSH is a good tool for remotely accessing your computer or server and making changes to it as if you were sitting in front of it. If you have an SSH server, we have shown you how to generate and use a public/private key pair so you can connect to the remote server securely, but that doesn’t mean your SSH server is safe. On the contrary, most SSH servers are exposed to brute force attacks, and if you are not paying attention, attackers could easily break into your server and destroy or steal everything you have.

Fail2Ban is a simple yet useful tool that monitors your server for malicious attacks and blocks them before they can wreak havoc.

Installation

Fail2Ban is available in the Ubuntu repository, so you can install it with the command:

For Red Hat or CentOS users, you can install Fail2Ban via the EPEL repository.

Once you have installed Fail2Ban, the next step is to move the configuration file to a local folder so you won’t change the main configuration file accidentally.

Configuration

Once installed, Fail2Ban automatically starts monitoring your server for malicious attacks. In most cases the default settings are sufficient to protect your site, but if you have a custom server configuration (such as a different port for SSH access) or want to enable other services, here is how you can do so:

The configuration file is divided into different sections. The first one that you will come across is [DEFAULT].

The few parameters you need to take note of here are ignoreip, bantime and maxretry.

  • ignoreip – this is where you whitelist the IPs that you don’t want to block. The default is the localhost (127.0.0.1/8). You can add additional IPs to the field, separating each IP with a space.
  • bantime – this is the amount of time in seconds to block the IP from accessing your server. The default is 10 minutes (600 seconds).
  • maxretry – this is the number of failed login attempts before the IP is blocked.

There is also the destemail field, where you can specify an email address to be notified when a malicious attack is detected. Note that this works only if you have a mail server installed.

The next section is the “Actions”.

Most of the settings here can be left at their defaults unless you want to change banaction and protocol. The default banaction works through iptables; you can switch it to the multiport setting or create a new iptables action for this. The default value for protocol is tcp, but you can change it to udp, depending on which connection you are using.

The last part is the “Jail” section, where you can configure Fail2Ban to monitor your Apache server, FTP server, mail server and DNS server.

In most cases, you just have to change the “enabled = false” setting to “enabled = true” and it will be activated for that service. If you are not using the usual port 20 for SSH, you can also change the port number in the setting above.

Once you are done with the configuration, press “Ctrl + o” to save and “ctrl + x” to exit.

Lastly, restart the Fail2Ban service with the command:

What other ways do you use to protect your SSH server?

Damien Oh started writing tech articles since 2007 and has over 10 years of experience in the tech industry. He is proficient in Windows, Linux, Mac, Android and iOS, and worked as a part time WordPress Developer. He is currently the owner and Editor-in-Chief of Make Tech Easier.

Harden your Linux server in seven easy steps.


This primer will introduce you to basic Linux server security. While it focuses on Debian/Ubuntu, you can apply everything presented here to other Linux distributions. I also encourage you to research this material and extend it where applicable.

1. Update your server

The first thing you should do to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches.

On Ubuntu and Debian:

On Fedora, CentOS, or RHEL:

2. Create a new privileged user account

Next, create a new user account. You should never log into your server as root. Instead, create your own account (” “), give it sudo rights, and use it to log into your server.

Start out by creating a new user:

Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user’s group membership:

3. Upload your SSH key

You’ll want to use an SSH key to log into your new server. You can upload your pre-generated SSH key to your new server using the ssh-copy-id command:

Now you can log into your new server without having to type in a password.

4. Secure SSH

Next, make these three changes:

  • Disable SSH password authentication
  • Restrict root from logging in remotely
  • Restrict access to IPv4 or IPv6

Open /etc/ssh/sshd_config using your text editor of choice and ensure these lines:

Next, restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most folks) make this change:

Restart the SSH service to enable your changes. Note that it’s a good idea to have two active connections to your server before restarting the SSH server. Having that extra connection allows you to fix anything should the restart go wrong.

On Fedora or CentOS or anything using Systemd:

5. Enable a firewall

Now you need to install a firewall, enable it, and configure it only to allow network traffic that you designate. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies the process of configuring a firewall.

You can install UFW with:

By default, UFW denies all incoming connections and allows all outgoing connections. This means any application on your server can reach the internet, but anything trying to reach your server cannot connect.

First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:

Then enable UFW:

You can see what services are allowed and denied with:

If you ever want to disable UFW, you can do so by typing:

You can also use firewall-cmd, which is already installed and integrated into some distributions.

6. Install Fail2ban

Fail2ban is an application that examines server logs looking for repeated or automated attacks. If any are found, it will alter the firewall to block the attacker’s IP address either permanently or for a specified amount of time.

You can install Fail2ban by typing:

Then copy the included configuration file:

And restart Fail2ban:

That’s all there is to it. The software will continuously examine the log files looking for attacks. After a while, the app will build up quite a list of banned IP addresses. You can view this list by requesting the current status of the SSH service with:

7. Remove unused network-facing services

Almost all Linux server operating systems come with a few network-facing services enabled. You’ll want to keep most of them. However, there are a few that you might want to remove. You can see all running network services by using the ss command:

The output from ss will differ depending on your operating system. This is an example of what you might see. It shows that the SSH (sshd) and Nginx (nginx) services are listening and ready for connections:

How you go about removing an unused service (” “) will differ depending on your operating system and the package manager it uses.

To remove an unused service on Debian/Ubuntu:

To remove an unused service on Red Hat/CentOS:

Running a web server that hosts your main applications carries a great responsibility, and the same applies if a website or other services are hosted on that server. Therefore, it is necessary to take many security measures to protect the server from intruders. Some of these security policies are difficult to implement and others are very simple. With this in mind, today I will teach you how to secure a web server using Fail2ban.

Fail2ban is an application developed in Python that works as an intrusion prevention system. It watches how many times a client tries to access a service on the server and blocks the IP address from which the suspected attack is coming. For example, many web servers are administered over SSH, so it is one of the most attacked services, and it becomes necessary to protect it further.

In addition, Fail2ban also protects other important services such as FTP, Apache and Courier, among others.

So, let’s install and configure it on Ubuntu 18.04.

1. Upgrade the system

Using Fail2ban is a good way to protect your server, but keeping your system up to date is just as important. So, run:


Now your upgraded system has the security patches properly installed and working.

2. Install Fail2ban on Ubuntu 18.04

The fastest and easiest way to install Fail2ban is to use the official Ubuntu repositories. So it all comes down to this command:

2.- Install Fail2ban

Once the process is finished, check the installed version.

3.- Check the fail2ban version

Finally, start and enable the service to start with the system.

It is also a good idea to check the service status.

4.- Check the service status

So, that’s it. Let’s configure it.

3. Secure a web server with Fail2ban

The configuration of Fail2ban is really simple and can be found in the text file called jail.conf located in /etc/fail2ban.

You can use this file or create a new one.

So, back up the original file.

5.- Making a back up for the configuration file

Next, open the file, delete everything and just add the following:

I’ll explain briefly the components of the file:

  • ignoreip: fail2ban will never ban or block connections from these IP addresses. It is convenient to add your public IP address.
  • bantime: the duration of the ban expressed in seconds. 600 = 10 minutes.
  • maxretry: the maximum permitted attempts.
  • action: what the program will do to secure the web server.

Restart the service:

7.- Restart the service

4. Final configurations

You can also check the Fail2ban log.

8.- Fail2ban log

Now, anybody who fails authentication three times will be banned.

Conclusion

Protecting your server from brute force attacks is possible with Fail2ban. Best of all, it is a very simple process and very useful for everything it can spare us.


Installing fail2ban in Ubuntu is really simple. It’s just an apt-get install command away.

sudo apt-get update

sudo apt-get install fail2ban

As the fail2ban package is not available by default in the CentOS yum repository, the first step is to install the EPEL yum repository, which is quite simple (as shown below).

CentOS 6:

sudo yum install fail2ban

CentOS 7: For CentOS 7 the EPEL repository is different, and can be installed as shown below.

sudo yum install fail2ban

The first step in configuring fail2ban is to copy the example configuration file to another file, so that fail2ban can use it.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The initial section of the configuration file consists of the below settings.

[DEFAULT]

ignoreip = 127.0.0.1/8

bantime = 600

findtime = 600

maxretry = 3

As mentioned earlier, the first setting, ignoreip, lets you define a set of IP addresses or CIDR subnets that won’t be blocked (you can specify multiple addresses and CIDRs separated by spaces).

bantime is the number of seconds that a particular source address will be blocked.

findtime defines the window, in seconds, within which a source address must reach maxretry attempts to be considered for blocking.

In our example configuration above, if a source address fails to authenticate 3 times in 10 minutes, it will be blocked.

destemail = [email protected]

sendername = Fail2Ban

mta = sendmail

The above settings are pretty straightforward as well. As mentioned earlier, you can configure fail2ban to send email alerts on each block. The parameters above define the email settings for sending alerts: destemail defines the target email address the alert is sent to, sendername defines the “From” field of the outgoing alert email, and mta of course defines the mail transfer agent (mail server) used to send it.

Then comes the “action” section. This section defines the kind of action that fail2ban will take on finding an offending ip.

action = %(action_)s

The default action setting above only blocks. You can change it to the following to also send an email report with the blocked source address, along with a whois report for that IP address.

action = %(action_mw)s

Using the following line as the default action instead will additionally include the relevant log lines in the email.

action = %(action_mwl)s

Then come the sections for the different services, such as SSH, FTP, HTTP, mail, etc.

By default only the SSH section is enabled in the fail2ban configuration (shown below):

[ssh]

enabled = true

port = ssh

filter = sshd

logpath = /var/log/auth.log

maxretry = 6

Note the “enabled = true” option. logpath defines the SSH log file that fail2ban monitors to catch malicious login attempts.

You might be wondering how fail2ban detects and identifies failure messages in log files in order to block malicious sources. This is done with regular expressions that fail2ban looks for in the log files; a line that matches is counted as a failure.

For each service there is a set of regular expressions that fail2ban looks for. For example, the log message below from the SSH log indicates a failed login attempt.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=

This line matches the regular expressions defined for SSH in fail2ban’s filter file (/etc/fail2ban/filter.d/sshd.conf). Different regular expressions are defined for different services under the /etc/fail2ban/filter.d directory.
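To make the interplay of the failure regexes, ignoreip, findtime, maxretry and bantime concrete, here is an added Python example that is not code from this page or from the fail2ban project. It replays constructed auth.log-style lines through a simplified model of one jail. The sample log lines, the two regular expressions (simplified from the kind found in sshd.conf, with a Python named group standing in for fail2ban's <HOST>) and the Jail class are assumptions made for this example; the settings mirror the values discussed earlier on this page (ignore 192.168.56.2, ban for 6 hours after 3 failures within 5 minutes).

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of /var/log/auth.log (not real log data).
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 host sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jun  1 10:00:05 host sshd[2001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  1 10:00:09 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun  1 10:00:12 host sshd[2003]: Accepted publickey for alice from 192.168.56.2 port 40000 ssh2
Jun  1 10:00:20 host sshd[2004]: Failed password for alice from 192.168.56.2 port 40001 ssh2
Jun  1 10:00:21 host sshd[2004]: Failed password for alice from 192.168.56.2 port 40001 ssh2
Jun  1 10:00:22 host sshd[2004]: Failed password for alice from 192.168.56.2 port 40001 ssh2
Jun  1 10:30:00 host sshd[2005]: Failed password for root from 198.51.100.9 port 2222 ssh2
Jun  1 10:50:00 host sshd[2006]: Failed password for root from 198.51.100.9 port 2223 ssh2
Jun  1 11:20:00 host sshd[2007]: Failed password for root from 198.51.100.9 port 2224 ssh2
"""

# Syslog-style prefix: month, day, time, hostname, "sshd[pid]: message".
LINE_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Simplified failure patterns of the kind sshd.conf carries (assumed for this example);
# the "host" group plays the role of fail2ban's <HOST> placeholder.
FAILREGEX = [
    re.compile(r"authentication failure;.*rhost=(?P<host>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
]

def parse_ts(text):
    """Parse a year-less syslog time such as 'Jun 1 10:00:01'; only differences matter here."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return parse_ts(f"{m['mon']} {m['day']} {m['time']}"), m["msg"]

def match_failure(msg):
    """Return the offending host if the message matches any failure regex, else None."""
    for rx in FAILREGEX:
        f = rx.search(msg)
        if f:
            return f["host"]
    return None

class Jail:
    """Minimal model of one jail: sliding findtime window, maxretry, bantime and ignoreip."""

    def __init__(self, ignoreip, bantime, findtime, maxretry):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.failures = defaultdict(deque)   # host -> timestamps of recent failures
        self.bans = {}                       # host -> time the ban expires
        self.events = []                     # (host, time the ban was issued)

    def is_ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                   # a hostname never matches an ignoreip network
            return False
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, when):
        return host in self.bans and when < self.bans[host]

    def observe(self, when, host):
        """Record one failure; ban the host once maxretry failures fall inside findtime."""
        if self.is_ignored(host) or self.is_banned(host, when):
            return
        q = self.failures[host]
        q.append(when)
        while (when - q[0]).total_seconds() > self.findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[host] = when + timedelta(seconds=self.bantime)
            self.events.append((host, when))
            q.clear()

def run_jail(log_text, jail):
    """Feed log lines through the jail; return [(host, 'HH:MM:SS')] for each ban issued."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, msg = parsed
        host = match_failure(msg)
        if host:
            jail.observe(when, host)
    return [(host, when.strftime("%H:%M:%S")) for host, when in jail.events]

def banned_at(jail, host, clock):
    """Is host banned at syslog-style time 'Jun 1 15:00:00'? Shows bantime expiry."""
    return jail.is_banned(host, parse_ts(clock))

if __name__ == "__main__":
    jail = Jail("127.0.0.1/8 192.168.56.2", bantime=21600, findtime=300, maxretry=3)
    print(run_jail(SAMPLE_AUTH_LOG, jail))
    print(banned_at(jail, "203.0.113.7", "Jun 1 15:00:00"), banned_at(jail, "203.0.113.7", "Jun 1 16:30:00"))
```

Running it bans 203.0.113.7 at 10:00:09 (three failures in eight seconds), leaves 192.168.56.2 alone because it is in ignoreip even though it also fails three times, and never bans 198.51.100.9 because its three failures are spread over fifty minutes and so never share one 300-second window; the ban on 203.0.113.7 lapses six hours later.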

You can configure pretty much any standard service, such as Apache or Nginx, to be monitored by fail2ban.

Once you have updated the required service specific section in fail2ban configuration, you can simply restart the service for changes to take effect.

Make sure that every service you have enabled in jail.local has its log file present; otherwise fail2ban throws an error like the one below during restart.

* Restarting authentication failure monitor fail2ban ERROR No file(s) found for glob /var/log/apache*/*error.log

ERROR Failed during configuration: Have not found any log file for apache jail [fail]

You can restart fail2ban as shown below.

Centos 6:

service fail2ban restart

Centos 7:

systemctl restart fail2ban.service

Ubuntu:

service fail2ban restart

Once restarted, you should see some new iptables chains, as shown below (list them with the iptables -L command).

Chain fail2ban-apache (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere

Chain fail2ban-nginx-http-auth (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere

If you want to test this, you can deliberately enter a wrong password when authenticating to this server’s SSH service. Once you exceed the 3 attempts we defined in jail.local, that source address is blocked and you will see an iptables rule that looks like the one below.

REJECT all -- 222.186.21.234 anywhere reject-with icmp-port-unreachable

The above rule will be inside the fail2ban-ssh iptables chain. Hope this article was helpful in understanding fail2ban and getting it configured in Linux.

Written by Guillermo Garron
Date: 2011-05-29 10:36:30 00:00

DOS attack

Denial of service attacks are meant to load a server to a level where it can’t serve its intended users. Here we will see a method to help avoid that.

Install fail2ban

You can install it using your distribution’s package manager. In the case of Debian or Ubuntu, run:

as root, or with sudo in Ubuntu’s case.

And so on, depending on the distribution you are using. Now, to configure it, consider that there are two main configuration files:

  • /etc/fail2ban/fail2ban.conf
  • /etc/fail2ban/jail.conf

I’m going to copy this from another article here on Go2linux.

enabled

Defines whether or not a given section is enabled; its possible values are:

  • false
  • true

filter

This is not used in the default section; it tells fail2ban what to look for in the log file. Its values could be, among others:

  • sshd
  • proftpd
  • httpd

Basically, it is how the service is identified in the log file being parsed.

action

This option tells fail2ban what action to take once a rule is broken. A default action can be specified in the default section and overridden in each jail section where you need to change the default value.

logpath

With this option we pass the file to be parsed. Take into account that different distributions use different log files; for instance, for SSH:

  • Fedora -> /var/log/secure
  • CentOS -> /var/log/secure
  • Debian -> /var/log/auth
  • Ubuntu -> /var/log/auth
  • Sabayon -> /var/log/messages

If you put a wrong value here, it will not work and will give you no errors.

ignoreip

This option is used to set one or more IPs that should never be blocked, no matter how many times users fail to log in from those IPs. Use this with care.

maxretry

This option sets the number of retries a user has before being blocked.

bantime

This option sets the time (in seconds) an IP will be banned. A good value could be 5 minutes, i.e. 300 seconds; this keeps bots away while still letting legitimate users try again after the ban time ends.

destemail

Use this option to set the email address of the person who should receive alerts when an IP is banned.

banaction

Use this option to specify which action will be taken in order to ban an offending IP, e.g.:

  • iptables — To use Iptables in order to ban the offending IP
  • iptables-new — To ban only new connections
  • iptables-multiport — To ban all ports from the offending IP
  • shorewall — To use Shorewall instead of Iptables

Protocol

Set here the default protocol to ban, TCP or UDP. You can read more at: How to configure fail2ban

How to use fail2ban to protect Apache / Nginx / Varnish / Squid / lighttpd

As you can see, this method will work for any server you have in front of your real web server, or for the actual web server itself; in practice it mainly protects port 80.

Consider that you will have to adjust the path to your web server, I’ll use varnish in my case.

Edit your /etc/fail2ban/jail.conf file and add this section:

Now we need to create the filter. To do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below into it:

Be sure to adjust maxretry and findtime to values that fit your needs.

  • maxretry is the maximum number of tries before the originating IP gets blocked.
  • findtime is the time window (in seconds) in which the maxretry tries must occur for the IP to get blocked.

As you can see in my example, I have set maxretry to 300 and findtime to 300, so 300 GETs from the same IP within a window of 300 seconds are needed for the originating IP to be blocked.

Consider that you will have one GET for each CSS, JS, HTML, ICO and other file that is part of your web page, so if a page has 20 components, a client needs to load only 15 pages in 5 minutes to get blocked. Be sure to adjust those values to fit your needs.
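As an added example (not the article's filter, whose text is not reproduced on this page, and not fail2ban's own code), the following Python script shows how a fail2ban-style [Definition] block with a <HOST> placeholder is turned into a regular expression and applied to constructed combined-format access log lines, and how maxretry and findtime together decide which source addresses exceed the GET rate. The filter text, the log lines and the <HOST> expansion (a deliberate simplification of fail2ban's real address pattern) are assumptions; page_loads_to_ban reproduces the 300 GETs / 20 components = 15 page loads arithmetic above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical filter in the style of /etc/fail2ban/filter.d/http-get-dos.conf (assumed, not the article's file).
FILTER_TEXT = """\
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
"""

# Constructed combined-format access log lines (Apache/Varnish style), not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Jun/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:02 +0000] "GET /app.js HTTP/1.1" 200 900 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:03 +0000] "GET /logo.png HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 200 128 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:05 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jun/2020:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - - [01/Jun/2020:10:00:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jun/2020:10:20:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jun/2020:10:40:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8::1 - - [01/Jun/2020:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")   # the [dd/Mon/yyyy:HH:MM:SS +zzzz] field

def load_filter(text):
    """Parse a minimal [Definition] block into (failregex list, ignoreregex list).
    fail2ban substitutes <HOST> with a pattern for the source address; this simplified
    version accepts any run of non-space characters (IPv4, IPv6 or hostname)."""
    fail, ignore = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not value:                        # an empty ignoreregex ignores nothing
            continue
        rx = re.compile(value.replace("<HOST>", r"(?P<host>\S+)"))
        (fail if key == "failregex" else ignore).append(rx)
    return fail, ignore

def matches(lines, fail, ignore):
    """Yield (timestamp, host) for each line matching a failregex and no ignoreregex."""
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue
        for rx in fail:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(TS_RE.search(line)["ts"], "%d/%b/%Y:%H:%M:%S %z")
                yield ts, m["host"]
                break

def offenders(log_text, filter_text, maxretry, findtime):
    """Return {host: peak} for hosts with at least maxretry matches inside one findtime window."""
    fail, ignore = load_filter(filter_text)
    per_host = defaultdict(list)
    for ts, host in matches(log_text.splitlines(), fail, ignore):
        per_host[host].append(ts)
    result = {}
    for host, stamps in per_host.items():
        stamps.sort()
        peak, lo = 0, 0
        for hi, ts in enumerate(stamps):    # two-pointer scan: widest window ending at each hit
            while (ts - stamps[lo]).total_seconds() > findtime:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= maxretry:
            result[host] = peak
    return result

def page_loads_to_ban(maxretry, assets_per_page):
    """Full page loads (each fetching assets_per_page objects) needed to reach maxretry."""
    return -(-maxretry // assets_per_page)  # ceiling division

if __name__ == "__main__":
    print(offenders(SAMPLE_ACCESS_LOG, FILTER_TEXT, maxretry=5, findtime=300))
    print(page_loads_to_ban(300, 20))
```

With the thresholds scaled down to 5 hits in 300 seconds so the sample stays short, only 203.0.113.7 is reported (six GETs in seven seconds; the HEAD request does not match the filter), while 198.51.100.9, whose three requests are twenty minutes apart, and the single IPv6 POST stay under the limit. With the article's 300/300 values nothing in the sample would be banned, which is the point of choosing those values: a real browser fetching a 20-component page reaches 300 GETs after 15 page loads.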

Conclusion

DoS is a common way of attacking web servers. There are many ways to protect your server against it, and this is only one of them. Be sure to check the /var/log/fail2ban.log file to confirm everything is working, and also run iptables -L from time to time to see which IPs are blocked.

One last note, I’m using varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid command to have varnish logs available for this.


In this article, you will learn how to install Fail2Ban on CentOS 7 – one of the most effective ways to ensure the safety of your server.

A server is never completely safe from online attacks, no matter how secure it is by default. Therefore, it is important to improve security by providing it with additional protection. That’s exactly what you can do with Fail2Ban on your VPS.

What Exactly is Fail2Ban?

Fail2Ban is software that protects Linux-based web servers from brute-force, dictionary, DDoS, and DoS attacks. It provides arguably the best security measures for CentOS servers.

Fail2Ban works by monitoring system logs and banning potential attackers based on multiple unsuccessful login attempts. Once unwanted access is identified, Fail2Ban will directly use iptables and firewalld to block their IP addresses.

The installation requires you to have root access to the server through an SSH client like PuTTY (Windows) or the terminal shell (macOS and Linux). If you own Hostinger’s VPS hosting, you can find your login details in the Servers tab of the hPanel.

Is everything ready? Let’s install Fail2Ban on CentOS 7.

How to Install Fail2Ban on CentOS 7?

There are three steps for installing Fail2Ban on CentOS 7 – installing the EPEL repository, copying configuration files, and configuring Fail2Ban.

1. Install the EPEL Repository

First, you have to download the EPEL (Extra Packages for Enterprise Linux) repository which has Fail2Ban for CentOS 7 included. Run the following command:

Once that is done, you can install Fail2Ban:

Next, don’t forget to enable and start the service by typing these commands:

2. Copy the Configuration Files

Fail2Ban on CentOS 7 will store its configuration file in /etc/fail2ban/jail.conf. However, package upgrades can delete it. That’s why we highly suggest that you move the content to a local config file called jail.local. To do this, we’ll use the cp command:

Now you can make changes to Fail2Ban’s configuration. Any value you define in jail.local will override what is already in jail.conf.

3. Configure Fail2Ban

It is time to configure the local config file using the nano text editor:

Inside it, you will find the DEFAULT section. It contains global settings that will be applied throughout the Fail2Ban service:


Here’s a short summary of each option.

  • ignoreip – Fail2Ban will not ban any IP address, CIDR mask, or DNS host that you list here. You can write more than one entry by separating them with a space.
  • bantime – how many seconds you want a host to be banned from accessing your server.
  • findtime – the time window in which failures are counted. If a host fails to log in several times (as defined by maxretry) during this period, it will be banned.
  • maxretry – the maximum number of failed attempts a host may make before it is banned.

You can change the values based on your needs. Once the modifications are made, save the configuration file with the CTRL+X shortcut.

You have to restart Fail2Ban for the change to take effect:

Great! Now your Fail2Ban is up and running on your CentOS 7 server. We have got a few tips for you when using this service.

To monitor the status of Fail2Ban jails, you can use this command:

You can simply unban an IP address by entering the following line:

Remember to replace the information inside the brackets with your own.

Conclusion

Fail2Ban improves your CentOS 7 server’s security. It helps ban unwanted hosts that are trying to gain access to your server. What’s great is that it’s easy to install and configure.

We showed you how to install Fail2Ban on CentOS 7. Let’s take a look at the steps once again:

  • Install the EPEL repository and Fail2Ban. Then, activate the service.
  • Copy the content from the original configuration files to a local config file called jail.local.
  • Configure Fail2Ban by modifying the values of ignoreip, bantime, findtime, and maxretry.

That’s it! If you have any questions, feel free to comment down below.

The Author


Edgaras is a veteran server administrator at Hostinger. He makes sure that every server runs at full throttle and has all the latest technological advancements. When he’s not working, Edgaras enjoys skiing and exploring the world.