VCP Blog

Information Technology

How To Protect SSH with Fail2Ban on RHEL 7

Leave a comment

Overview

In this guide we will install fail2ban on a Linux based operating system. Installing and configuring fail2ban is important when your system is accessible from public network.

One of the vulnerable ports or service is “ssh” which grants access to the system, even though if the system is configured to grant access only for authorized users with sshd enabled.

This issue can be mitigated with “Fail2Ban”, wherein automatic rule will be created to block access of unsuccessful login attempts with a specific time frame.

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When an attempted compromise is located, using the defined parameters.

Fail2ban will add a new rule to iptables, thus blocking the IP address of the attacker, either for a set / configured amount of time or permanently.

Fail2ban can also alert you through email that an attack is occurring.

Fail2ban is primarily focused on SSH attacks, although it can be further configured to work for any service that uses log files and can be subject to a compromise.

Applies To

  • RHEL 7

Pre-Requisites

  • Python 2.6 or higher
  • epel-release repository is installed on the server.
  • To install, run the command; yum install epel-release -y

Package Install – Fail2Ban

After installing “epel-release” repository package; install fail2ban-firewalld package, run the command;

yum install fail2ban-firewalld -y

Verify Package Install – Fail2Ban

In order to verify if the package has been installed, you can run the below command; alternatively, you can verify using the command “yum history”.

rpm -qai fail2ban* | grep -E “Name|\ Install Date”

Fail2Ban – Configuration

Before we start the service starting let us look into the configuration files and its purpose.

Jail – Configuration Files Types

fail2ban has 4 configuration file types; that is responsible stored in “/etc/fail2ban/” folder. Listed below are the configuration files and its purpose.

Configuration Files

Purpose

fail2ban.conf Fail2Ban global configuration (such as logging)
filter.d/*.conf Filters specifying how to detect authentication failures
action.d/*.conf Actions defining the commands for banning and unbanning of IP address
jail.conf Jails defining combinations of Filters with Actions.

Jail Configuration Files – Parsing Order

fail2ban will parse all the configuration files in the following order; first all *.conf and subsequently *.local will be parsed.

Configuration File / Directory Parsing Order
jail.conf First Parsing File
jail.d/*.conf Files in directory; all files with extension .conf files are parsed in alphabetical order
jail.local Next Parsing File
jail.d/*.local Files in directory; all files with extension .local files are parsed in alphabetical order

jail.conf – Configuration Files

*.conf files are distributed by Fail2Ban by default located under “/etc/fail2ban/” folder. It is recommended that *.conf files should remain unchanged to ease upgrades. If needed, customizations should be provided in *.local files.

jail.local – Configuration Files

In .local files specify only the settings that you intend to change and the rest of the configuration will then come from the corresponding .conf file which is parsed first.

Configure – Enable SSH Port Monitoring

In order to monitor ssh port and ban hosts that fail to authenticate on the server. The configuration below in the file “/etc/fail2ban/jail.local” will ban the IP address for one hour who try to connect on ssh port.

Add the below entry in the fail2ban local configuration into file; vi /etc/fail2ban/jail.local

[DEFAULT]

# Ban hosts for one day:

bantime = 86400

# Monitoring SSH Service

[sshd]

enabled = true

# Ignore IP

ignoreip = 127.0.0.1/8 192.168.1.1/24 192.168.3.1/24 192.168.7.1/24

# Max Retry Times

maxretry = 3

# Find Number of attempts

findtime = 3600

Enable and Start Service – fail2ban

After adding customized configuration the “jail.local” file, enable and start “fail2ban” service, run the command;

systemctl enable fail2ban; systemctl status fail2ban -l

Next step is to start the service, to start run the command;

systemctl start fail2ban; systemctl status fail2ban -l

View Firewall Rules

After starting fail2ban service, a firewall rule will be automatically be added into “Direct interface”;
Direct Interface, which enables directly passing rules to iptables, ip6tables and ebtables.

It is primarily intended for use by applications.

The direct interface is used by adding the –direct option to the firewall-cmd command.

firewall-cmd –direct –get-all-rules

Next, to know the if jail has been configured successfully, run the command;

fail2ban-client status

You can also know the status of IP Addresses that have timed out, with “ipset” – IP sets administration tool, run the command;

ipset list fail2ban-sshd

IP Address Whitelisting

In order to add a IP Address to white-listing, add entry to the “ignoreip” attribute, to add additional new IP Address or CIDR separated by space.

ignoreip = 127.0.0.1/8 192.168.1.1/24

Banning IP Address

In order to add a IP Address to ban list, following attributes can to be customized.

Attribute Purpose
bantime The length of time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent. The default value of 600 is set to ban an IP for a 10-minute duration.
findtime The length of time between login attempts before a ban is set. For example, if Fail2ban is set to ban an IP after five (5) failed log-in attempts, those 5 attempts must occur within the set 10-minute findtime limit. The findtime value should be a set number of seconds.
maxretry How many attempts can be made to access the server from a single IP before a ban is imposed. The default is set to 3.

EMail Alerts

In order to configure email alerts these attributes have to be configured, email notification will sent to destemail (recipient).

Attribute Purpose
destemail The email address where you would like to receive the emails.
sendername The name under which the email shows up.
sender The email address from which Fail2ban will send emails..

fail2ban Client – Command

fail2ban can be managed with command line, “fail2ban-client” command; listed below are the various argument’s and its purpose.

Command Purpose
start Starts the Fail2ban server and jails.
reload Reloads Fail2ban’s configuration files.
reload JAIL NAME Replaces JAIL with the name of a Fail2ban jail; this will reload the jail.
stop Terminates the server.
status Will show the status of the server, and enable jails.
status JAIL NAME Will show the status of the jail, including any currently-banned IPs.

fail2ban Client – Status

To know the current jail status, run the command;

fail2ban-client status

fail2ban Client – Status Jail Name

To know the current jail status of specific jail (name), run the command;

fail2ban-client status sshd

Service Management – fail2ban

By default after installation, fail2ban is not enabled not started automatically, so in the next steps we will enable and start the service and subsequently configure the firewall rules.

Enable Service – fail2ban

To enable daemon and start at OS startup and check the status of the service, run the command;

systemctl enable fail2ban

Start Service – fail2ban

To start the daemon and check the status of the service, run the command;

systemctl start fail2ban

Stop Service – fail2ban

To stop the daemon and check the status of the service, run the command;

systemctl stop fail2ban

Restart Service – fail2ban

To restart the daemon and check the status of the service, run the command;

systemctl restart fail2ban

Slideshare Info

A step by step guide is uploaded to slideshare.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s