Install Fail2ban with Firewalld on Fedora Linux 35

Fail2ban is an intrusion prevention framework that protects servers primarily against brute-force attacks; it can also ban abusive user agents, URL scanners and more. It works by reading the access and error logs of your server or web applications, matching them against filters, and banning the offending source addresses for a set time. Fail2ban is written in Python.

The following tutorial will teach you how to install Fail2ban on Fedora 35 Workstation or Server and some basic setup and tips.

Prerequisites

  • Recommended OS: Fedora Linux 35.
  • User account: A user account with sudo or root access.

Update Operating System

Update your Fedora operating system to make sure all existing packages are up to date:

sudo dnf upgrade --refresh -y

The tutorial will be using the sudo command and assuming you have sudo status.

To verify sudo status on your account:


sudo whoami

Example output showing sudo status:

[joshua@fedora ~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Fedora.

To use the root account, use the following command with the root password to log in.

su

Install Dependency Required

Before you proceed with the installation, run the following command to install or check that the package dnf-plugins-core is installed on your Fedora desktop.

sudo dnf install dnf-plugins-core -y

By default, this should be installed.

The tutorial will utilize the terminal, which can be found in your show applications menu.


Install & Configure Firewalld

By default, Fedora comes with firewalld installed. To verify this, use the following command:

dnf info firewalld


The output should list firewalld as an installed package; Fedora also enables it at boot by default.

To confirm this, use the following systemctl command:

systemctl status firewalld


Another handy trick with firewalld is the firewall-cmd --state command, which tells you whether the daemon is running:

sudo firewall-cmd --state

Example output:

running

If your firewalld is switched off, to start it use the following:

sudo systemctl start firewalld

To re-enable it to start on system boot, use the following:

sudo systemctl enable firewalld

Example output if successful:

Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

If your firewall has been removed, you can re-install firewalld with the following command:


sudo dnf install firewalld

Finally, to verify the current rules before any new ones are added by fail2ban, list the existing ones to get familiar with firewalld:

sudo firewall-cmd --list-all

Install Fail2ban on Fedora

The next part of the tutorial installs fail2ban together with the additional package fail2ban-firewalld, which drops in the configuration that makes Fail2ban ban through firewalld instead of raw iptables.

sudo dnf install fail2ban fail2ban-firewalld


TYPE Y, then press the ENTER KEY to proceed with the installation.

By default, fail2ban is installed but not running. Enable it to start at boot and start it now with the following systemctl command:

sudo systemctl enable fail2ban --now

Verify the status with the following command:


sudo systemctl status fail2ban


Lastly, verify the version and build of fail2ban:

fail2ban-client --version

Example output:

Fail2Ban v0.11.2

How to Configure Fail2ban

After completing the installation, the next step is set-up and basic configuration. The files that matter here are the main jail configuration /etc/fail2ban/jail.conf and the drop-in /etc/fail2ban/jail.d/00-firewalld.conf that the fail2ban-firewalld package installs to make firewalld the default ban action. Do not modify these files: they are package-owned and will be replaced when Fail2ban is updated.

So how do you keep your settings across updates? Simple: put them in files ending in .local instead of .conf. Fail2ban reads the .conf files first and the .local files after them, so whatever a .local file sets overrides the packaged defaults.

To do this, use the following commands.


sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Because jail.local is now a full copy of jail.conf, it still selects the IPTABLES ban actions. Fail2ban reads jail.local after the drop-ins in jail.d/, so this copy silently overrides the firewalld defaults that fail2ban-firewalld placed in /etc/fail2ban/jail.d/00-firewalld.conf, and bans would go into iptables chains that firewalld does not manage. To keep things simple, rather than building your rules from scratch, open jail.local, go to the banaction lines (around line 208 in Fail2ban 0.11.2; the exact line varies by version) and replace them:

Open jail.local:

sudo nano /etc/fail2ban/jail.local

Find the old code (IPTABLES):

banaction = iptables-multiport
banaction_allports = iptables-allports

Replace with (FIREWALLD, the same values that 00-firewalld.conf sets):

banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

Next, the tutorial will run over some settings that you can use or modify to your liking. Note that most settings are commented out; the tutorial will uncomment the lines in question or modify the existing ones in the example settings.

Remember, these are optional settings, and you can set whatever you like if you know more about fail2ban and have the confidence.


Ban Time Increment

The first setting you will come across is ban time increments. With this enabled, every time a banned address returns after its ban expires, Fail2ban multiplies the length of the next ban. A short default ban (for example 1 hour) then no longer means you re-ban the same IP every hour: an attacker who comes back five times ends up banned for days.

The increment is off by default. Uncomment bantime.increment together with the multiplier line below; this progression gives a good range of escalating bans for persistent attackers without letting the ban list grow too large from one-off offenders.

bantime.increment = true  ## UNCOMMENT THIS LINE##

# following example can be used for small initial ban time (bantime=60) - it gr>
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1>

bantime.multipliers = 1 5 30 60 300 720 1440 2880  ## UNCOMMENT THIS LINE##

The multipliers are applied to the jail's bantime, so with bantime = 1h this sequence is 1h, 5h, 30h, 60h and so on; set bantime.maxtime if you want to cap the longest ban. You can change these numbers or pick another multiplier formula from the options in the same section of the file.

Whitelist IPs in Fail2ban

Next in the list, we come across the whitelist. Uncomment ignoreip and add any addresses that must never be banned, such as your own workstation or monitoring host, so that a mistyped password of your own cannot lock you out. The 180.53.31.33 below is a placeholder for your address:

ignoreip = 127.0.0.1/8 ::1 180.53.31.33

Separate entries with spaces or commas. CIDR ranges (for example 10.0.0.0/8) and DNS hostnames are accepted as well.

Default Ban Time Set-Up

The defaults are bantime = 10m, findtime = 10m and maxretry = 5: a jail bans an address for 10 minutes once its filter has matched 5 failures from that address within a 10-minute window (the find time). You can set site-wide defaults for all three here.

However, when you get to the jails, it is advised to set per-jail values, since some offences warrant longer bans and fewer retries than others.

E-Mail set up with Fail2ban

You can set an e-mail address for Fail2ban to send reports to. The default action = %(action_)s only bans the offending IP; change it to action = %(action_mw)s to ban and also e-mail you a whois report on the address (or %(action_mwl)s to include the matching log lines as well). The action.d folder contains further e-mail actions, including ones that report to blacklist providers or the attacker's ISP.

Example below:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = admin@example.com

# Sender e-mail address used solely for some actions
sender = fail2ban@example.com

Note, by default Fail2ban sends these notifications through the sendmail MTA. If your system delivers through the mail command instead, change the mta setting:

Change from:

mta = sendmail

Change to:

mta = mail

Fail2ban Jails

Next, we come to jails. Fail2ban ships pre-defined jails, with filters and actions created by the community, covering many popular server applications. You can write custom jails or find external ones on various gists and community websites; here we will set up the jails that come with the Fail2ban package.

Every jail in jail.conf is defined like the example below. Notice that nothing is enabled: a jail only runs once it has enabled = true.

Example below:

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

So, if you run an Apache 2 HTTP server and want to filter and ban bad bots, all you need to do is add enabled = true, as in the example below.

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Notice how maxretry equals 1 and bantime is 48h. These are per-jail values that override the defaults, and the ban length still grows with the ban multipliers set up earlier. Jails that do not set their own values inherit the defaults; if you want a different threshold for such a jail, add bantime and maxretry lines to it. For example, apache-noscript starts out as:

[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s

Add the per-jail values you want, for example a 1-day ban after 3 attempts:


[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
bantime = 1d
maxretry = 3

If you want different actions from the defaults in /etc/fail2ban/jail.local, the available ones are in the action.d directory. Each action is a .conf file there and is referenced by its file name without the extension; read the comments at the top of the file for the parameters it needs, and put any customisation in a matching .local file alongside it rather than editing the .conf. To run several actions for one jail, list them on separate indented lines under action =:

[apache-botsearch]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
action   = %(action_mw)s
           cloudflare
bantime = 72h
maxretry = 1

As above, the example uses action_mw, which bans the address with our default ban action and e-mails us a whois report, followed by the cloudflare action, which also bans the IP address at Cloudflare if you use their service.

Remember, Cloudflare needs setting up before use: the action requires your Cloudflare account e-mail and API token (its cfuser and cftoken parameters). Read the action.d file cloudflare.conf.

Once you are happy with your set-up, do the following command to restart fail2ban to load your new jails.

sudo systemctl restart fail2ban
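Putting the settings from this section together, here is a complete jail.local as an added example; it is not from the original page, and the addresses, e-mail addresses and thresholds are placeholders to replace with your own. It is written as a short file that only overrides what it needs, an alternative to editing a full copy of jail.conf. The two banaction lines repeat what jail.d/00-firewalld.conf already sets, so they could be omitted; they are kept so the file documents the firewalld choice on its own.

```ini
# /etc/fail2ban/jail.local -- added example, not from the original page.
# Addresses, e-mail addresses and thresholds are placeholders; adjust to your site.
[DEFAULT]
# Ban through firewalld rather than raw iptables. These repeat what
# /etc/fail2ban/jail.d/00-firewalld.conf sets, so the choice is explicit here.
banaction          = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

# Never ban loopback or the admin's own hosts (documentation addresses shown).
ignoreip = 127.0.0.1/8 ::1 203.0.113.10 198.51.100.0/24

# Site-wide thresholds: 5 failures within 10 minutes earns a 1 hour ban.
bantime  = 1h
findtime = 10m
maxretry = 5

# Repeat offenders: the multipliers scale bantime (1h, 5h, 30h, 60h, ...),
# capped at one week. Without bantime.increment the multipliers do nothing.
bantime.increment   = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.maxtime     = 1w

# Notifications: ban, then e-mail a whois report on the offender (action_mw).
destemail = admin@example.com
sender    = fail2ban@example.com
mta       = sendmail
action    = %(action_mw)s

# SSH: stricter than the defaults; this jail also serves as the ban test later.
[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 3
bantime  = 1d

# Apache: one bad-bot request is enough; probes for non-existent scripts get 3 tries.
[apache-badbots]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
bantime  = 48h

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 3
bantime  = 1d
```

Validate the file with sudo fail2ban-client -t before restarting, then sudo systemctl restart fail2ban and sudo fail2ban-client status to confirm the three jails are running. On a remote host, add the address you are connecting from to ignoreip before enabling the sshd jail.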

Examples of using Fail2ban-client

Now that you are up and running with Fail2ban, you need to know some basic operating commands. We do this by using the fail2ban-client command. You may need to have sudo privileges, depending on your setup.

Ban an IP address:


sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

To bring up the help menu and find additional commands or details on a particular one:

sudo fail2ban-client -h

Checking Firewalld and Fail2ban

With the firewalld ban action in place, every IP that Fail2ban bans should appear as a firewalld rich rule. To confirm this really happens, run a quick test: in jail.local, set enabled = true in the [sshd] jail (even if you do not otherwise use it; it is only for the test), restart Fail2ban, then ban a test address by hand. Pick an address you will never connect from, and unban it afterwards with the unbanip command shown earlier:

sudo fail2ban-client set sshd banip 192.155.1.7

Now list the firewalld rich rules:

sudo firewall-cmd --list-rich-rules

Example output:


rule family="ipv4" source address="192.155.1.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

The reject rule for the test address shows that Fail2ban and firewalld are wired together correctly. If the list stays empty after a ban, recheck the banaction lines in jail.local.
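A script that makes this check repeatable, added here as an example (it is not part of the original page or of Fail2ban). The text helpers parse the output of firewall-cmd --list-rich-rules, so they can be exercised on the constructed sample at the bottom, which mimics the rules the firewallcmd-rich-rules action writes for an ssh ban and an http,https ban; live_check runs the real ban, check and unban for a jail you name and needs root plus a running fail2ban and firewalld.

```shell
#!/bin/sh
# Added example: confirm that a fail2ban ban really became a firewalld rule.
# The text helpers are pure and run without root on the constructed sample;
# live_check needs root, fail2ban and firewalld.
# Usage: ./check-ban.sh --live 192.0.2.10 sshd

# is_blocked RULES IP [PORT]
# Succeeds if RULES (the output of `firewall-cmd --list-rich-rules`) holds a
# reject rule for source address IP, optionally restricted to PORT.
is_blocked() {
    rules=$1; ip=$2; port=${3:-}
    # The closing quote keeps 192.155.1.7 from matching 192.155.1.70.
    matches=$(printf '%s\n' "$rules" | grep -F "source address=\"$ip\"" | grep 'reject' || true)
    if [ -n "$port" ]; then
        printf '%s\n' "$matches" | grep -q -F "port port=\"$port\""
    else
        [ -n "$matches" ]
    fi
}

# blocked_ips RULES: every distinct source address that has a reject rule.
blocked_ips() {
    printf '%s\n' "$1" | grep 'reject' |
        sed -n 's/.*source address="\([^"]*\)".*/\1/p' | sort -u
}

# live_check IP [JAIL]: ban IP through fail2ban, verify firewalld picked it
# up, then unban it again so the test leaves no rule behind.
live_check() {
    ip=$1; jail=${2:-sshd}
    sudo fail2ban-client set "$jail" banip "$ip" >/dev/null
    rules=$(sudo firewall-cmd --list-rich-rules)
    if is_blocked "$rules" "$ip"; then
        echo "OK: firewalld rejects $ip (jail $jail)"; rc=0
    else
        echo "FAIL: no firewalld reject rule for $ip; check banaction in jail.local"; rc=1
    fi
    sudo fail2ban-client set "$jail" unbanip "$ip" >/dev/null
    return $rc
}

# Constructed sample of `firewall-cmd --list-rich-rules` after an sshd ban of
# 192.155.1.7 and an apache (http,https) ban of 198.51.100.23; the last line
# is an unrelated accept rule that must not be reported as a ban.
SAMPLE_RULES='rule family="ipv4" source address="192.155.1.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.23" port port="http" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.23" port port="https" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="203.0.113.5" accept'

if [ "${1:-}" = "--live" ]; then
    live_check "$2" "${3:-sshd}"
fi
```

The multiport action writes one rich rule per port in the jail's port list, which is why the http,https ban appears twice in the sample and why is_blocked accepts an optional port to check the right one.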

How to Monitor Fail2ban Logs

A common mistake is setting up jails and walking away without testing or monitoring them. Reviewing the logs is essential; Fail2ban writes its own log to /var/log/fail2ban.log by default.

If you have a server receiving decent traffic, a good way to watch it live while you work elsewhere is the tail -f command below:

tail -f /var/log/fail2ban.log

This is handy for spot-checking without diving into the full log.

Another option is to print the last N lines first. For example, the -n 30 flag prints the last 30 lines and then keeps following the file:

tail -n 30 -f /var/log/fail2ban.log

These are just some ways of reading the logs; grep is also helpful, for example to pull out only the Ban and Unban lines.
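As an added example (not from the original page), the following shell function summarises a fail2ban.log with awk: bans and unbans per jail, plus addresses banned more than once, which is exactly the repeat traffic the ban-time increment is meant to handle. Restore Ban entries, written when Fail2ban re-applies existing bans after a restart, are skipped so they do not count as new offences. The lines embedded in SAMPLE_LOG are constructed in the format Fail2ban 0.11 writes, using documentation addresses.

```shell
#!/bin/sh
# Added example: summarise /var/log/fail2ban.log with awk.
# Usage: ./f2b-summary.sh --live [/path/to/fail2ban.log]   (default /var/log/fail2ban.log)

# summarize_bans: reads fail2ban log lines on stdin and prints, sorted,
#   jail=<name> bans=<n> unbans=<n>   one line per jail that banned something
#   repeat=<ip> count=<n>             addresses banned more than once
# "Restore Ban" lines (bans re-applied after a restart) are not counted.
summarize_bans() {
    awk '
    {
        jail = ""; event = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            # the jail name is the bracketed token without a trailing colon, e.g. [sshd]
            if ($i ~ /^\[[A-Za-z0-9_.-]+\]$/) jail = substr($i, 2, length($i) - 2)
            if ($i == "Ban" && $(i - 1) != "Restore") { event = "ban"; ip = $(i + 1) }
            if ($i == "Unban") { event = "unban"; ip = $(i + 1) }
        }
        if (event == "ban")   { bans[jail]++; per_ip[ip]++ }
        if (event == "unban") { unbans[jail]++ }
    }
    END {
        for (j in bans) printf "jail=%s bans=%d unbans=%d\n", j, bans[j], unbans[j] + 0
        for (a in per_ip) if (per_ip[a] > 1) printf "repeat=%s count=%d\n", a, per_ip[a]
    }' | sort
}

# Constructed sample in the fail2ban 0.11 log format: one address banned twice
# by sshd (once unbanned in between, once restored after a restart), one
# bad-bot ban, one whitelisted address ignored.
SAMPLE_LOG='2021-11-20 10:15:01,123 fail2ban.filter         [1234]: INFO    [sshd] Found 198.51.100.23 - 2021-11-20 10:15:01
2021-11-20 10:15:09,456 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.23
2021-11-20 10:25:09,789 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 198.51.100.23
2021-11-20 11:02:33,010 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.23
2021-11-20 11:40:00,020 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 203.0.113.77
2021-11-20 11:41:00,030 fail2ban.filter         [1234]: WARNING [sshd] Ignore 203.0.113.10 by ip
2021-11-20 12:00:00,040 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 198.51.100.23'

if [ "${1:-}" = "--live" ]; then
    summarize_bans < "${2:-/var/log/fail2ban.log}"
fi
```

On the sample this prints jail=apache-badbots bans=1 unbans=0, jail=sshd bans=2 unbans=1 and repeat=198.51.100.23 count=2; a long repeat list on a real host is the signal to enable or tighten bantime.increment.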


How to Remove (Uninstall) Fail2ban

If you no longer require Fail2ban, to remove it from your system, use the following command:

sudo dnf autoremove fail2ban fail2ban-firewalld

Note, this also removes the unused dependencies that were installed with Fail2ban. Files you created under /etc/fail2ban, such as jail.local, are not owned by the packages and stay on disk; delete them by hand if you want a clean slate.

Comments and Conclusion

The tutorial has shown you the basics of installing Fail2ban on the Fedora 35 system and setting up some jails with the filters available.

Overall, Fail2ban is a potent tool when configured and maintained correctly, and you can set it up in many different ways from what the tutorial has shown. All servers or desktops require different settings and configurations. Fail2ban is actively developed and is a solid choice to deploy on your server in these times where attacks are becoming so frequent.

For further information, visit the Fail2ban official documentation.

