Fail2Ban is a widely-used, open-source intrusion prevention software that helps protect Linux servers from various attacks, including brute-force login attempts, DDoS attacks, and malicious bots. Fail2Ban operates by scanning log files for suspicious activity, such as multiple failed login attempts, and subsequently banning the associated IP addresses for a specified duration. By utilizing Fail2Ban, server administrators can significantly enhance the security of their Fedora Linux servers.
Some key benefits of using Fail2Ban on Fedora servers include the following:
- Automated IP banning: Fail2Ban automatically bans IP addresses after detecting a predefined number of failed login attempts, effectively mitigating the risk of brute-force attacks.
- Customizable ban duration: Administrators can configure the length of time an IP address remains banned, allowing for a tailored approach to server security.
- Extensive service support: Fail2Ban works with various services, such as SSH, Apache, Nginx, and Dovecot, providing comprehensive protection across multiple applications.
- Adaptable configuration: Fail2Ban offers a highly flexible configuration system, enabling users to create custom filters and define unique security rules for each service.
- Integration with Firewalld: Fail2Ban seamlessly integrates with the Firewalld firewall management tool, offering enhanced security and simplified configuration on Fedora systems.
Implementing Fail2Ban on your Fedora Linux server can significantly bolster its security, safeguarding your system and data from unauthorized access and malicious activity. The following guide will demonstrate how to install Fail2Ban on Fedora Linux using the command line terminal, along with example tips on configuration with Firewalld, custom filters, and Fail2Ban jails.
Table of Contents
Prerequisites
Before you begin, ensure that you have the following:
- A Fedora Linux system with root access.
- A basic understanding of Linux commands and text editors.
Step 1: Install Firewalld
Before installing and configuring Fail2Ban with Firewalld, ensuring your Fedora Linux system is up-to-date is crucial. This helps prevent any conflicts or issues during the setup process.
Update your system
To update your system’s package list, open a terminal and execute the following command:
sudo dnf upgrade --refresh
The command above updates your system packages. Remember to reboot your system if there’s a significant update, such as a Linux kernel upgrade.
Install Firewalld
With your system updated, proceed to install Firewalld by running the following command:
sudo dnf install firewalld
Enable and start Firewalld
After installation, enable Firewalld to run at startup and start it immediately with this command:
sudo systemctl enable firewalld --now
Check Firewalld status
To confirm whether Firewalld is running, use the firewall-cmd --state
command:
sudo firewall-cmd --state
List existing Firewalld rules
Lastly, it’s essential to familiarize yourself with Firewalld’s current rules before Fail2Ban adds any new ones. To do this, list the existing rules by running:
sudo firewall-cmd --list-all
Step 2: Install Fail2ban
With Firewalld installed and enabled, the next step is to install Fail2Ban. Fedora users benefit from a simple installation process, as Fail2Ban is available in the main Fedora repository. This ensures that you’re installing the latest version.
Install Fail2Ban and its Firewalld integration
To install Fail2Ban, execute the following command in your terminal:
sudo dnf install fail2ban fail2ban-firewalld
Check Fail2Ban version
After installation, confirm that it was successful by checking the Fail2Ban version:
fail2ban-client --version
Enable and start Fail2Ban service
Now, enable the Fail2Ban service to start immediately and run at startup using the following command:
sudo systemctl enable fail2ban --now
Check Fail2Ban service status
To verify that Fail2Ban is active and running, check its status with this command:
systemctl status fail2ban
Example output:
Step 3: Create a Fail2ban Configuration File
After installing Fail2Ban, it’s essential to set up and configure the software. Fail2Ban includes two configuration files: /etc/fail2ban/jail.conf
and /etc/fail2ban/jail.d/00-firewalld.conf
. To avoid losing your custom settings during updates, create a copy of the configuration file with a .local
extension.
Create a Custom Configuration File
- Copy the
jail.conf
file tojail.local
:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Open
jail.local
:
sudo nano /etc/fail2ban/jail.local
- Locate the following lines and replace them with the corresponding Firewalld settings:
; Old code (IPTABLES)
banaction = iptables-multiport
banaction_allports = iptables-allports
; Replace with (FIREWALLD)
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]
Customize Fail2Ban Settings
In this section, you’ll learn how to modify various settings in Fail2Ban, such as ban time increments, whitelisting IPs, and setting up email notifications.
Ban Time Increment
Enable the bantime.multipliers
setting to increase the ban time every time an attacker returns. Uncomment and customize the line as needed:
bantime.multipliers = 1 5 30 60 300 720 1440 2880
This setting means that the ban time will start at 1 minute for the first offense, then increase to 5 minutes, 30 minutes, and so on, up to 2880 minutes (48 hours) for multiple offenses.
Whitelist IPs
To whitelist specific IP addresses or ranges, uncomment the ignoreip
line and add the IPs, separated by spaces or commas:
ignoreip = 127.0.0.1/8 ::1 180.53.31.33
Default Ban Time Settings
You can set default ban time settings for various jails in the configuration file. However, it’s recommended to customize ban times for each jail individually. For example, you can set different ban times and max retries for Apache:
[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_error_log)s
bantime = 1d
maxretry = 3
Here, the bantime
is set to 1 day and maxretry
is set to 3.
Email Notifications
Configure Fail2Ban to send email notifications by setting the destemail
and sender
options:
destemail = admin@example.com
sender = fail2ban@example.com
By default, Fail2Ban uses the sendmail
MTA for email notifications. You can change this to another mail function if needed.
Additional Jails Configuration
In this section, we’ll provide examples of more customized jails for various services like Nginx, Postfix, and Dovecot.
Nginx Jail
For an Nginx server, you can set up a custom jail to block requests with a non-existent hostname:
[nginx-badhost]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 2h
Postfix Jail
To protect your Postfix mail server, you can create a jail to block IPs sending spam:
[postfix-spam]
enabled = true
port = smtp,ssmtp
logpath = /var/log/mail.log
maxretry = 5
bantime = 1h
Dovecot Jail
For a Dovecot IMAP server, you can create a jail to block IPs attempting unauthorized access:
[dovecot-auth]
enabled = true
port = imap,imaps
logpath = /var/log/dovecot.log
maxretry = 5
bantime = 1h
Restart Fail2Ban
After configuring your jails, restart Fail2Ban to apply the changes:
sudo systemctl restart fail2ban
Custom Filters and Actions
In addition to the built-in filters and actions provided by Fail2Ban, you can create custom filters and actions to suit your specific needs.
Custom Filters
Filters are defined using regular expressions and are stored in the /etc/fail2ban/filter.d
directory. To create a custom filter, create a new file in this directory:
sudo nano /etc/fail2ban/filter.d/mycustomfilter.conf
Add your filter definition to the file:
[Definition]
failregex = ^.*unauthorized access attempt from <HOST>.*$
ignoreregex =
The failregex
line contains the regular expression that matches log entries indicating unauthorized access attempts. Replace this regular expression with the one specific to your use case. The <HOST>
tag is used to extract the IP address from the log entry.
Custom Actions
Actions are stored in the /etc/fail2ban/action.d
directory. To create a custom action, create a new file in this directory:
sudo nano /etc/fail2ban/action.d/mycustomaction.conf
Add your action definition to the file:
[Definition]
actionstart = /usr/local/bin/mycustomaction start <name>
actionstop = /usr/local/bin/mycustomaction stop <name>
actioncheck = /usr/local/bin/mycustomaction status <name>
actionban = /usr/local/bin/mycustomaction ban <ip>
actionunban = /usr/local/bin/mycustomaction unban <ip>
Replace /usr/local/bin/mycustomaction
with the path to your custom action script. The <name>
, <ip>
and other parameters will be automatically replaced by Fail2Ban when the action is executed.
Putting It All Together
Once you have created your custom filters and actions, you can apply them in your jail configuration:
[mycustomjail]
enabled = true
port = 8080
logpath = /var/log/mycustomservice.log
filter = mycustomfilter
action = mycustomaction
maxretry = 3
bantime = 1h
This jail configuration will use the custom filter and action you created earlier, monitoring the /var/log/mycustomservice.log
log file, and banning IPs for 1 hour after 3 failed attempts.
Don’t forget to restart Fail2Ban after making changes to your configuration:
sudo systemctl restart fail2ban
Step 4: Using Fail2ban-Client for Ban and Unban Operations
The fail2ban-client
command is a useful tool for managing your Fail2Ban configuration and interacting with your jails. Some common tasks include banning and unbanning IP addresses manually.
Ban an IP address
To ban an IP address in a specific jail, use the following command:
sudo fail2ban-client set <jail-name> banip <ip-addresss>
Replace <jail-name>
with the name of the jail you want to apply the ban, and <ip-address>
with the IP address you want to ban. For example:
sudo fail2ban-client set apache-badbots banip 192.168.1.1
This command bans the IP address 192.168.1.1
in the apache-badbots
jail.
Unban an IP address
To unban an IP address in a specific jail, use the following command:
sudo fail2ban-client set <jail-name> unbanip <ip-address>
Replace <jail-name>
with the name of the jail you want to remove the ban, and <ip-address>
with the IP address you want to unban. For example:
sudo fail2ban-client set apache-badbots unbanip 192.168.1.1
This command unbans the IP address 192.168.1.1
in the apache-badbots
jail.
Display the list of banned IP addresses
To display the list of banned IP addresses for a specific jail, use the following command:
sudo fail2ban-client status <jail-name>
Replace <jail-name>
with the name of the jail you want to check. For example:
sudo fail2ban-client status apache-badbots
This command displays the status of the apache-badbots
jail, including the list of currently banned IP addresses.
Help and documentation
For additional help or information on using the fail2ban-client
command, use the -h
flag:
sudo fail2ban-client -h
This command displays a help menu with a list of available options and commands.
By using the fail2ban-client
command, you can easily manage your jails, ban and unban IP addresses, and monitor the status of your Fail2Ban configuration.
Step 5: Verifying Firewalld and Fail2ban Integration
To ensure that Firewalld and Fail2ban are working correctly together, you can perform a simple test. By default, Firewalld should automatically ban any IP that Fail2ban identifies as malicious.
Enabling the SSHD jail for testing
Even if you are not using the SSHD jail, you can enable it temporarily to test the integration between Fail2ban and Firewalld. To do this, open the Fail2ban jail configuration file:
sudo nano /etc/fail2ban/jail.local
Find the [sshd]
section and set enabled
to true
:
[sshd]
enabled = true
Save the file and exit the editor. Then, restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
Testing the ban functionality
Now, use the fail2ban-client
command to ban an IP address in the SSHD jail manually:
sudo fail2ban-client set sshd banip 192.155.1.7
Next, use the firewall-cmd
command to list the rich rules in Firewalld:
firewall-cmd --list-rich-rules
The example output should look like this:
rule family="ipv4" source address="192.155.1.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
As you can see, Fail2ban and Firewalld are working correctly together, as the IP address has been banned in both systems.
Reverting the changes
After confirming the integration, don’t forget to disable the SSHD jail if you don’t need it. Open the Fail2ban jail configuration file again:
sudo nano /etc/fail2ban/jail.local
Find the [sshd]
section and set enabled
back to false
:
[sshd]
enabled = false
Save the file, exit the editor, and restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
Step 6: Monitor Fail2Ban Logs
Regularly check Fail2Ban logs to ensure that your jails are functioning correctly. The default log file is located at /var/log/fail2ban.log
.
Watching the log file in real-time
To watch the log file in real-time, use the tail -f
command:
tail -f /var/log/fail2ban.log
Displaying a specific number of lines from the log file
To print the last X number of lines from the log file, use the -n
flag:
tail -f /var/log/fail2ban.log -n 30
This command will display the last 30 lines of the log file. Replace 30
with the desired number of lines.
Searching the log file for specific keywords or IP addresses
You can also use grep
to search the log file for specific keywords or IP addresses:
grep '192.168.1.1' /var/log/fail2ban.log
This command will display log entries containing the IP address 192.168.1.1
.
Additional Tips
How to Remove (Uninstall) Fail2ban on Fedora
If you no longer require Fail2Ban, to remove it from your system, use the following command:
sudo dnf autoremove fail2ban fail2ban-firewalld
Note, this will also remove all the unused dependencies installed with Fail2Ban.
Conclusion
By following these steps, you have successfully installed and configured Fail2Ban with Firewalld on your Fedora Linux system. Your server is now better protected against brute-force attacks and unauthorized access.
Additional Resources and Relevant Links
To further enhance your knowledge of Fail2Ban, Firewalld, and Fedora Linux security, check out the following resources:
- Official Fail2Ban Documentation: The official Fail2Ban documentation provides comprehensive installation, configuration, and usage information. Fail2Ban Documentation
- Official Firewalld Documentation: The official Firewalld documentation offers detailed guides and examples to help you understand and configure Firewalld. Firewalld Documentation
- Fedora Linux Documentation: The Fedora Linux official documentation is a valuable resource for learning about various aspects of the Fedora Linux operating system. Fedora Linux Documentation
- Fail2Ban and Firewalld on Reddit: The Linux, sysadmin, and cybersecurity communities on Reddit often discuss Fail2Ban and Firewalld, offering valuable insights, tips, and troubleshooting advice. r/linux, r/sysadmin, and r/netsec
- Stack Overflow and Server Fault: Stack Overflow and Server Fault are excellent platforms for asking questions and finding solutions related to Fail2Ban, Firewalld, and Fedora Linux. Stack Overflow, Server Fault
- Fedora Linux Forums: The Fedora Linux forums are a great place to ask questions, share experiences, and learn from fellow Fedora Linux users. Fedora Linux Forums.