How to Install Fail2ban with Firewalld on Fedora 39/38/37 Linux

Fail2Ban is a widely-used, open-source intrusion prevention software that helps protect Linux servers from various attacks, including brute-force login attempts, DDoS attacks, and malicious bots. Fail2Ban operates by scanning log files for suspicious activity, such as multiple failed login attempts, and subsequently banning the associated IP addresses for a specified duration. By utilizing Fail2Ban, server administrators can significantly enhance the security of their Fedora Linux servers.

Some key benefits of using Fail2Ban on Fedora servers include the following:

  • Automated IP banning: Fail2Ban automatically bans IP addresses after detecting a predefined number of failed login attempts, effectively mitigating the risk of brute-force attacks.
  • Customizable ban duration: Administrators can configure the length of time an IP address remains banned, allowing for a tailored approach to server security.
  • Extensive service support: Fail2Ban works with various services, such as SSH, Apache, Nginx, and Dovecot, providing comprehensive protection across multiple applications.
  • Adaptable configuration: Fail2Ban offers a highly flexible configuration system, enabling users to create custom filters and define unique security rules for each service.
  • Integration with Firewalld: Fail2Ban seamlessly integrates with the Firewalld firewall management tool, offering enhanced security and simplified configuration on Fedora systems.

Implementing Fail2Ban on your Fedora Linux server can significantly bolster its security, safeguarding your system and data from unauthorized access and malicious activity. The following guide will demonstrate how to install Fail2Ban on Fedora Linux using the command line terminal, along with example tips on configuration with Firewalld, custom filters, and Fail2Ban jails.

Prerequisites

Before you begin, ensure that you have the following:

  1. A Fedora Linux system with root access.
  2. A basic understanding of Linux commands and text editors.

Step 1: Install Firewalld

Before installing and configuring Fail2Ban with Firewalld, make sure your Fedora Linux system is fully up to date. This avoids package conflicts and other issues during the setup.

Update your system

To refresh the package metadata and upgrade all installed packages, open a terminal and run:

sudo dnf upgrade --refresh

The command above updates your system packages. Remember to reboot your system if there’s a significant update, such as a Linux kernel upgrade.

Install Firewalld

With your system updated, proceed to install Firewalld by running the following command:

sudo dnf install firewalld

Enable and start Firewalld

After installation, enable Firewalld to run at startup and start it immediately with this command:

sudo systemctl enable firewalld --now

Check Firewalld status

To confirm whether Firewalld is running, use the firewall-cmd --state command:

sudo firewall-cmd --state

List existing Firewalld rules

Lastly, it’s essential to familiarize yourself with Firewalld’s current rules before Fail2Ban adds any new ones. To do this, list the existing rules by running:

sudo firewall-cmd --list-all

Step 2: Install Fail2ban

With Firewalld installed and enabled, the next step is to install Fail2Ban. Fedora users benefit from a simple installation process, as Fail2Ban is available in the main Fedora repository. This ensures that you’re installing the latest version.

Install Fail2Ban and its Firewalld integration

To install Fail2Ban, execute the following command in your terminal:

sudo dnf install fail2ban fail2ban-firewalld

Check Fail2Ban version

After installation, confirm that it was successful by checking the Fail2Ban version:

fail2ban-client --version

Enable and start Fail2Ban service

Now, enable the Fail2Ban service to start immediately and run at startup using the following command:

sudo systemctl enable fail2ban --now

Check Fail2Ban service status

To verify that Fail2Ban is active and running, check its status with this command:

systemctl status fail2ban

Step 3: Create a Fail2ban Configuration File

After installing Fail2Ban, you need to configure it. The fail2ban package ships its defaults in /etc/fail2ban/jail.conf, and the fail2ban-firewalld package adds /etc/fail2ban/jail.d/00-firewalld.conf, which switches the default ban action from iptables to Firewalld. Package updates overwrite jail.conf, so keep your own settings in a copy with a .local extension. Note that Fail2Ban reads jail.local after jail.conf and jail.d/*.conf, so any value left in jail.local overrides both; this is why the next step replaces the iptables ban actions in the copy.

Create a Custom Configuration File

  1. Copy jail.conf to jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Open jail.local:
sudo nano /etc/fail2ban/jail.local
  3. In the [DEFAULT] section, locate the following lines and replace them with the Firewalld settings (the same values that fail2ban-firewalld sets in jail.d/00-firewalld.conf); if you leave the iptables values in jail.local, they take precedence and bans will not reach Firewalld:
# Old values (iptables)
banaction = iptables-multiport
banaction_allports = iptables-allports

# Replace with (Firewalld)
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

Customize Fail2Ban Settings

In this section, you’ll learn how to modify various settings in Fail2Ban, such as ban time increments, whitelisting IPs, and setting up email notifications.

Ban Time Increment

Use the bantime.multipliers setting to lengthen the ban each time a banned IP returns. It only takes effect when bantime.increment = true is also uncommented in the same section. Uncomment and customize the multipliers line as needed:

bantime.multipliers = 1 5 30 60 300 720 1440 2880

This setting means that the ban time will start at 1 minute for the first offense, then increase to 5 minutes, 30 minutes, and so on, up to 2880 minutes (48 hours) for multiple offenses.

Whitelist IPs

To whitelist specific IP addresses or ranges, uncomment the ignoreip line and add the IPs, separated by spaces or commas:

ignoreip = 127.0.0.1/8 ::1 180.53.31.33

Default Ban Time Settings

You can set default ban time settings for various jails in the configuration file. However, it’s recommended to customize ban times for each jail individually. For example, you can set different ban times and max retries for Apache:

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
bantime  = 1d
maxretry = 3

Here, the bantime is set to 1 day and maxretry is set to 3.

Email Notifications

Configure Fail2Ban to send email notifications by setting the destemail and sender options:

destemail = admin@example.com
sender = fail2ban@example.com

By default, Fail2Ban sends these notifications through the sendmail MTA; the mta option in jail.local selects a different mail transport if needed.

Additional Jails Configuration

In this section, we’ll provide examples of more customized jails for various services like Nginx, Postfix, and Dovecot.

Nginx Jail

For an Nginx server, you can set up a custom jail to block requests with a non-existent hostname:

[nginx-badhost]
# A jail with no filter line uses filter.d/<jail-name>.conf, so this jail needs a
# matching /etc/fail2ban/filter.d/nginx-badhost.conf (see Custom Filters below)
# or Fail2Ban will refuse to load it.
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 2h

Postfix Jail

To protect your Postfix mail server, you can create a jail to block IPs sending spam:

[postfix-spam]
enabled = true
# Use Fail2Ban's built-in postfix filter; without this line the jail would look
# for filter.d/postfix-spam.conf, which does not exist.
filter = postfix
port = smtp,ssmtp
logpath = /var/log/mail.log
maxretry = 5
bantime = 1h

Dovecot Jail

For a Dovecot IMAP server, you can create a jail to block IPs attempting unauthorized access:

[dovecot-auth]
enabled = true
# Use Fail2Ban's built-in dovecot filter; without this line the jail would look
# for filter.d/dovecot-auth.conf, which does not exist.
filter = dovecot
port = imap,imaps
logpath = /var/log/dovecot.log
maxretry = 5
bantime = 1h

Restart Fail2Ban

After configuring your jails, restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

Custom Filters and Actions

In addition to the built-in filters and actions provided by Fail2Ban, you can create custom filters and actions to suit your specific needs.

Custom Filters

Filters are defined using regular expressions and are stored in the /etc/fail2ban/filter.d directory. To create a custom filter, create a new file in this directory:

sudo nano /etc/fail2ban/filter.d/mycustomfilter.conf

Add your filter definition to the file:

[Definition]
failregex = ^.*unauthorized access attempt from <HOST>.*$
ignoreregex =

The failregex line contains the regular expression that matches log entries indicating unauthorized access attempts. Replace this regular expression with the one specific to your use case. The <HOST> tag is used to extract the IP address from the log entry.
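Before enabling a jail built on a custom filter, test the filter against the real log with fail2ban-regex /var/log/mycustomservice.log /etc/fail2ban/filter.d/mycustomfilter.conf. The following Python script, an added example that is not Fail2Ban's own code, models what that jail then does with the matches: the failregex with its <HOST> placeholder, the maxretry/findtime window, the ignoreip exemption, and the bantime.multipliers progression from the Ban Time Increment section above. The HOST_RE stand-in (IPv4/IPv6 literals only), the ISO-timestamped sample log and the multiplier indexing (the first ban uses the first multiplier, which scales the jail's bantime, 10 minutes here) are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban expands <HOST> into a pattern for IPv4/IPv6 addresses and host names;
# this stand-in (an assumption of the example) matches IPv4/IPv6 literals only.
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"

# The failregex from mycustomfilter.conf above. Fail2Ban strips the timestamp
# before applying failregex; run_jail() does the same with the ISO timestamp.
FAILREGEX = r"^.*unauthorized access attempt from <HOST>.*$"

# Constructed sample of what /var/log/mycustomservice.log might contain.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 unauthorized access attempt from 203.0.113.5",
    "2024-05-01T10:00:30 unauthorized access attempt from 203.0.113.5",
    "2024-05-01T10:01:00 unauthorized access attempt from 203.0.113.5",  # 3rd in 10 min: first ban
    "2024-05-01T10:02:00 unauthorized access attempt from 127.0.0.1",    # in ignoreip: never banned
    "2024-05-01T10:03:00 unauthorized access attempt from 198.51.100.7",
    "2024-05-01T10:30:00 unauthorized access attempt from 198.51.100.7",  # >10 min later: window restarts
    "2024-05-01T10:31:00 unauthorized access attempt from 198.51.100.7",  # only 2 in window: no ban
    "2024-05-01T10:40:00 scheduled job completed",                        # no match: ignored
    "2024-05-01T11:00:00 unauthorized access attempt from 203.0.113.5",
    "2024-05-01T11:00:10 unauthorized access attempt from 203.0.113.5",
    "2024-05-01T11:00:20 unauthorized access attempt from 203.0.113.5",  # second ban: 5 x bantime
]


def compile_failregex(failregex):
    """Turn a jail-style failregex containing <HOST> into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def is_valid_ip(text):
    """True only for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_ignored(ip, ignoreip):
    """ignoreip semantics: the address lies in any listed address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def ban_duration(bantime, multipliers, ban_count):
    """bantime.increment: the n-th ban uses the n-th multiplier; past the end the last one applies."""
    return bantime * multipliers[min(ban_count - 1, len(multipliers) - 1)]


def run_jail(log_lines, failregex, maxretry=3, findtime=timedelta(minutes=10),
             ignoreip=("127.0.0.1/8", "::1"), bantime=timedelta(minutes=10),
             multipliers=(1, 5, 30, 60, 300, 720, 1440, 2880)):
    """Replay log lines through one jail; return a list of (ip, ban time, ban duration)."""
    rx = compile_failregex(failregex)
    failures = defaultdict(list)   # ip -> timestamps of matches still inside findtime
    ban_count = defaultdict(int)   # ip -> number of bans issued so far
    bans = []
    for line in log_lines:
        stamp, _, message = line.partition(" ")
        match = rx.search(message)
        if not match:
            continue
        ip = match.group("host")
        if not is_valid_ip(ip) or is_ignored(ip, ignoreip):
            continue
        now = datetime.fromisoformat(stamp)
        window = [t for t in failures[ip] if now - t <= findtime]
        window.append(now)
        if len(window) < maxretry:
            failures[ip] = window
            continue
        ban_count[ip] += 1
        bans.append((ip, now, ban_duration(bantime, multipliers, ban_count[ip])))
        failures[ip] = []           # a ban consumes the counted failures, as in Fail2Ban
    return bans


if __name__ == "__main__":
    for ip, when, how_long in run_jail(SAMPLE_LOG, FAILREGEX):
        print(f"{when.isoformat()} ban {ip} for {how_long}")
```

Running the script shows 203.0.113.5 banned twice (10 minutes, then 50 minutes), 198.51.100.7 never reaching maxretry because its attempts fall outside one findtime window, and 127.0.0.1 skipped by ignoreip. Swapping in your own failregex and log lines is a quick way to see whether a pattern is too loose (matching benign lines) or too tight (missing the <HOST> capture) before the jail goes live.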

Custom Actions

Actions are stored in the /etc/fail2ban/action.d directory. To create a custom action, create a new file in this directory:

sudo nano /etc/fail2ban/action.d/mycustomaction.conf

Add your action definition to the file:

[Definition]
actionstart = /usr/local/bin/mycustomaction start <name>
actionstop = /usr/local/bin/mycustomaction stop <name>
actioncheck = /usr/local/bin/mycustomaction status <name>
actionban = /usr/local/bin/mycustomaction ban <ip>
actionunban = /usr/local/bin/mycustomaction unban <ip>

Replace /usr/local/bin/mycustomaction with the path to your custom action script. The <name>, <ip> and other parameters will be automatically replaced by Fail2Ban when the action is executed.
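The action file above expects a script at /usr/local/bin/mycustomaction, which the page does not show. The following Python script is an added example of such a backend (hypothetical; not shipped with Fail2Ban) that honours the exact interface in the action file: start, stop and status take the jail name, ban and unban take the address. Instead of touching the firewall it keeps a ban list plus an append-only audit log, the kind of record a SIEM can collect, and it refuses anything that is not a syntactically valid IP address. The state directory /var/lib/mycustomaction and the file names are assumptions of the example.

```python
#!/usr/bin/env python3
import ipaddress
import os
import sys
import tempfile
from datetime import datetime, timezone

# Assumed location of the state files; every function takes the directory as a
# parameter so demo() can exercise the script in a throwaway directory.
STATE_DIR = "/var/lib/mycustomaction"


def _audit(state_dir, message):
    """Append one UTC-timestamped line to audit.log."""
    os.makedirs(state_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(os.path.join(state_dir, "audit.log"), "a", encoding="utf-8") as fh:
        fh.write(f"{stamp} {message}\n")


def read_bans(state_dir):
    """Current ban list (one address per line); empty if nothing is banned yet."""
    try:
        with open(os.path.join(state_dir, "banned.txt"), encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return []


def _write_bans(state_dir, ips):
    # Write a temp file and rename it so a crash never leaves a half-written list.
    os.makedirs(state_dir, exist_ok=True)
    final = os.path.join(state_dir, "banned.txt")
    with open(final + ".tmp", "w", encoding="utf-8") as fh:
        fh.write("".join(ip + "\n" for ip in ips))
    os.replace(final + ".tmp", final)


def _canonical_ip(text):
    """Only a syntactically valid address may reach the ban list."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def start(state_dir, jail):
    """actionstart: mark the jail active and record it."""
    os.makedirs(state_dir, exist_ok=True)
    open(os.path.join(state_dir, f"{jail}.active"), "w", encoding="utf-8").close()
    _audit(state_dir, f"start jail={jail}")
    return True


def stop(state_dir, jail):
    """actionstop: clear the active marker; False if the jail was never started."""
    try:
        os.remove(os.path.join(state_dir, f"{jail}.active"))
    except FileNotFoundError:
        return False
    _audit(state_dir, f"stop jail={jail}")
    return True


def status(state_dir, jail):
    """actioncheck: Fail2Ban re-runs actionstart whenever this exits non-zero."""
    return os.path.exists(os.path.join(state_dir, f"{jail}.active"))


def ban(state_dir, ip):
    """actionban: add the address (idempotent); False plus an audit entry for bad input."""
    addr = _canonical_ip(ip)
    if addr is None:
        _audit(state_dir, f"rejected ban of invalid address {ip!r}")
        return False
    bans = read_bans(state_dir)
    if addr not in bans:
        _write_bans(state_dir, bans + [addr])
    _audit(state_dir, f"ban ip={addr}")
    return True


def unban(state_dir, ip):
    """actionunban: remove the address; False if it was not banned."""
    addr = _canonical_ip(ip)
    bans = read_bans(state_dir)
    if addr is None or addr not in bans:
        return False
    _write_bans(state_dir, [b for b in bans if b != addr])
    _audit(state_dir, f"unban ip={addr}")
    return True


def main(argv):
    """CLI used by the action file: {start|stop|status} <name> or {ban|unban} <ip>."""
    handlers = {"start": start, "stop": stop, "status": status, "ban": ban, "unban": unban}
    if len(argv) != 3 or argv[1] not in handlers:
        print("usage: mycustomaction {start|stop|status} <name> | {ban|unban} <ip>", file=sys.stderr)
        return 2
    return 0 if handlers[argv[1]](STATE_DIR, argv[2]) else 1


def demo():
    """Run the whole lifecycle in a temporary directory; returns each step's result."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "start": start(d, "mycustomjail"),
            "status_running": status(d, "mycustomjail"),
            "ban": ban(d, "203.0.113.5"),
            "ban_again": ban(d, "203.0.113.5"),
            "ban_invalid": ban(d, "not-an-address"),
            "banned": read_bans(d),
            "unban": unban(d, "203.0.113.5"),
            "banned_after": read_bans(d),
            "stop": stop(d, "mycustomjail"),
            "status_stopped": status(d, "mycustomjail"),
        }


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it with mode 0755 and it slots into the action definition unchanged. Two choices matter for a real backend: the exit code of status decides whether Fail2Ban re-initialises the action, and validating the address before writing it means a malformed value in a log line can never end up in a file that another tool later consumes.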

Putting It All Together

Once you have created your custom filters and actions, you can apply them in your jail configuration:

[mycustomjail]
enabled = true
port = 8080
logpath = /var/log/mycustomservice.log
filter = mycustomfilter
action = mycustomaction
maxretry = 3
bantime = 1h

This jail configuration will use the custom filter and action you created earlier, monitoring the /var/log/mycustomservice.log log file, and banning IPs for 1 hour after 3 failed attempts.

Don’t forget to restart Fail2Ban after making changes to your configuration:

sudo systemctl restart fail2ban

Step 4: Using Fail2ban-Client for Ban and Unban Operations

The fail2ban-client command is a useful tool for managing your Fail2Ban configuration and interacting with your jails. Some common tasks include banning and unbanning IP addresses manually.

Ban an IP address

To ban an IP address in a specific jail, use the following command:

sudo fail2ban-client set <jail-name> banip <ip-address>

Replace <jail-name> with the name of the jail you want to apply the ban, and <ip-address> with the IP address you want to ban. For example:

sudo fail2ban-client set apache-badbots banip 192.168.1.1

This command bans the IP address 192.168.1.1 in the apache-badbots jail.

Unban an IP address

To unban an IP address in a specific jail, use the following command:

sudo fail2ban-client set <jail-name> unbanip <ip-address>

Replace <jail-name> with the name of the jail you want to remove the ban, and <ip-address> with the IP address you want to unban. For example:

sudo fail2ban-client set apache-badbots unbanip 192.168.1.1

This command unbans the IP address 192.168.1.1 in the apache-badbots jail.

Display the list of banned IP addresses

To display the list of banned IP addresses for a specific jail, use the following command:

sudo fail2ban-client status <jail-name>

Replace <jail-name> with the name of the jail you want to check. For example:

sudo fail2ban-client status apache-badbots

This command displays the status of the apache-badbots jail, including the list of currently banned IP addresses.

Help and documentation

For additional help or information on using the fail2ban-client command, use the -h flag:

sudo fail2ban-client -h

This command displays a help menu with a list of available options and commands.

By using the fail2ban-client command, you can easily manage your jails, ban and unban IP addresses, and monitor the status of your Fail2Ban configuration.

Step 5: Verifying Firewalld and Fail2ban Integration

To ensure that Firewalld and Fail2ban are working correctly together, you can perform a simple test. With the Firewalld ban actions configured, every IP that Fail2ban bans should appear as a rich rule in Firewalld.

Enabling the SSHD jail for testing

Even if you are not using the SSHD jail, you can enable it temporarily to test the integration between Fail2ban and Firewalld. To do this, open the Fail2ban jail configuration file:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and set enabled to true:

[sshd]
enabled = true

Save the file and exit the editor. Then, restart Fail2ban to apply the changes:

sudo systemctl restart fail2ban

Testing the ban functionality

Now, use the fail2ban-client command to ban an IP address in the SSHD jail manually:

sudo fail2ban-client set sshd banip 192.155.1.7

Next, use the firewall-cmd command to list the rich rules in Firewalld:

sudo firewall-cmd --list-rich-rules

The example output should look like this:

rule family="ipv4" source address="192.155.1.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

As you can see, Fail2ban and Firewalld are working correctly together, as the IP address has been banned in both systems.

Reverting the changes

After confirming the integration, don’t forget to disable the SSHD jail if you don’t need it. Open the Fail2ban jail configuration file again:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and set enabled back to false:

[sshd]
enabled = false

Save the file, exit the editor, and restart Fail2ban to apply the changes:

sudo systemctl restart fail2ban

Step 6: Monitor Fail2Ban Logs

Regularly check Fail2Ban logs to ensure that your jails are functioning correctly. The default log file is located at /var/log/fail2ban.log.

Watching the log file in real-time

To watch the log file in real-time, use the tail -f command:

tail -f /var/log/fail2ban.log

Displaying a specific number of lines from the log file

To start from only the last N lines of the log file, add the -n flag:

tail -n 30 -f /var/log/fail2ban.log

This command will display the last 30 lines of the log file. Replace 30 with the desired number of lines.

Searching the log file for specific keywords or IP addresses

You can also use grep to search the log file for specific keywords or IP addresses:

grep -F '192.168.1.1' /var/log/fail2ban.log

This command will display log entries containing the IP address 192.168.1.1.
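Reading /var/log/fail2ban.log with tail and grep works for a single address; to see which jails are doing the work and which addresses keep coming back, the log is easy to parse. The following script is an added example, not part of Fail2Ban: it reads the Found, Ban, Unban and Restore Ban events from lines in the default log layout, rebuilds the currently banned set per jail and lists repeat offenders. The sample log lines are constructed for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# One line of the default Fail2Ban log layout:
#   "<date> <time>,<ms> <logger> [<pid>]: <LEVEL> [<jail>] <Event> <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"(?P<logger>\S+)\s*\[\d+\]:\s+(?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban|Unban|Restore Ban)\s+(?P<ip>\S+)"
)

# Constructed sample in the format of /var/log/fail2ban.log.
SAMPLE_LOG = """\
2024-05-01 10:00:30,101 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:00:30
2024-05-01 10:01:00,202 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:01:00
2024-05-01 10:01:00,250 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:00,300 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 198.51.100.7
2024-05-01 10:11:00,400 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 10:20:00,500 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:21:00,600 fail2ban.jail           [1234]: INFO    Jail 'sshd' started
""".splitlines()


def parse_line(line):
    """Return the named fields of a ban-related log line, or None for any other line."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def summarize(lines):
    """Replay the log: who is banned right now, how often each (jail, ip) was banned or found."""
    banned = defaultdict(set)   # jail -> addresses currently banned
    ban_counts = Counter()      # (jail, ip) -> number of Ban events
    found_counts = Counter()    # (jail, ip) -> number of Found (matched failure) events
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["jail"], ev["ip"])
        if ev["event"] == "Ban":
            banned[ev["jail"]].add(ev["ip"])
            ban_counts[key] += 1
        elif ev["event"] == "Restore Ban":   # re-applied after a restart, not a new offence
            banned[ev["jail"]].add(ev["ip"])
        elif ev["event"] == "Unban":
            banned[ev["jail"]].discard(ev["ip"])
        else:
            found_counts[key] += 1
    return {
        "banned": {jail: sorted(ips) for jail, ips in banned.items()},
        "ban_counts": dict(ban_counts),
        "found_counts": dict(found_counts),
    }


def repeat_offenders(summary, min_bans=2):
    """(jail, ip) pairs banned at least min_bans times: candidates for a longer bantime."""
    return sorted(key for key, n in summary["ban_counts"].items() if n >= min_bans)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/fail2ban.log"
    with open(path, encoding="utf-8", errors="replace") as fh:
        report = summarize(fh)
    for jail, ips in report["banned"].items():
        print(f"{jail}: {len(ips)} banned -> {', '.join(ips)}")
    for jail, ip in repeat_offenders(report):
        print(f"repeat offender in {jail}: {ip} ({report['ban_counts'][(jail, ip)]} bans)")
```

Run it as python3 fail2ban_report.py (or pass another log path). On the sample it reports 203.0.113.5 banned twice in sshd, which is the signal that bantime.increment would help, and 198.51.100.7 banned once in apache-badbots. Because each summary is built by replaying Ban and Unban events in order, the "currently banned" view stays correct across unbans and restarts, which a plain grep for an address does not give you.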

Additional Tips

How to Remove (Uninstall) Fail2ban on Fedora

If you no longer require Fail2Ban, remove it from your system with the following command:

sudo dnf autoremove fail2ban fail2ban-firewalld

Note, this will also remove all the unused dependencies installed with Fail2Ban.

Conclusion

By following these steps, you have successfully installed and configured Fail2Ban with Firewalld on your Fedora Linux system. Your server is now better protected against brute-force attacks and unauthorized access.

Additional Resources and Relevant Links

To further enhance your knowledge of Fail2Ban, Firewalld, and Fedora Linux security, check out the following resources:

  • Official Fail2Ban Documentation: The official Fail2Ban documentation provides comprehensive installation, configuration, and usage information. Fail2Ban Documentation
  • Official Firewalld Documentation: The official Firewalld documentation offers detailed guides and examples to help you understand and configure Firewalld. Firewalld Documentation
  • Fedora Linux Documentation: The Fedora Linux official documentation is a valuable resource for learning about various aspects of the Fedora Linux operating system. Fedora Linux Documentation
  • Fail2Ban and Firewalld on Reddit: The Linux, sysadmin, and cybersecurity communities on Reddit often discuss Fail2Ban and Firewalld, offering valuable insights, tips, and troubleshooting advice. r/linux, r/sysadmin, and r/netsec
  • Stack Overflow and Server Fault: Stack Overflow and Server Fault are excellent platforms for asking questions and finding solutions related to Fail2Ban, Firewalld, and Fedora Linux. Stack Overflow, Server Fault
  • Fedora Linux Forums: The Fedora Linux forums are a great place to ask questions, share experiences, and learn from fellow Fedora Linux users. Fedora Linux Forums.
