Fail2ban is an intrusion prevention software framework that protects servers, primarily from brute-force attacks, by banning bad user agents, banning URL scanners, and much more. Fail2ban achieves this by reading the access and error logs of your server or web applications. Fail2ban is written in the Python programming language.

This guide gives a rundown on installing Fail2ban on Rocky Linux 8, along with some basic setup and tips.

Prerequisites

Recommended OS: Rocky Linux 8.+

Rocky Linux 8.+ User account: A user account with sudo or root access.

Add EPEL Repository

The first step is to import the repository from EPEL (Extra Packages for Enterprise Linux) as follows:

sudo dnf install epel-release


Type Y, then press enter key to proceed with the installation.

It is always a good idea to verify that the repository was added successfully; this can be done with the dnf repolist command as below:

sudo dnf repolist


As you can see, the EPEL repository has been added correctly. Handy hint: you can reuse this command to check any future repository imports.

Configure Firewalld

By default, Rocky Linux 8 comes with firewalld installed. To verify this, use the following command:

sudo dnf info firewalld


As you can see, this is installed on Rocky Linux 8 by default; also, it should be automatically enabled on your system.

To confirm this, use the following systemctl command:

sudo systemctl status firewalld


Another handy trick with firewalld is to use the firewall-cmd --state command to verify whether it is running:

sudo firewall-cmd --state

Example output:

running

If your firewalld is switched off, to start it use the following:

sudo systemctl start firewalld

To re-enable it to start on system boot, use the following:

sudo systemctl enable firewalld

Example output if successful:

Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

If your firewall has been removed, you can re-install firewalld with the following command:

sudo dnf install firewalld

Finally, to verify the current rules before any new ones are added by fail2ban, list the existing ones to get familiar with firewalld:

sudo firewall-cmd --list-all


Install Fail2ban

Now that you have the EPEL repository installed, it is time to install fail2ban and the additional package fail2ban-firewalld, which configures Fail2ban to work correctly with firewalld.

sudo dnf install fail2ban fail2ban-firewalld


Type Y, then press enter key to proceed with the installation.

By default, fail2ban will not be active, so you must start it manually with the following systemctl command:

sudo systemctl start fail2ban

Then to enable fail2ban on system boot, use the following:

sudo systemctl enable fail2ban

Verify the status with the following command:

sudo systemctl status fail2ban


Lastly, verify the version and build of fail2ban:

fail2ban-client --version

Example output:

Fail2Ban v0.11.2

Configure Fail2ban

After completing the installation, we now need to do some setup and basic configuration. Fail2ban ships with two configuration files: /etc/fail2ban/jail.conf and the default jail override /etc/fail2ban/jail.d/00-firewalld.conf. Do not modify these files; they are the originals and will be overwritten by any future update to Fail2ban.

So how do you configure Fail2ban without losing your settings when you update? Simple: we create copies ending in .local instead of .conf, as Fail2ban reads .local files and gives their settings precedence over the matching .conf.

To do this, use the following commands.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

By default, jail.local is set up to use iptables. To keep things simple, instead of relying on 00-firewalld.conf and writing your rules from scratch, open jail.local, go to line 208, and replace the ban action as follows.

Open jail.local:

sudo nano /etc/fail2ban/jail.local

Find the old code (iptables):

banaction = iptables-multiport
banaction_allports = iptables-allports

Replace it with (firewalld):

banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

Next, the tutorial will run over some settings that you can use or modify to your liking. Note that most settings are commented out; the tutorial will uncomment the lines in question or modify the existing ones in the example settings.

Remember, these are optional settings, and you can set whatever you like if you know more about fail2ban and have the confidence.

Ban Time Increment

The first setting you will come across is ban time increments. You should enable this so that every time an attacker returns, the ban time increases. It saves your system from constantly re-banning the same IP if your ban lengths are short; for example, with a 1-hour ban, you would want it to be much longer by the time the attacker has returned five times.

You also need to set a multiplier or factor for the ban increase logic to work. You can pick either; in this guide we prefer multipliers, as highlighted in the example below, since you can set custom ban time increases to your liking. The set-up file explains the math behind it further.

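To see how the bantime.increment settings in jail.local escalate a repeat offender's ban, here is a small model of the rules documented in jail.conf (default doubling formula, bantime.factor, bantime.multipliers and the bantime.maxtime cap). This is an added example written for this guide, not Fail2ban's own code; the optional random offset (bantime.rndtime) is left out.

```python
from typing import Optional, Sequence


def next_bantime(bantime: int, ban_count: int, factor: float = 1.0,
                 multipliers: Optional[Sequence[int]] = None,
                 maxtime: Optional[int] = None) -> int:
    """Ban length in seconds for a host already banned ban_count times
    (0 = first ban), following the rules documented in jail.conf:

    - with bantime.multipliers: bantime * factor * multipliers[ban_count],
      reusing the last multiplier once ban_count runs past the list;
    - without: bantime * (1 << min(ban_count, 20)) * factor, never below bantime;
    - bantime.maxtime, when set, caps the result.
    (Model written for this guide, not Fail2ban's own code.)
    """
    if multipliers:
        idx = ban_count if ban_count < len(multipliers) else -1
        seconds = bantime * factor * multipliers[idx]
    else:
        seconds = max(bantime, bantime * (1 << min(ban_count, 20)) * factor)
    if maxtime is not None:
        seconds = min(seconds, maxtime)
    return int(seconds)


def ban_schedule(bantime: int, bans: int, **opts) -> list:
    """Ban lengths for the first `bans` bans of one host, to eyeball how
    quickly a short ban escalates for a returning attacker."""
    return [next_bantime(bantime, n, **opts) for n in range(bans)]


if __name__ == "__main__":
    # 1 h base ban with the default doubling formula (bantime.factor = 1)
    print(ban_schedule(3600, 6))
    # Same base with custom multipliers and a two-day cap, the style this
    # guide prefers: bantime.multipliers = 1 2 4 8 16 32 64, bantime.maxtime = 2d
    print(ban_schedule(3600, 9, multipliers=[1, 2, 4, 8, 16, 32, 64],
                       maxtime=2 * 24 * 3600))
```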

Whitelist IPs in Fail2ban

Next in the list, we come across the whitelisting options. Uncomment the following and add any IP addresses you want to be whitelisted.

ignoreip = 127.0.0.1/8 ::1 180.53.31.33

(180.53.31.33 is an example IP address.)

Make sure to separate the IP addresses with a space or a comma. You can whitelist IP ranges as well.


Default Ban Time Set-Up

The default ban time is 10 minutes, with a 10-minute find time and 5 retries. In other words, a Fail2ban jail with filtering will ban an attacker for 10 minutes once it has retried the same attack 5 times (maxretry) within 10 minutes (findtime). You can set some default ban settings here.

However, when you get to the jails, it is advised to set different ban times per jail, as some bans should be longer than others, and the number of retries may need to be lower or higher.


E-Mail set up with Fail2ban

You can set an e-mail address for Fail2ban to send reports to. The default action = %(action_mw)s bans the offending IP and sends an e-mail with a whois report for you to review. However, in your action.d folder, other e-mail options exist for reporting not only to yourself but also to blacklist providers and the attacker's ISP.

Example below:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender e-mail address used solely for some actions
sender = root@<fq-hostname>

# (jail.conf defaults shown; replace both with your own addresses)

Fail2ban Jails

Next, we come to the jails. You can use the pre-defined jails, with filters and actions created by the community, covering many popular server applications. You can also make custom jails or find external ones on various gists and community websites; however, here we will set up the default Fail2ban package jails.

The default set-up for all the jails is shown in the example below. Notice how nothing is enabled.

Example below:

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

So, say we have an Apache 2 HTTP server and would like to filter and ban bad bots; all you need to do is add enabled = true, as in the example below.

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Notice how maxretry equals 1 and the ban time is 48h. These are the individual max retry and ban length settings for this jail, and they will automatically increase with the ban multiplier we set up earlier in the guide. If any of the jails are missing these, you can add them, as in the following example.

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

Change the above to the following:

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
bantime  = 1d
maxretry = 3

Next, if you would like to use actions other than the default set in /etc/fail2ban/jail.local, you can find additional actions in the action.d directory. Actions from this directory can be set up easily by following the directions inside each action's configuration file, remembering to copy it to a .local file first rather than editing the .conf, and then adding the following to your jail setup.

[apache-botsearch]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
# two actions: the default ban-and-mail-whois action, then cloudflare
action   = %(action_mw)s
           cloudflare
bantime  = 72h
maxretry = 1

As you can see, we added action_mw, so it automatically bans as per our default action and e-mails us a report with whois; the following action, cloudflare, will also block the IP address on the Cloudflare service if you use it. Remember, Cloudflare needs setting up before use: read the action.d file cloudflare.conf.

Once you are happy with your set-up, run the following command to restart Fail2ban and load your new jails.

sudo systemctl restart fail2ban

Examples of using Fail2ban-client

Now that you are up and running with Fail2ban, you need to know some basic operating commands. We do this by using the fail2ban-client command. You may need to have sudo privileges, depending on your setup.

Ban an IP address:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

To bring up the help menu if you need to find additional settings or get help on a particular one:

sudo fail2ban-client -h

Checking Firewalld and Fail2ban

By default, firewalld should be configured to automatically block any IP that Fail2ban bans. To check that this is indeed working correctly, a quick test is to enable the sshd jail (set enabled = true under [sshd] in jail.local, even if you are not otherwise using this jail, since it is just a test) and then run the following ban command:

sudo fail2ban-client set sshd banip 192.155.1.7

Now list the firewall list rich rules as follows:

firewall-cmd --list-rich-rules

Example output:

rule family="ipv4" source address="192.155.1.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

As you can see, fail2ban and firewalld are working correctly for a live environment.

Monitoring Fail2ban Logs

A common mistake is to set up jails and walk away without testing or monitoring what they are doing. Reviewing the logs is essential; the Fail2ban log is at its default path, /var/log/fail2ban.log.

If your server receives a decent amount of traffic, an excellent way to watch for issues live and keep an eye on it while you work on other servers is the tail -f command below.

sudo tail -f /var/log/fail2ban.log

This command comes in handy for spot-checking without having to dive into the full log.
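For a quicker spot-check than scrolling through tail output, here is an added example (not part of the original tutorial or of Fail2ban itself) that summarises the Ban, Unban and Restore Ban lines fail2ban 0.11 writes to /var/log/fail2ban.log, per jail. It also counts "already banned" warnings, which I treat as a sign worth investigating because they mean the filter is still matching a host that should already be blocked. The log lines are constructed sample input.

```python
import re
from collections import Counter, defaultdict

# One fail2ban.log line, e.g.
#   2021-06-14 10:15:40,001 fail2ban.actions  [1234]: NOTICE  [sshd] Ban 192.0.2.10
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<module>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<msg>.*)$")
ACTION_RE = re.compile(r"^(?P<action>Restore Ban|Ban|Unban) (?P<ip>\S+)$")


def summarise(lines):
    """Return {jail: {event: count}} for ban events in fail2ban.log lines."""
    summary = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a fail2ban log line we recognise
        jail, msg = m.group("jail"), m.group("msg")
        a = ACTION_RE.match(msg)
        if a:
            summary[jail][a.group("action")] += 1
        elif msg.endswith("already banned"):
            # Filter matched a host that is supposed to be blocked already;
            # if this keeps recurring, check the firewalld rich rule exists.
            summary[jail]["already banned"] += 1
    return {jail: dict(c) for jail, c in summary.items()}


# Constructed sample log lines in the fail2ban 0.11 format.
SAMPLE_LOG = """\
2021-06-14 10:15:32,456 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2021-06-14 10:15:32
2021-06-14 10:15:40,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2021-06-14 10:16:02,777 fail2ban.actions        [1234]: WARNING [sshd] 192.0.2.10 already banned
2021-06-14 10:25:40,002 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10
2021-06-14 10:31:00,000 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 198.51.100.7
2021-06-14 10:31:01,000 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Restore Ban 198.51.100.8
""".splitlines()

if __name__ == "__main__":
    # On a real host: summarise(open("/var/log/fail2ban.log"))
    for jail, counts in summarise(SAMPLE_LOG).items():
        print(jail, counts)
```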

The tutorial has shown you the basics of installing Fail2ban on the Rocky Linux 8 system and setting up some jails with the filters available. Fail2ban is a potent tool. You can set it up in many different ways from what I have shown here. It is just an example of getting your way around it, to begin. Fail2ban is actively developed and is a solid choice to deploy on your server in these times where attacks are becoming so frequent.