Tuesday, September 17, 2013

Installing Fail2ban on CentOS 6

Fail2ban restricts the IP addresses of hosts that are trying to breach your system's security. Whenever an abusive IP is detected, it can block that IP's access to your system for a specific period of time. This period is configurable by the system administrator.


  1. Download the latest version of fail2ban:

     [root@glt ~]# wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.8.10

  2. Extract the files from the tarball and run the "setup.py" script:

     [root@glt ~]# tar -xf 0.8.10
     [root@glt ~]# cd fail2ban-0.8.10
     [root@glt fail2ban-0.8.10]# python setup.py install

  3. Configure fail2ban:

     [root@glt fail2ban-0.8.10]# vi /etc/fail2ban/jail.conf

     • White-list your own IP address by adding it to the ignoreip line, so that a mistyped password of your own can never lock you out:

       [DEFAULT]
       # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
       # ban a host which matches an address in this list. Several addresses can be
       # defined using space separator.
       ignoreip = 127.0.0.1

     • In the ssh-iptables section, change "enabled = false" to "enabled = true" and set the e-mail address that should receive the alerts (the second line of the action value must stay indented so it is read as a continuation of the first):

       [ssh-iptables]

       enabled  = true
       filter   = sshd
       action   = iptables[name=SSH, port=ssh, protocol=tcp]
                  sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@localhost]
       logpath  = /var/log/sshd.log
       maxretry = 5

       Check that logpath points at the file that actually contains sshd's "Failed password" lines on your system; on CentOS 6 sshd logs them through syslog to /var/log/secure, and a jail watching a file that is never written will never ban anyone.

  4. To ensure that fail2ban starts at boot, install the bundled Red Hat init script and register it with chkconfig:

     [root@glt fail2ban-0.8.10]# cp ./files/redhat-initd /etc/init.d/fail2ban
     [root@glt fail2ban-0.8.10]# chkconfig --add fail2ban
     [root@glt fail2ban-0.8.10]# chkconfig fail2ban on

  5. Start fail2ban:

     [root@glt fail2ban-0.8.10]# service fail2ban start
     Starting fail2ban:                                         [  OK  ]

  6. To list the IP addresses that fail2ban has blocked, inspect the iptables rules. Banned hosts appear as REJECT entries in the fail2ban-SSH chain (the chain name comes from the name=SSH parameter of the action), and the INPUT chain jumps to that chain for every packet to the ssh port. The same information, as fail2ban sees it, is available from "fail2ban-client status ssh-iptables".

     [root@glt ~]# iptables -L
     Chain INPUT (policy ACCEPT)
     target     prot opt source               destination
     fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
     ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
     DROP       icmp --  anywhere             anywhere            icmp echo-request
     ACCEPT     all  --  anywhere             anywhere
     ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
     ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:http
     ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
     REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

     Chain FORWARD (policy ACCEPT)
     target     prot opt source               destination
     REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

     Chain OUTPUT (policy ACCEPT)
     target     prot opt source               destination

     Chain fail2ban-SSH (1 references)
     target     prot opt source               destination
     REJECT     all  --  61.147.116.109       anywhere            reject-with icmp-port-unreachable
     RETURN     all  --  anywhere             anywhere
     [root@glt ~]#
