How to Install and Configure Fail2ban on Alma Linux 8
Fail2ban is a free and open-source Intrusion Prevention System written in Python. It is used to protect your system against brute-force attacks. It continuously monitors the SSH (and other) log files for authentication attempts. After a specified number of incorrect password attempts, Fail2Ban bans the client's IP address. It can be used to secure several services, including SSH, vsftpd, Apache, and Webmin.
In this tutorial, I will show you how to install and configure Fail2Ban on Alma Linux 8.
Prerequisites
- A server running Alma Linux 8.
- A root password is configured on the server.
Verify Firewalld Installation
By default, the firewalld package comes pre-installed on Alma Linux 8. First, check whether it is running with the following command:
systemctl status firewalld
If firewalld is not running, you will get the following output:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
Now, start the firewalld service with the following command:
systemctl start firewalld
You can check the status of firewalld using the following command:
systemctl status firewalld
You should see the following output:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2022-02-19 08:57:14 UTC; 40s ago
     Docs: man:firewalld(1)
 Main PID: 7214 (firewalld)
    Tasks: 2 (limit: 23696)
   Memory: 27.9M
   CGroup: /system.slice/firewalld.service
           └─7214 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Feb 19 08:57:14 linux systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 19 08:57:14 linux systemd[1]: Started firewalld - dynamic firewall daemon.
Now, list all services configured by firewalld using the following command:
firewall-cmd --list-all
You should see the following output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Install Fail2Ban
By default, the Fail2Ban package is not available in the Alma Linux default repo, so you will need to install it from the EPEL repo. You can install the EPEL repo with the following command:
dnf install epel-release -y
Once the EPEL repo is installed, you can install Fail2Ban and its firewalld integration package with the following command:
dnf install fail2ban fail2ban-firewalld -y
Once the installation is complete, start and enable the Fail2Ban service with the following commands:
systemctl start fail2ban
systemctl enable fail2ban
You can verify the status of the fail2ban service by running the command:
systemctl status fail2ban
You should see the following output:
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-02-19 08:58:34 UTC; 6s ago
     Docs: man:fail2ban(1)
  Process: 7838 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 7840 (fail2ban-server)
    Tasks: 3 (limit: 23696)
   Memory: 10.8M
   CGroup: /system.slice/fail2ban.service
           └─7840 /usr/bin/python3.6 -s /usr/bin/fail2ban-server -xf start

Feb 19 08:58:34 linux systemd[1]: Starting Fail2Ban Service...
Feb 19 08:58:34 linux systemd[1]: Started Fail2Ban Service.
Feb 19 08:58:35 linux fail2ban-server[7840]: Server ready
Configure Fail2Ban
The main Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. It is a good idea to create a copy of the main configuration file. You can create it with the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
By default, Fail2Ban uses the iptables firewall. To enable firewalld support, run the following command:
mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Next, restart the Fail2Ban service to apply the changes:
systemctl restart fail2ban
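Fail2Ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, and later files override earlier ones, so a .conf drop-in loses to any setting that a full jail.local repeats. The following added example (not part of the original tutorial or of Fail2Ban itself) models that merge with Python's configparser; the file contents are short constructed stand-ins and the helper names are hypothetical.

```python
import configparser

# Constructed stand-ins for the files involved; the real files are longer
# and their exact values may differ.
FILES = {
    "/etc/fail2ban/jail.conf":
        "[DEFAULT]\nbanaction = iptables-multiport\nbantime = 10m\n",
    "/etc/fail2ban/jail.d/00-firewalld.conf":
        "[DEFAULT]\nbanaction = firewallcmd-rich-rules\n",
    "/etc/fail2ban/jail.local":  # the copy of jail.conf made above
        "[DEFAULT]\nbanaction = iptables-multiport\nbantime = 10m\n",
    "/etc/fail2ban/jail.d/sshd.local":  # created in the next section
        "[sshd]\nenabled = true\nbantime = 2h\nmaxretry = 3\n",
}

def read_order(paths):
    """Sort paths as: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local."""
    return sorted(paths, key=lambda p: (p.endswith(".local"), "/jail.d/" in p, p))

def effective(files, jail, option):
    """Merge the files in read order and return the jail's effective value."""
    cp = configparser.ConfigParser(interpolation=None)
    for path in read_order(files):
        cp.read_string(files[path], source=path)  # later files override earlier
    return cp.get(jail, option)  # falls back to [DEFAULT] when the jail is silent

def rename_to_local(files, path):
    """Model `mv X.conf X.local` on the in-memory file set."""
    out = dict(files)
    out[path[: -len(".conf")] + ".local"] = out.pop(path)
    return out

if __name__ == "__main__":
    after = rename_to_local(FILES, "/etc/fail2ban/jail.d/00-firewalld.conf")
    for label, files in (("before mv", FILES), ("after mv", after)):
        print(label, "banaction =", effective(files, "sshd", "banaction"))
    print("sshd bantime =", effective(after, "sshd", "bantime"))
```

On a real system, `fail2ban-client get sshd actions` shows which ban action the running jail actually loaded.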
Secure SSH with Fail2Ban
By default, Fail2Ban is not configured to block remote IPs. You will need to configure the Fail2Ban jail configuration file for each service that you want to protect.
To protect the SSH service, create a jail configuration file for SSH with the following command:
nano /etc/fail2ban/jail.d/sshd.local
Add the following lines:
# This configuration will block the remote host for 2 hours after 3 failed SSH login attempts.
[sshd]
enabled = true
bantime = 2h
maxretry = 3
Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes:
systemctl restart fail2ban
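To see how maxretry and bantime interact, here is an added example (a simplified model, not Fail2Ban's own code and not from the original tutorial) that replays the jail's counting logic over a constructed log. FINDTIME is an assumption: the page does not set it, so Fail2Ban's default of 10 minutes is used, and the log format and addresses are constructed.

```python
import re
from datetime import datetime, timedelta

MAXRETRY = 3                      # from the [sshd] jail above
BANTIME = timedelta(hours=2)      # from the [sshd] jail above
FINDTIME = timedelta(minutes=10)  # assumption: default window, not set on this page

# Constructed sample log (documentation-range addresses, simplified format).
LOG = """\
2022-02-19T09:00:01 sshd[901]: Failed password for root from 203.0.113.7 port 40022 ssh2
2022-02-19T09:00:05 sshd[901]: Failed password for root from 203.0.113.7 port 40022 ssh2
2022-02-19T09:00:09 sshd[903]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
2022-02-19T09:00:12 sshd[905]: Failed password for root from 203.0.113.7 port 40031 ssh2
2022-02-19T09:01:00 sshd[910]: Failed password for alice from 198.51.100.23 port 51500 ssh2
2022-02-19T09:06:00 sshd[915]: Failed password for alice from 198.51.100.23 port 51502 ssh2
2022-02-19T09:12:30 sshd[920]: Failed password for alice from 198.51.100.23 port 51507 ssh2
2022-02-19T09:12:41 sshd[920]: Accepted password for alice from 198.51.100.23 port 51507 ssh2
2022-02-19T11:30:00 sshd[950]: Failed password for root from 203.0.113.7 port 40100 ssh2
"""

FAIL = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def simulate(log):
    """Return a list of (ip, banned_at, banned_until) for the given log text."""
    failures, banned_until, bans = {}, {}, []
    for line in log.splitlines():
        m = FAIL.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # host is still banned; the firewall would drop it
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in failures.get(ip, []) if ts - t <= FINDTIME] + [ts]
        if len(recent) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            recent = []  # counter starts over once the ban is issued
        failures[ip] = recent
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(LOG):
        print(f"ban {ip} from {start} until {end}")
```

The second host is never banned because its three failures do not fall within one 10-minute window, which is why a slow password-guessing attempt can stay under a jail that only sets maxretry.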
You can now verify the jail configuration with the following command:
fail2ban-client status
You will see the configured jail in the following output:
Status
|- Number of jail:      1
`- Jail list:   sshd
To check the SSH jail for any banned IP addresses, run the following command:
fail2ban-client status sshd
The banned IP addresses are listed in the following output:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 6
|  |- Total failed:     15
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   96.9.67.48 43.154.142.8
If you want to unban an IP address manually, run the following command:
fail2ban-client unban remote-ip-address
Conclusion
In this guide, we explained how to install Fail2Ban on Alma Linux 8. We also explained how to use Fail2Ban to secure the SSH service. You can now implement Fail2Ban in a production environment to protect your system from brute-force attacks.