Fail2ban centos

Installing and configuring the fail2ban centos service

fail2ban is a service for linux systems that checks log files for failed login attempts and automatically inserts firewall rules to block further attempts at logins from those IP addresses for a specified amount of time. Installing fail2ban on centos is relatively easy

Firstly, make sure that you habve the epel repo iavailable, then install and enable fail2ban by issuing the following commands

yum install epel-release
yum install fail2ban
systemctl enable fail2ban

You now have fail2ban installed and enabled, but not yet configured. The config file for fail2ban is /etc/fail2ban/jail.conf, however, if modifications are made here, then they may be overwritten in future by system updates, so its recommended to create your own config file:

Protecting SSH with fail2ban

vim /etc/fail2ban/jail.local

paste the following into the file to enable a 1 hour ban on failed logins from ssh

[DEFAULT]
bantime = 3600
banaction = iptables-multiport

[sshd]
enabled = true

lastly, restart the fail2ban service

systemctl restart fail2ban

Protecting apache with fail2ban

edit the local config:

vim /etc/fail2ban/jail.local
[apache] 
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/error.log
maxretry = 6

Protecting wordpress with fail2ban

install wp-fail2ban plugin & copy the provided filter

cp /var/www/html/wp-content/plugins/wp-fail2ban/filters.d/wordpress-hard.conf /etc/fail2ban/filter.d/

edit the local config:

vim /etc/fail2ban/jail.local
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 3
port = http,https

lastly, restart the fail2ban service

service fail2ban restart

Fail2ban modsecurity rules

create /etc/fail2ban/filter.d/modsec.conf

#Fail2Ban configuration file
#Author: Florian Roth
[Definition]
failregex = [.?]\s[\w-]\s\s
ignoreregex =

edit the local config:

vim /etc/fail2ban/jail.local
[modsec] 
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
logpath = /var/log/httpd/modsec_audit.log
bantime = 600
maxretry = 3

Leave a Reply