Installing and configuring the fail2ban service on CentOS
fail2ban is a service for Linux systems that scans log files for failed login attempts and automatically inserts firewall rules to block further login attempts from the offending IP addresses for a specified amount of time. Installing fail2ban on CentOS is relatively easy.
First, make sure that you have the EPEL repository available, then install and enable fail2ban by issuing the following commands:
yum install epel-release
yum install fail2ban
systemctl enable fail2ban
You now have fail2ban installed and enabled, but not yet configured. The main config file is /etc/fail2ban/jail.conf; however, modifications made there may be overwritten by future package updates, so it's recommended to put your own settings in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which overrides it:
Protecting SSH with fail2ban
vim /etc/fail2ban/jail.local
Paste the following into the file to enable a 1 hour ban on failed SSH logins (bantime is given in seconds):
[DEFAULT]
bantime = 3600
banaction = iptables-multiport
[sshd]
enabled = true
Lastly, restart the fail2ban service:
systemctl restart fail2ban
Protecting apache with fail2ban
Edit the local config and append the following jail:
vim /etc/fail2ban/jail.local
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/error.log
maxretry = 6
Protecting wordpress with fail2ban
Install the wp-fail2ban plugin and copy the filter it provides into fail2ban's filter directory:
cp /var/www/html/wp-content/plugins/wp-fail2ban/filters.d/wordpress-hard.conf /etc/fail2ban/filter.d/
Edit the local config and append the following jail:
vim /etc/fail2ban/jail.local
[wordpress-hard]
enabled = true
filter = wordpress-hard
# wp-fail2ban logs through syslog; /var/log/auth.log is the Debian/Ubuntu location.
# On CentOS, point this at the file your syslog writes the auth facility to
# (check /var/log/secure and /var/log/messages).
logpath = /var/log/auth.log
maxretry = 3
port = http,https
Lastly, restart the fail2ban service:
systemctl restart fail2ban
Fail2ban ModSecurity rules
Create /etc/fail2ban/filter.d/modsec.conf with the following filter. It matches the header line of each entry in the ModSecurity audit log, which carries the timestamp, the transaction id and the client IP:
# Fail2Ban configuration file
# Author: Florian Roth
[Definition]
# Matches "[timestamp] transaction-id client-ip ..."; <HOST> is fail2ban's
# placeholder for the IP address to ban.
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =
Edit the local config and append the following jail. Note that every audit entry counts as a hit, so this only makes sense with SecAuditEngine set to RelevantOnly; with SecAuditEngine On, every logged request would count towards the ban:
vim /etc/fail2ban/jail.local
[modsec]
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
logpath = /var/log/httpd/modsec_audit.log
bantime = 600
maxretry = 3
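To see what the modsec filter actually matches before enabling the jail, here is an added Python example (not part of the original page, nor fail2ban's own code) that expands the filter's <HOST> tag the way fail2ban does, runs the failregex over a constructed modsec_audit.log excerpt, and applies the jail's maxretry together with fail2ban's default findtime of 600 seconds; the IP addresses and transaction ids in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands the <HOST> tag of a failregex to this named group.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from modsec.conf above with <HOST> expanded; the bracketed
# timestamp is additionally captured so findtime can be applied.
FAILREGEX = re.compile(r"\[(?P<ts>.*?)\]\s[\w-]*\s" + HOST + r"\s")

# Constructed modsec_audit.log excerpt. The header line of each entry carries
# [timestamp] transaction-id client-ip client-port server-ip server-port.
SAMPLE_LOG = """\
[11/Jun/2015:11:52:35 +0200] VXlTo38AAQEAAB5j0WYAAAAA 203.0.113.7 51942 198.51.100.10 80
--a1b2c3d4-B--
GET /wp-login.php HTTP/1.1
[11/Jun/2015:11:52:36 +0200] VXlTo38AAQEAAB5j0WYAAAAB 203.0.113.7 51943 198.51.100.10 80
[11/Jun/2015:11:52:37 +0200] VXlTo38AAQEAAB5j0WYAAAAC 203.0.113.7 51944 198.51.100.10 80
[11/Jun/2015:11:52:40 +0200] VXlTo38AAQEAAB5j0WYAAAAD 192.0.2.55 40001 198.51.100.10 80
[11/Jun/2015:12:30:00 +0200] VXlTo38AAQEAAB5j0WYAAAAE 192.0.2.55 40002 198.51.100.10 80
[11/Jun/2015:13:10:00 +0200] VXlTo38AAQEAAB5j0WYAAAAF 192.0.2.55 40003 198.51.100.10 80
"""

def parse_hits(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Mimic the jail's decision: a host is banned once it has maxretry hits
    inside any findtime-second window (600 s is fail2ban's default findtime)."""
    per_host = defaultdict(list)
    for ts, host in parse_hits(log_text):
        per_host[host].append(ts)
    banned = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)  # for SAMPLE_LOG: ['203.0.113.7']
```

On a real host, fail2ban-regex /var/log/httpd/modsec_audit.log /etc/fail2ban/filter.d/modsec.conf performs the same matching check with the installed filter. The second sample client has three hits but spread over more than findtime, so it is not banned, which is the behaviour that keeps a slow trickle of relevant events from locking out a legitimate client.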