[How to] Fail2ban on CentOS 7

JaredBusch

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Dashrender

@JaredBusch said:

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Are you saying you need this at C@C because you don't have a hardware firewall?

coliver

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Are you saying you need this at C@C because you don't have a hardware firewall?

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

The default CentOS 7 firewall has been really good, so it would probably work well enough for an internal facing server.

JaredBusch

@Dashrender said:

Are you saying you need this at C@C because you don't have a hardware firewall?

@coliver said:

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

This. Firewall or not, because it is open to the public, it needs protection.

On an internal system with no public access is simply not worth it on CentOS7.

A Former User

@JaredBusch said:

@Dashrender said:

Are you saying you need this at C@C because you don't have a hardware firewall?

@coliver said:

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

This. Firewall or not, because it is open to the public, it needs protection.

On an internal system with no public access is simply not worth it on CentOS7.

You can also disable root from logging in via SSH Just
vi /etc/ssh/sshd_config
And Change the PremitRootLogin yes to PremitRootLogin no

This also disables the login via SCP of course

nadnerB

Well, I've just tried it and I received an error when checking the status using fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry, but the Jail 'sshd' does not exist
 
This might just be due to my inexperience but I didn't receive any errors before that.
Any ideas?

A Former User

@nadnerB It means the jail isn't setup. Go back over the text files you made with Vi in step 7 and step 5

nadnerB

Thanks @thecreativeone91
A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go.

A Former User

I wrote a script to do this.

#!/bin/bash

# CentOS7 Fail2Ban Install and Configure Script

yum install -y epel-release fail2ban checkpolicy policycoreutils-python firewalld

cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
EOF

cat > fail2ban-syslog.te << EOF
module fail2ban-syslog 1.0;

require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;
EOF

checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp

systemctl start fail2ban

systemctl enable fail2ban

fail2ban-client status sshd

echo Done!

Anything I missed?

Danp

@Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?

Danp

Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

A Former User

@Danp said:

Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

I don't think Fail2ban likes log rotate.

Danp

@thecreativeone91 said:

I don't think Fail2ban likes log rotate.

Looks that way. I found this, but it's for an older version of both F2B and Centos.

Danp

Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.

Sparkum

When I do

fail2ban-client status sshd

I get

[root@dc fail2ban]# fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist

When I check the audit logs I get logs....

Danp

@Sparkum What do you get when you enter the following?:

fail2ban-client status

Sparkum

@Danp

[root@dc fail2ban]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

Danp

Did you follow the steps and create the jail.local file?

Sparkum

@Danp

Yep

Sparkum

Noticed the problem happened below.

Changed "enabled" to "enable" and looks like it works.

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - File list: /var/log/secure - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

Much appreciated thanks