[How to] Fail2ban on CentOS 7

A Former User

I figured since so many people are doing cloud at cost I'd make a tutorial for setting up fail2ban in CentOS 7, as it's not as simple as it used to be.

Add the EPEL Repo
yum Install -y epel-release
Install Fail2Ban
yum install -y fail2ban
Install Other need packages
yum install -y checkpolicy policycoreutils-python
Firewalld should be installed by default if not then install it
yum install -y firewalld
Create the file
vi /etc/fail2ban/jail.local
Insert the text below and then exit and save using :wq

[sshd]
enabled = true
Create the file
vi /etc/fail2ban/jail.d/sshd.local
Press Insert on your keyboard and then past this text into your SSH session (usually just right click)

[sshd]
enabled = true
#action = firewallcmd-ipset
bantime = 96400
Type Escape on your keyboard and then enter :wq to write the file and quit vi
Selinux in CentOS blocks Fail2ban so we must fix it. Create File fail2ban-syslog.te
vi fail2ban-syslog.te
Insert the following text, then save and exit the file

module fail2ban-syslog 1.0;

require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;
Make the module.
checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp
Enable fail2ban to run at start and start fail2ban
systemctl enable fail2ban
systemctl start fail2ban

Let me know if you have issues with it.

You can use fail2ban-client status sshd to check the status and tail -f /var/log/audit/audit.log to check the logs

Posted on SW as well http://community.spiceworks.com/how_to/110897-install-fail2ban-on-centos-7

scottalanmiller

Awesome writeup.

Dashrender

nice, I'll be trying this with Freepbx soon. thanks.

JaredBusch

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Dashrender

@JaredBusch said:

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Are you saying you need this at C@C because you don't have a hardware firewall?

coliver

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

Awesome writeup.

This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

Are you saying you need this at C@C because you don't have a hardware firewall?

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

The default CentOS 7 firewall has been really good, so it would probably work well enough for an internal facing server.

JaredBusch

@Dashrender said:

Are you saying you need this at C@C because you don't have a hardware firewall?

@coliver said:

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

This. Firewall or not, because it is open to the public, it needs protection.

On an internal system with no public access is simply not worth it on CentOS7.

A Former User

@JaredBusch said:

@Dashrender said:

Are you saying you need this at C@C because you don't have a hardware firewall?

@coliver said:

I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

This. Firewall or not, because it is open to the public, it needs protection.

On an internal system with no public access is simply not worth it on CentOS7.

You can also disable root from logging in via SSH Just
vi /etc/ssh/sshd_config
And Change the PremitRootLogin yes to PremitRootLogin no

This also disables the login via SCP of course

nadnerB

Well, I've just tried it and I received an error when checking the status using fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry, but the Jail 'sshd' does not exist

This might just be due to my inexperience but I didn't receive any errors before that.
Any ideas?

A Former User

@nadnerB It means the jail isn't setup. Go back over the text files you made with Vi in step 7 and step 5

nadnerB

Thanks @thecreativeone91
A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go.

A Former User

I wrote a script to do this.

#!/bin/bash

# CentOS7 Fail2Ban Install and Configure Script

yum install -y epel-release fail2ban checkpolicy policycoreutils-python firewalld

cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
EOF

cat > fail2ban-syslog.te << EOF
module fail2ban-syslog 1.0;

require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;
EOF

checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp

systemctl start fail2ban

systemctl enable fail2ban

fail2ban-client status sshd

echo Done!

Anything I missed?

Danp

@Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?

Danp

Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

A Former User

@Danp said:

Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

I don't think Fail2ban likes log rotate.

Danp

@thecreativeone91 said:

I don't think Fail2ban likes log rotate.

Looks that way. I found this, but it's for an older version of both F2B and Centos.

Danp

Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.

Sparkum

When I do

fail2ban-client status sshd

I get

[root@dc fail2ban]# fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist

When I check the audit logs I get logs....

Danp

@Sparkum What do you get when you enter the following?:

fail2ban-client status

Sparkum

@Danp

[root@dc fail2ban]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list: