[How to] Fail2ban on CentOS 7
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
Awesome writeup.
This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.
Are you saying you need this at C@C because you don't have a hardware firewall?
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
The default CentOS 7 firewall has been really good, so it would probably work well enough for an internal facing server.
-
@Dashrender said:
Are you saying you need this at C@C because you don't have a hardware firewall?
@coliver said:
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
This. Firewall or not, because it is open to the public, it needs protection.
On an internal system with no public access is simply not worth it on CentOS7.
-
@JaredBusch said:
@Dashrender said:
Are you saying you need this at C@C because you don't have a hardware firewall?
@coliver said:
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
This. Firewall or not, because it is open to the public, it needs protection.
On an internal system with no public access is simply not worth it on CentOS7.
You can also disable root from logging in via SSH Just
vi /etc/ssh/sshd_config
And Change thePremitRootLogin yes
toPremitRootLogin no
This also disables the login via SCP of course
-
Well, I've just tried it and I received an error when checking the status using
fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry, but the Jail 'sshd' does not exist
This might just be due to my inexperience but I didn't receive any errors before that.
Any ideas? -
@nadnerB It means the jail isn't setup. Go back over the text files you made with Vi in step 7 and step 5
-
Thanks @thecreativeone91
A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go. -
I wrote a script to do this.
#!/bin/bash # CentOS7 Fail2Ban Install and Configure Script yum install -y epel-release fail2ban checkpolicy policycoreutils-python firewalld cat > /etc/fail2ban/jail.local << EOF [sshd] enabled = true EOF cat > fail2ban-syslog.te << EOF module fail2ban-syslog 1.0; require { type syslogd_var_run_t; type fail2ban_t; class dir read; class file read; class file open; class file getattr; } #============= fail2ban_t ============== allow fail2ban_t syslogd_var_run_t:dir read; allow fail2ban_t syslogd_var_run_t:file read; allow fail2ban_t syslogd_var_run_t:file open; allow fail2ban_t syslogd_var_run_t:file getattr; EOF checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod semodule -i fail2ban-syslog.pp systemctl start fail2ban systemctl enable fail2ban fail2ban-client status sshd echo Done!
Anything I missed?
-
@Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?
-
Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?
-
@Danp said:
Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?
I don't think Fail2ban likes log rotate.
-
@thecreativeone91 said:
I don't think Fail2ban likes log rotate.
Looks that way. I found this, but it's for an older version of both F2B and Centos.
-
Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.
-
When I do
fail2ban-client status sshd
I get
[root@dc fail2ban]# fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not existWhen I check the audit logs I get logs....
-
@Sparkum What do you get when you enter the following?:
fail2ban-client status
-
[root@dc fail2ban]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list: -
Did you follow the steps and create the jail.local file?
-
Yep
-
Noticed the problem happened below.
Changed "enabled" to "enable" and looks like it works.
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
|- File list: /var/log/secure
- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:Much appreciated thanks
-
@Sparkum That's strange, b/c I believe "enabled" is the correct entry.