[How to] Fail2ban on CentOS 7
-
I figured since so many people are doing Cloud at Cost I'd make a tutorial for setting up fail2ban on CentOS 7, as it's not as simple as it used to be.
-
Add the EPEL Repo
yum install -y epel-release
-
Install Fail2Ban
yum install -y fail2ban
-
Install other needed packages
yum install -y checkpolicy policycoreutils-python
-
Firewalld should be installed by default; if not, install it
yum install -y firewalld
-
Create the file
vi /etc/fail2ban/jail.local
-
Insert the text below, then exit and save using :wq
[sshd]
enabled = true
-
Create the file
vi /etc/fail2ban/jail.d/sshd.local
-
Press Insert on your keyboard and then paste this text into your SSH session (usually just right click)
[sshd]
enabled = true
#action = firewallcmd-ipset
bantime = 96400
-
Press Escape on your keyboard and then enter :wq to write the file and quit vi
-
SELinux in CentOS blocks Fail2ban, so we must fix it. Create the file fail2ban-syslog.te
vi fail2ban-syslog.te
-
Insert the following text, then save and exit the file
module fail2ban-syslog 1.0;
require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}
#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;
-
Make the module.
checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp
-
Enable fail2ban to run at start and start fail2ban
systemctl enable fail2ban
systemctl start fail2ban
Let me know if you have issues with it.
You can use
fail2ban-client status sshd
to check the status and
tail -f /var/log/audit/audit.log
to check the logs.
Posted on SW as well: http://community.spiceworks.com/how_to/110897-install-fail2ban-on-centos-7
-
-
Awesome writeup.
-
nice, I'll be trying this with Freepbx soon. thanks.
-
@scottalanmiller said:
Awesome writeup.
This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.
-
@JaredBusch said:
@scottalanmiller said:
Awesome writeup.
This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.
Are you saying you need this at C@C because you don't have a hardware firewall?
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
Awesome writeup.
This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.
Are you saying you need this at C@C because you don't have a hardware firewall?
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
The default CentOS 7 firewall has been really good, so it would probably work well enough for an internal facing server.
-
@Dashrender said:
Are you saying you need this at C@C because you don't have a hardware firewall?
@coliver said:
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
This. Firewall or not, because it is open to the public, it needs protection.
On an internal system with no public access it is simply not worth it on CentOS 7.
-
@JaredBusch said:
@Dashrender said:
Are you saying you need this at C@C because you don't have a hardware firewall?
@coliver said:
I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.
This. Firewall or not, because it is open to the public, it needs protection.
On an internal system with no public access it is simply not worth it on CentOS 7.
You can also disable root from logging in via SSH. Just
vi /etc/ssh/sshd_config
and change PermitRootLogin yes
to PermitRootLogin no
This also disables login via SCP, of course.
-
Well, I've just tried it and I received an error when checking the status using
fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry, but the Jail 'sshd' does not exist
This might just be due to my inexperience but I didn't receive any errors before that.
Any ideas?
-
@nadnerB It means the jail isn't set up. Go back over the text files you made with vi in step 7 and step 5.
-
Thanks @thecreativeone91
A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go.
-
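Added example, not from the original post or any of the replies: the steps of the tutorial above collected into one script, plus a check for the "enable" vs "enabled" mistake that produced the "Sorry but the jail 'sshd' does not exist" error a few posts up. DESTDIR, WORKDIR, BANTIME and the function names are my own; DESTDIR lets the file-writing steps run against a scratch directory (DESTDIR=/tmp/f2b) without installing anything, and the package, semodule and systemctl steps only run when DESTDIR is empty, i.e. on the live CentOS 7 box as root. The bantime default of 86400 (one day) is my choice; the post uses 96400.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumptions: CentOS 7 with
# yum, run as root, for the live path; DESTDIR/WORKDIR/BANTIME are this
# script's own variables so the config-writing steps can be dry-run elsewhere.
set -eu

DESTDIR="${DESTDIR:-}"          # prefix for /etc; empty means the live system
WORKDIR="${WORKDIR:-/root}"     # where the SELinux .te/.mod/.pp files are built
BANTIME="${BANTIME:-86400}"     # seconds; 86400 is one day (the post uses 96400)

# Packages: EPEL first, then fail2ban (which lives in EPEL) and the rest.
install_packages() {
    yum install -y epel-release
    yum install -y fail2ban checkpolicy policycoreutils-python firewalld
}

# jail.local enables the sshd jail; jail.d/sshd.local sets the ban time.
write_jail_config() {
    dir="$1/etc/fail2ban"
    mkdir -p "$dir/jail.d"
    printf '[sshd]\nenabled = true\n' > "$dir/jail.local"
    printf '[sshd]\nenabled = true\nbantime = %s\n' "$BANTIME" > "$dir/jail.d/sshd.local"
}

# The SELinux module from the post (same rules, standard brace syntax).
write_te_module() {
    cat > "$1/fail2ban-syslog.te" <<'EOF'
module fail2ban-syslog 1.0;

require {
    type syslogd_var_run_t;
    type fail2ban_t;
    class dir read;
    class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file { read open getattr };
EOF
}

build_and_load_module() {
    ( cd "$1" &&
      checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te &&
      semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod &&
      semodule -i fail2ban-syslog.pp )
}

# Returns 0 when [section] in an INI-style jail file contains "enabled = true".
# A line reading "enable = true" (the typo from this thread) does not count,
# and a matching line under a different [section] does not count either.
jail_enabled() {
    awk -v want="[$2]" '
        $0 == want { in_sec = 1; next }
        /^\[/      { in_sec = 0 }
        in_sec     { line = $0; gsub(/[ \t]/, "", line)
                     if (line == "enabled=true") found = 1 }
        END        { exit !found }
    ' "$1"
}

main() {
    if [ -z "$DESTDIR" ]; then
        install_packages
    fi
    write_jail_config "$DESTDIR"
    mkdir -p "$WORKDIR"
    write_te_module "$WORKDIR"
    jail_enabled "$DESTDIR/etc/fail2ban/jail.local" sshd ||
        { echo "sshd jail is not enabled in jail.local" >&2; exit 1; }
    if [ -z "$DESTDIR" ]; then
        build_and_load_module "$WORKDIR"
        systemctl enable fail2ban
        systemctl restart fail2ban
        fail2ban-client status sshd
    fi
}

# Only run the steps when invoked as "sh f2b-centos7.sh install"; sourcing the
# file just defines the functions so the config check can be reused.
if [ "${1:-}" = "install" ]; then
    main
fi
```

Run it once with DESTDIR=/tmp/f2b to look at the generated files, then without DESTDIR as root to do the real install. If fail2ban-client still reports no sshd jail afterwards, jail_enabled against the file you actually edited is the quickest way to spot a misspelled key.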
I wrote a script to do this.
#!/bin/bash
# CentOS7 Fail2Ban Install and Configure Script
# epel-release has to be installed first; fail2ban comes from EPEL, so it is not
# visible to yum until that repo is in place.
yum install -y epel-release
yum install -y fail2ban checkpolicy policycoreutils-python firewalld
cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
EOF
cat > fail2ban-syslog.te << EOF
module fail2ban-syslog 1.0;
require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}
#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;
EOF
checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
semodule -i fail2ban-syslog.pp
systemctl start fail2ban
systemctl enable fail2ban
fail2ban-client status sshd
echo Done!
Anything I missed?
-
@Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?
-
Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?
-
@Danp said:
Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?
I don't think Fail2ban likes log rotate.
-
@thecreativeone91 said:
I don't think Fail2ban likes log rotate.
Looks that way. I found this, but it's for an older version of both F2B and CentOS.
-
Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.
-
When I do
fail2ban-client status sshd
I get
[root@dc fail2ban]# fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
When I check the audit logs I get logs....
-
@Sparkum What do you get when you enter the following?:
fail2ban-client status
-
[root@dc fail2ban]# fail2ban-client status
Status
|- Number of jail: 0
`- Jail list: