    [How to] Fail2ban on CentOS 7

    IT Discussion
    A Former User

      I figured since so many people are doing Cloud at Cost I'd make a tutorial for setting up fail2ban on CentOS 7, as it's not as simple as it used to be.

      1. Add the EPEL repo
        yum install -y epel-release

      2. Install Fail2Ban
        yum install -y fail2ban

      3. Install the other needed packages
        yum install -y checkpolicy policycoreutils-python

      4. Firewalld should be installed by default; if not, install it
        yum install -y firewalld

      5. Create the file
        vi /etc/fail2ban/jail.local

      6. Insert the text below and then exit and save using :wq

        [sshd]
        enabled = true

      7. Create the file
        vi /etc/fail2ban/jail.d/sshd.local

      8. Press Insert on your keyboard and then paste this text into your SSH session (usually just right click)

        [sshd]
        enabled = true
        #action = firewallcmd-ipset
        bantime = 96400

      9. Type Escape on your keyboard and then enter :wq to write the file and quit vi

      10. SELinux on CentOS blocks Fail2ban, so we must fix it. Create the file fail2ban-syslog.te
        vi fail2ban-syslog.te

      11. Insert the following text, then save and exit the file

        module fail2ban-syslog 1.0;

        require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
        class file read;
        class file open;
        class file getattr;
        }

        #============= fail2ban_t ==============
        allow fail2ban_t syslogd_var_run_t:dir read;
        allow fail2ban_t syslogd_var_run_t:file read;
        allow fail2ban_t syslogd_var_run_t:file open;
        allow fail2ban_t syslogd_var_run_t:file getattr;

      12. Make the module.
        checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
        semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
        semodule -i fail2ban-syslog.pp

      13. Enable fail2ban to run at start and start fail2ban
        systemctl enable fail2ban
        systemctl start fail2ban

      Let me know if you have issues with it.

      You can use fail2ban-client status sshd to check the status and tail -f /var/log/audit/audit.log to check the logs

      Posted on SW as well http://community.spiceworks.com/how_to/110897-install-fail2ban-on-centos-7

      scottalanmiller

        Awesome writeup.

        Dashrender

          nice, I'll be trying this with Freepbx soon. thanks.

          JaredBusch @scottalanmiller

            @scottalanmiller said:

            Awesome writeup.

            This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

            Dashrender @JaredBusch

              @JaredBusch said:

              @scottalanmiller said:

              Awesome writeup.

              This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

              Are you saying you need this at C@C because you don't have a hardware firewall?

              coliver @Dashrender

                @Dashrender said:

                @JaredBusch said:

                @scottalanmiller said:

                Awesome writeup.

                This is why I am against your opinion of adding this to all systems, it is NOT a simple yum-y install process and the setup is not required for many systems with the solid firewall already in place on CentOS 7. I do completely agree for a hosted solution such as C@C it is required.

                Are you saying you need this at C@C because you don't have a hardware firewall?

                I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

                The default CentOS 7 firewall has been really good, so it would probably work well enough for an internal facing server.

                JaredBusch @coliver

                  @Dashrender said:

                  Are you saying you need this at C@C because you don't have a hardware firewall?

                  @coliver said:

                  I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

                  This. Firewall or not, because it is open to the public, it needs protection.

                  On an internal system with no public access it is simply not worth it on CentOS 7.

                  A Former User @JaredBusch

                    @JaredBusch said:

                    @Dashrender said:

                    Are you saying you need this at C@C because you don't have a hardware firewall?

                    @coliver said:

                    I think he is implying that since it is by default a public-facing computer, you should have as many layers of security on it as you can get.

                    This. Firewall or not, because it is open to the public, it needs protection.

                    On an internal system with no public access is simply not worth it on CentOS7.

                    You can also disable root from logging in via SSH. Just run
                    vi /etc/ssh/sshd_config
                    and change PermitRootLogin yes to PermitRootLogin no.

                    This also disables the login via SCP of course

                      nadnerB

                      Well, I've just tried it and I received an error when checking the status using fail2ban-client status sshd
                      ERROR NOK: ('sshd',)
                      Sorry, but the Jail 'sshd' does not exist

                      This might just be due to my inexperience but I didn't receive any errors before that.
                      Any ideas?

                        A Former User @nadnerB

                        @nadnerB It means the jail isn't set up. Go back over the text files you made with vi in step 7 and step 5.

                          nadnerB @A Former User

                          Thanks @thecreativeone91
                          A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go.

                            A Former User @nadnerB

                            I wrote a script to do this.

                            #!/bin/bash
                            
                            # CentOS7 Fail2Ban Install and Configure Script
                            
                            # fail2ban comes from EPEL, so epel-release must be installed (and its
                            # repo enabled) in its own yum transaction first; putting it in the same
                            # command as fail2ban fails with "No package fail2ban available".
                            yum install -y epel-release
                            yum install -y fail2ban checkpolicy policycoreutils-python firewalld
                            
                            # Enable the sshd jail (jail.local overrides jail.conf)
                            cat > /etc/fail2ban/jail.local << EOF
                            [sshd]
                            enabled = true
                            EOF
                            
                            # SELinux: allow fail2ban_t to read syslogd's run directory (steps 10-12)
                            cat > fail2ban-syslog.te << EOF
                            module fail2ban-syslog 1.0;
                            
                            require {
                            type syslogd_var_run_t;
                            type fail2ban_t;
                            class dir read;
                            class file read;
                            class file open;
                            class file getattr;
                            }
                            
                            #============= fail2ban_t ==============
                            allow fail2ban_t syslogd_var_run_t:dir read;
                            allow fail2ban_t syslogd_var_run_t:file read;
                            allow fail2ban_t syslogd_var_run_t:file open;
                            allow fail2ban_t syslogd_var_run_t:file getattr;
                            EOF
                            
                            # Compile, package and load the policy module
                            checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
                            semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
                            semodule -i fail2ban-syslog.pp
                            
                            # Start now and on every boot
                            systemctl start fail2ban
                            
                            systemctl enable fail2ban
                            
                            fail2ban-client status sshd
                            
                            echo Done!
                            

                            Anything I missed?

                              Danp @A Former User

                              @Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?

                                Danp

                                Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

                                  A Former User @Danp

                                  @Danp said:

                                  Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

                                  I don't think Fail2ban likes log rotate.

                                    Danp @A Former User

                                    @thecreativeone91 said:

                                    I don't think Fail2ban likes log rotate.

                                    Looks that way. I found this, but it's for an older version of both F2B and Centos.

                                      Danp

                                      Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.

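What Danp's copytruncate change looks like in the logrotate stanza. This is an added example for this thread, not Danp's actual file and not the stanza the EPEL package ships; the path /etc/logrotate.d/fail2ban and the log file /var/log/fail2ban.log are assumptions (check with rpm -qf /etc/logrotate.d/fail2ban and the logtarget setting in fail2ban.conf). The reason the original problem occurs: by default logrotate renames fail2ban.log and creates a new one, but fail2ban-server still holds the file descriptor for the renamed file, so its output goes to fail2ban.log.1 and then vanishes when that is compressed.

```conf
# /etc/logrotate.d/fail2ban  (assumed path, see lead-in)
/var/log/fail2ban.log {
    weekly
    rotate 4
    missingok
    notifempty
    compress
    delaycompress
    # copytruncate: copy the live file to fail2ban.log.1, then truncate the
    # original in place. fail2ban-server keeps its open descriptor and keeps
    # logging to the same inode, so nothing is lost after the rotation.
    # Caveat from logrotate(8): lines written in the small window between the
    # copy and the truncate are dropped.
    copytruncate
}
```

Dry-run the stanza with logrotate -d /etc/logrotate.d/fail2ban and force a real rotation with logrotate -f /etc/logrotate.d/fail2ban, then confirm new lines still land in fail2ban.log. The alternative that avoids the copy window is to keep the default rename and tell the server to reopen its log from a postrotate block, which as far as I recall is what fail2ban's own packaging does: `postrotate`, `/usr/bin/fail2ban-client flushlogs >/dev/null || true`, `endscript` in place of the copytruncate line.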
                                        Sparkum

                                        When I do

                                        fail2ban-client status sshd

                                        I get

                                        [root@dc fail2ban]# fail2ban-client status sshd
                                        ERROR NOK: ('sshd',)
                                        Sorry but the jail 'sshd' does not exist

                                        When I check the audit logs I get logs....

                                          Danp @Sparkum

                                          @Sparkum What do you get when you enter the following?

                                          fail2ban-client status
                                          
                                            Sparkum @Danp

                                            @Danp

                                            [root@dc fail2ban]# fail2ban-client status
                                            Status
                                            |- Number of jail: 0
                                            `- Jail list:

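nadnerB's "Sorry, but the Jail 'sshd' does not exist" and Sparkum's "Number of jail: 0" are the same failure: fail2ban-server started, found no jail section whose final enabled value was true, and did not complain about anything else (an unknown option such as nadnerB's "enable = true" is simply ignored). Below is an added example, written for this thread and not part of the original post or of fail2ban itself: a POSIX sh script that merges the jail files in the read order documented in the header of jail.conf (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, later files overriding earlier ones) and prints which jails actually end up enabled, plus a grep for the missing-d typo. Only the enabled option is evaluated; option names are treated as case-insensitive and section names as case-sensitive, which matches fail2ban's INI reader as far as I know. Everything else about a jail (filter, logpath, action) is not validated, and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example for this thread: sanity-check fail2ban jail configuration.
# Not fail2ban's own code; read order and case rules are assumptions taken
# from the jail.conf header (see lead-in).

# list_enabled_jails CONFDIR
#   Concatenates CONFDIR's jail files in fail2ban's read order and prints,
#   sorted one per line, every jail section whose last "enabled" value is
#   "true". [DEFAULT] is skipped on purpose: enabling it turns on every jail
#   defined in jail.conf, which is almost never intended.
list_enabled_jails() {
    confdir=$1
    for f in "$confdir/jail.conf" "$confdir"/jail.d/*.conf \
             "$confdir/jail.local" "$confdir"/jail.d/*.local; do
        [ -f "$f" ] && cat "$f"          # unmatched globs stay literal, skipped
    done | awk '
        /^[[:space:]]*[#;]/ { next }     # comment line
        /^[[:space:]]*\[/ {              # [section] header
            s = $0
            sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            section = s; next
        }
        tolower($0) ~ /^[[:space:]]*enabled[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            enabled[section] = tolower(v); next   # later files override
        }
        END {
            for (j in enabled)
                if (j != "DEFAULT" && enabled[j] == "true") print j
        }' | sort
}

# find_jail_typos CONFDIR
#   Prints FILE:LINE:TEXT for every "enable =" (no trailing d) in the files
#   an admin edits by hand, jail.local and jail.d/*.local. fail2ban does not
#   report unknown jail options, so this is the only place the typo shows.
find_jail_typos() {
    confdir=$1
    for f in "$confdir/jail.local" "$confdir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        grep -n -i -E '^[[:space:]]*enable[[:space:]]*=' "$f" | sed "s|^|$f:|"
    done
}

# Usage (file name is an assumption): sh f2b-check.sh /etc/fail2ban
if [ -n "${1:-}" ]; then
    echo "Jails enabled under $1:"
    list_enabled_jails "$1"
    typos=$(find_jail_typos "$1")
    if [ -n "$typos" ]; then
        echo "Probable typo (should be 'enabled ='):"
        echo "$typos"
    fi
fi
```

Run it against /etc/fail2ban before systemctl start fail2ban. If it lists sshd but fail2ban-client status still shows no jails, the problem is elsewhere: journalctl -u fail2ban for a parse error in the jail or filter files, semodule -l | grep fail2ban-syslog to confirm the policy module from step 12 is actually loaded, and ausearch -m avc -c fail2ban-server for SELinux denials that survived it.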