
Ahmer's SysAdmin Recipes is a blog for Linux System Administrators. This blog provides recipes for Installation & Configuration of Linux, Ubuntu, Oracle Database, MySQL, Apache, Nginx, Oracle Cloud Control, FreeIPA, Kerberos & OpenLDAP, Subversion, PXE, DevOps, etc. over Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu and Windows.


Sunday, 2 June 2019

Install fail2ban to Secure CentOS 7 servers

Brute-force, dictionary, DOS and DDOS attacks are quite frequent against common network services such as ssh, apache, nginx and mariadb. None of these services provides a native defence against such attacks. fail2ban is intrusion prevention software that protects Linux based servers from brute-force, DOS, DDOS and dictionary attacks.

fail2ban is implemented as a service that continuously monitors the log files of other services for failures, and then bans the hosts that caused multiple authentication failures, for a specified bantime.

fail2ban uses CentOS 7 firewall rules to ban the offending hosts.

Due to its simplicity and effectiveness, fail2ban is considered the preferred software to secure Linux services against DOS, DDOS, dictionary and brute-force attacks.

In this article, we will install fail2ban on CentOS 7 and then configure fail2ban to secure ssh, apache, nginx and mariadb servers against brute-force, dictionary, DDOS and DOS attacks.


fail2ban Features:

Some common features of fail2ban are:

  • Client/Server Architecture
  • Multi-threaded
  • Highly configurable using split configuration files
  • Parses log files and looks for given patterns
  • Uses Netfilter/Iptables by default but can also use TCP Wrapper (/etc/hosts.deny) and many other firewalls/actions
  • Can handle multiple services at once (sshd, apache, vsftpd, etc)
  • Character set awareness in log files
  • Python3+ support
  • Supports famous Linux distributions including Red Hat Enterprise Linux, CentOS, Ubuntu, SUSE, Debian, etc.

Environment Specification:

We have configured a CentOS 7 virtual machine with following specifications:

Hostname: fail2ban-01.example.com
IP Address: 192.168.116.171/24
Operating System: CentOS 7.6


Installing fail2ban on CentOS 7

Connect with fail2ban-01.example.com using ssh as root user.

fail2ban is available via EPEL (Extra Packages for Enterprise Linux) yum repository. Therefore, we must install epel-release to enable access to EPEL yum repository.

[root@fail2ban-01 ~]# yum install -y epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.ges.net.pk
 * extras: mirrors.ges.net.pk
 * updates: centosc6.centos.org
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch            Version         Repository        Size
================================================================================
Installing:
 epel-release          noarch          7-11            extras            15 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm                               |  15 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                     1/1
  Verifying  : epel-release-7-11.noarch                                     1/1

Installed:
  epel-release.noarch 0:7-11

Complete!

Build cache for yum repositories.

[root@fail2ban-01 ~]# yum makecache fast
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                       | 6.3 kB  00:00
 * base: mirrors.ges.net.pk
 * epel: my.fedora.ipserverone.com
 * extras: mirrors.ges.net.pk
 * updates: centosc6.centos.org
base                                                       | 3.6 kB  00:00
extras                                                     | 3.4 kB  00:00
updates                                                    | 3.4 kB  00:00
epel/x86_64/primary_db                                     | 6.7 MB  01:39
Metadata Cache Created

We are required to install the following fail2ban packages.

fail2ban.noarch: Daemon to ban hosts that cause multiple authentication errors
fail2ban-firewalld.noarch: Firewalld support for fail2ban
fail2ban-systemd.noarch: Systemd journal configuration for fail2ban

The EPEL yum repository always provides a stable release of fail2ban. However, you can download the latest experimental release from the fail2ban official website.

[root@fail2ban-01 ~]# yum install -y fail2ban fail2ban-firewalld fail2ban-systemd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.ges.net.pk
 * epel: sg.fedora.ipserverone.com
 * extras: mirrors.ges.net.pk
 * updates: centosc6.centos.org
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.7-1.el7 will be installed
--> Processing Dependency: fail2ban-sendmail = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch
--> Processing Dependency: fail2ban-server = 0.9.7-1.el7 for package: fail2ban-0.9.7-1.el7.noarch
---> Package fail2ban-firewalld.noarch 0:0.9.7-1.el7 will be installed
---> Package fail2ban-systemd.noarch 0:0.9.7-1.el7 will be installed
--> Running transaction check
---> Package fail2ban-sendmail.noarch 0:0.9.7-1.el7 will be installed
---> Package fail2ban-server.noarch 0:0.9.7-1.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.7-1.el7.noarch
--> Running transaction check
---> Package systemd-python.x86_64 0:219-62.el7_6.6 will be installed
--> Processing Dependency: systemd-libs = 219-62.el7_6.6 for package: systemd-python-219-62.el7_6.6.x86_64
--> Processing Dependency: systemd = 219-62.el7_6.6 for package: systemd-python-219-62.el7_6.6.x86_64
--> Running transaction check
---> Package systemd.x86_64 0:219-62.el7 will be updated
--> Processing Dependency: systemd = 219-62.el7 for package: systemd-sysv-219-62.el7.x86_64
---> Package systemd.x86_64 0:219-62.el7_6.6 will be an update
---> Package systemd-libs.x86_64 0:219-62.el7 will be updated
---> Package systemd-libs.x86_64 0:219-62.el7_6.6 will be an update
--> Running transaction check
---> Package systemd-sysv.x86_64 0:219-62.el7 will be updated
---> Package systemd-sysv.x86_64 0:219-62.el7_6.6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch       Version                Repository      Size
================================================================================
Installing:
 fail2ban               noarch     0.9.7-1.el7            epel            11 k
 fail2ban-firewalld     noarch     0.9.7-1.el7            epel            11 k
 fail2ban-systemd       noarch     0.9.7-1.el7            epel            11 k
Installing for dependencies:
 fail2ban-sendmail      noarch     0.9.7-1.el7            epel            14 k
 fail2ban-server        noarch     0.9.7-1.el7            epel           288 k
 systemd-python         x86_64     219-62.el7_6.6         updates        133 k
Updating for dependencies:
 systemd                x86_64     219-62.el7_6.6         updates        5.1 M
 systemd-libs           x86_64     219-62.el7_6.6         updates        407 k
 systemd-sysv           x86_64     219-62.el7_6.6         updates         84 k

Transaction Summary
================================================================================
Install  3 Packages (+3 Dependent packages)
Upgrade             ( 3 Dependent packages)

Total download size: 6.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-firewalld-0.9.7-1.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-firewalld-0.9.7-1.el7.noarch.rpm is not installed
(1/9): fail2ban-firewalld-0.9.7-1.el7.noarch.rpm           |  11 kB  00:00
(2/9): fail2ban-0.9.7-1.el7.noarch.rpm                     |  11 kB  00:00
(3/9): fail2ban-systemd-0.9.7-1.el7.noarch.rpm             |  11 kB  00:00
(4/9): fail2ban-sendmail-0.9.7-1.el7.noarch.rpm            |  14 kB  00:02
(5/9): systemd-sysv-219-62.el7_6.6.x86_64.rpm              |  84 kB  00:02
(6/9): systemd-python-219-62.el7_6.6.x86_64.rpm            | 133 kB  00:08
(7/9): fail2ban-server-0.9.7-1.el7.noarch.rpm              | 288 kB  00:11
(8/9): systemd-libs-219-62.el7_6.6.x86_64.rpm              | 407 kB  00:29
(9/9): systemd-219-62.el7_6.6.x86_64.rpm                   | 5.1 MB  01:56
--------------------------------------------------------------------------------
Total                                               54 kB/s | 6.2 MB  01:57
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : systemd-libs-219-62.el7_6.6.x86_64                          1/12
  Updating   : systemd-219-62.el7_6.6.x86_64                               2/12
  Installing : systemd-python-219-62.el7_6.6.x86_64                        3/12
  Installing : fail2ban-server-0.9.7-1.el7.noarch                          4/12
  Installing : fail2ban-sendmail-0.9.7-1.el7.noarch                        5/12
  Installing : fail2ban-firewalld-0.9.7-1.el7.noarch                       6/12
  Installing : fail2ban-0.9.7-1.el7.noarch                                 7/12
  Installing : fail2ban-systemd-0.9.7-1.el7.noarch                         8/12
  Updating   : systemd-sysv-219-62.el7_6.6.x86_64                          9/12
  Cleanup    : systemd-sysv-219-62.el7.x86_64                             10/12
  Cleanup    : systemd-219-62.el7.x86_64                                  11/12
  Cleanup    : systemd-libs-219-62.el7.x86_64                             12/12
  Verifying  : fail2ban-sendmail-0.9.7-1.el7.noarch                        1/12
  Verifying  : fail2ban-0.9.7-1.el7.noarch                                 2/12
  Verifying  : systemd-sysv-219-62.el7_6.6.x86_64                          3/12
  Verifying  : fail2ban-server-0.9.7-1.el7.noarch                          4/12
  Verifying  : fail2ban-systemd-0.9.7-1.el7.noarch                         5/12
  Verifying  : systemd-libs-219-62.el7_6.6.x86_64                          6/12
  Verifying  : fail2ban-firewalld-0.9.7-1.el7.noarch                       7/12
  Verifying  : systemd-219-62.el7_6.6.x86_64                               8/12
  Verifying  : systemd-python-219-62.el7_6.6.x86_64                        9/12
  Verifying  : systemd-libs-219-62.el7.x86_64                             10/12
  Verifying  : systemd-sysv-219-62.el7.x86_64                             11/12
  Verifying  : systemd-219-62.el7.x86_64                                  12/12

Installed:
  fail2ban.noarch 0:0.9.7-1.el7             fail2ban-firewalld.noarch 0:0.9.7-1.el7
  fail2ban-systemd.noarch 0:0.9.7-1.el7

Dependency Installed:
  fail2ban-sendmail.noarch 0:0.9.7-1.el7    fail2ban-server.noarch 0:0.9.7-1.el7
  systemd-python.x86_64 0:219-62.el7_6.6

Dependency Updated:
  systemd.x86_64 0:219-62.el7_6.6           systemd-libs.x86_64 0:219-62.el7_6.6
  systemd-sysv.x86_64 0:219-62.el7_6.6

Complete!

Since we are installing fail2ban on a CentOS 7 system, the fail2ban-firewalld and fail2ban-systemd packages are also required, for integration with firewalld and systemd respectively.

Enable and start fail2ban.service.

[root@fail2ban-01 ~]# systemctl enable fail2ban.service
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.
[root@fail2ban-01 ~]# systemctl start fail2ban.service


Understanding fail2ban Configuration Files:

fail2ban configuration files live in /etc/fail2ban/ and /etc/fail2ban/jail.d/.

fail2ban reads the *.conf files first and then the *.local files. Therefore, any setting in a *.conf file is overridden by the same setting in a *.local file.

Thus, it is best practice to create a custom jail.local file instead of editing the default jail.conf file, which would be overwritten on the next package upgrade.

fail2ban ships with a single jail configuration file, /etc/fail2ban/jail.conf, containing the initial configuration. This file contains sample jail definitions for common network services. Therefore, we can simply copy the required section into a jail.local file and enable the jail to apply it.

Copy the default jail.conf file as jail.local.

[root@fail2ban-01 ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, we can customize this file to create fail2ban jails for different Linux services. In fact, most fail2ban jails related to common Linux services are already predefined in this file. Therefore, we are only required to enable the jails we need.

But before enabling a fail2ban jail, we describe some settings in the DEFAULT section. These settings apply globally to all fail2ban jails unless a jail overrides them.

ignoreip - A list of IP addresses, hostnames or CIDR masks. fail2ban never bans a host that is listed here.
bantime - The time (in seconds) for which a host is banned.
findtime - The time span (in seconds) within which fail2ban must see maxretry failures from a host before banning it.
maxretry - The number of failures within findtime after which a host gets banned.
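The four DEFAULT settings above describe a sliding-window rule. The following script is an added example (not part of the original post) that replays that rule over a handful of constructed sshd log lines: a host is reported once it has produced at least maxretry failures within the trailing findtime seconds, and a host listed in ignoreip is never counted. The timestamps are all from one day, so the parser only converts the HH:MM:SS field to seconds; the sample lines, hostnames and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): replay of the fail2ban
# maxretry / findtime / ignoreip rule over constructed sshd log lines.
# All lines are from one day, so only the time-of-day field is parsed.
SAMPLE_LOG='Jun  2 10:00:01 fail2ban-01 sshd[1201]: Failed password for root from 192.168.116.152 port 51200 ssh2
Jun  2 10:00:05 fail2ban-01 sshd[1202]: Failed password for root from 192.168.116.152 port 51201 ssh2
Jun  2 10:00:10 fail2ban-01 sshd[1203]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Jun  2 10:00:12 fail2ban-01 sshd[1204]: Failed password for root from 192.168.116.152 port 51202 ssh2
Jun  2 10:00:20 fail2ban-01 sshd[1205]: Failed password for root from 192.168.116.152 port 51203 ssh2
Jun  2 10:00:31 fail2ban-01 sshd[1206]: Accepted password for ahmer from 192.168.116.152 port 51204 ssh2
Jun  2 10:00:40 fail2ban-01 sshd[1207]: Failed password for root from 192.168.116.152 port 51205 ssh2
Jun  2 10:30:10 fail2ban-01 sshd[1208]: Failed password for invalid user admin from 10.0.0.9 port 40002 ssh2
Jun  2 11:00:10 fail2ban-01 sshd[1209]: Failed password for invalid user admin from 10.0.0.9 port 40003 ssh2
Jun  2 11:30:10 fail2ban-01 sshd[1210]: Failed password for invalid user admin from 10.0.0.9 port 40004 ssh2
Jun  2 12:00:10 fail2ban-01 sshd[1211]: Failed password for invalid user admin from 10.0.0.9 port 40005 ssh2'

# find_bannable "<log text>" <maxretry> <findtime> ["<ignoreip list>"]
# Prints each host that crosses the threshold, once, in the order it did so.
find_bannable() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" -v ignore="$4" '
    BEGIN { n = split(ignore, ig, " "); for (k = 1; k <= n; k++) skip[ig[k]] = 1 }
    /Failed password for .* from / {
        split($3, t, ":")                        # HH:MM:SS -> seconds since midnight
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in skip)) next       # ignoreip hosts are never counted
        c = ++count[ip]; ts[ip, c] = now
        hits = 0                                 # failures inside the trailing window
        for (j = 1; j <= c; j++) if (now - ts[ip, j] <= findtime) hits++
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# With the jail.conf defaults (maxretry 5, findtime 600) only the fast
# attacker is caught; the slow one at 10.0.0.9 spreads 5 failures over
# two hours and stays under the threshold.
find_bannable "$SAMPLE_LOG" 5 600
```

Try the same log with a findtime of 7200 and the slow host is caught too, which is exactly the trade-off the DEFAULT section is tuning: a longer findtime catches slow, low-rate attacks at the cost of banning legitimate users who mistype a password a few times over the course of a day.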


Configure fail2ban to Secure SSH Service:

There are several predefined fail2ban jails for the sshd service in jail.local. We enable only one of them, as follows.

[root@fail2ban-01 ~]# sed -i "/^\[sshd\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

We also restart fail2ban.service to reload the configuration.

Now, try to connect to fail2ban-01.example.com with an ssh client using a wrong password. Make 5 failed attempts and the client host will be banned by fail2ban.

[root@fail2ban-tester ~]# ssh root@192.168.116.171
The authenticity of host '192.168.116.171 (192.168.116.171)' can't be established.
ECDSA key fingerprint is SHA256:kzyCimDDwGPsfsuGXxdrcBqlxVQlU8FZTsYrwbPzZHM.
ECDSA key fingerprint is MD5:b4:3f:a2:86:30:7a:b7:d7:b3:b0:10:8f:a3:3e:8a:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.116.171' (ECDSA) to the list of known hosts.
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@fail2ban-tester ~]# ssh root@192.168.116.171
root@192.168.116.171's password:
Permission denied, please try again.
root@192.168.116.171's password:

Check the sshd jail status using the fail2ban-client command.

[root@fail2ban-01 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.152

The host 192.168.116.152 has been banned by fail2ban for the predefined bantime, due to multiple authentication failures.

There are more predefined fail2ban jails related to the sshd service in the jail.local file. One of them is sshd-ddos, which can be used to secure the ssh service against DDOS (Distributed Denial of Service) attacks. You should experiment with the different jails on your own.
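The same status check is repeated for every jail in this article, and in practice it ends up in a monitoring script rather than being read by eye. The following is an added example (not part of the original post) that parses the text `fail2ban-client status <jail>` prints, as shown above, into values a script can act on. The sample status block is a constructed copy of the sshd output above with a second banned address added so that list handling is exercised; the threshold check is a hypothetical helper for alerting when a jail has more concurrent bans than expected.

```shell
#!/bin/sh
# Added example (not from the original post): turn the output of
# `fail2ban-client status <jail>` into values for a monitoring script.
# SAMPLE_STATUS is a constructed copy of the sshd status shown on the page,
# with one extra banned address so that the list handling is exercised.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     6
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.152 10.0.0.9'

# status_field "<status text>" "<label>"  -> prints the value after "<label>:"
status_field() {
    printf '%s\n' "$1" | awk -v label="$2" '
        { line = $0; sub(/^[| `-]*/, "", line) }      # strip the tree-drawing prefix
        index(line, label ":") == 1 {
            v = substr(line, length(label) + 2)
            sub(/^ +/, "", v)
            print v
            exit
        }'
}

# banned_ips "<status text>"  -> one banned address per line
banned_ips() {
    status_field "$1" "Banned IP list" | tr ' ' '\n' | sed '/^$/d'
}

# jail_over_threshold "<status text>" <n>  -> succeeds when "Currently banned" >= n
jail_over_threshold() {
    n=$(status_field "$1" "Currently banned")
    [ "${n:-0}" -ge "$2" ]
}

# Demo over the constructed sample; on a live host replace SAMPLE_STATUS
# with "$(fail2ban-client status sshd)".
printf 'total failed:     %s\n' "$(status_field "$SAMPLE_STATUS" "Total failed")"
printf 'currently banned: %s\n' "$(status_field "$SAMPLE_STATUS" "Currently banned")"
banned_ips "$SAMPLE_STATUS"
```

A cron job can call `jail_over_threshold "$(fail2ban-client status sshd)" 20 && logger -p auth.warning "sshd jail ban count high"` to surface a burst of bans, which is usually the first sign of a wider scan than the occasional mistyped password the jail is tuned for.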


Configure fail2ban to Secure Apache Web Server:

There are various predefined fail2ban jails available for the Apache service. We can enable each of them on demand.

This time we are enabling only the apache-auth jail, for demonstration of fail2ban.

[root@fail2ban-01 ~]# sed -i "/^\[apache-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

We have also configured an Apache website with HTTP basic authentication on this machine. We will use this website to test fail2ban.

Browse URL http://fail2ban-01.example.com using a client's browser.

The website will ask you for login credentials.

Perform login attempts with wrong credentials 6 times and the client host will be banned by fail2ban automatically for the predefined bantime.

You can check the status of the apache-auth jail as follows.

[root@fail2ban-01 ~]# fail2ban-client status apache-auth
Status for the jail: apache-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     13
|  `- File list:        /var/log/httpd/error_log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.1


Configure fail2ban to Secure nginx Web Server:

Just like Apache, there is a predefined fail2ban jail for nginx authentication failures. Therefore, we are going to enable and test it.

We have configured an nginx web server with HTTP basic authentication on this machine, and we now use it for demonstration.

[root@fail2ban-01 ~]# sed -i "/^\[nginx-http-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

Browse URL http://fail2ban-01.example.com using a client's browser.

The website will ask you for login credentials.

Perform login attempts with wrong credentials 6 times and the client host will be banned by fail2ban automatically for the predefined bantime. Check the status of the nginx-http-auth jail as follows.

[root@fail2ban-01 ~]# fail2ban-client status nginx-http-auth
Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/nginx/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.1


Configure fail2ban to Secure MariaDB Server:

There are rare cases when we have to expose the MariaDB service port to the network. However, exposing the default MariaDB port also exposes the service to various threats.

Therefore, in such cases, we can use fail2ban to secure MariaDB against brute-force, dictionary, DOS and DDOS attacks.

[root@fail2ban-01 ~]# sed -i "/^\[mysqld-auth\]/a\\enabled=true" /etc/fail2ban/jail.local
[root@fail2ban-01 ~]# systemctl restart fail2ban.service

The MariaDB server's default log level (log-warnings) is 1, and at log level 1 MariaDB does not record failed login attempts in its log file.

In this case, fail2ban cannot work, because it does not find any login failures in the MariaDB log file.

Therefore, we have to increase the log level of the MariaDB server so that it records failed login attempts in its log file.

Use the following commands to increase the log level of the MariaDB server.

[root@fail2ban-01 ~]# sed -i "/^\[mysqld\]/a\\log-warnings=2" /etc/my.cnf
[root@fail2ban-01 ~]# systemctl restart mariadb.service
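Every jail in this article, and the my.cnf change just above, is switched on with a `sed -i "/^\[section\]/a\\key=value"` one-liner. That form is not idempotent: each time it is run (a second pass of the same recipe, a configuration-management agent applying it every hour) it appends another `enabled=true` or `log-warnings=2` line under the header. The following is an added example (not part of the original post, and not fail2ban's or MariaDB's own tooling) of a small shell helper that replaces the key if the section already carries it and only inserts it, directly after the header, when it does not. It assumes the layout both jail.local and my.cnf use: `[section]` headers starting at column 0 and one `key = value` per line; the trimmed jail.local it writes for the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent replacement for
# the `sed -i "/^\[sshd\]/a\\enabled=true"` style of edit. Assumes "[section]"
# headers at column 0 and one "key = value" per line, as in jail.local and my.cnf.
# Keys are used inside a regex, so a key containing regex metacharacters
# (none of fail2ban's or MariaDB's do) would need escaping first.

# ini_key_line <file> <section> <key>  -> line number of key inside section, or nothing
ini_key_line() {
    awk -v section="$2" -v key="$3" '
    /^\[/ { in_section = ($0 == ("[" section "]")) }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") { print NR; exit }
    ' "$1"
}

# get_ini_key <file> <section> <key>  -> value of key inside section, or nothing
get_ini_key() {
    awk -v section="$2" -v key="$3" '
    /^\[/ { in_section = ($0 == ("[" section "]")) }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# set_ini_key <file> <section> <key> <value>  -> rewrites file in place; fails if section is absent
set_ini_key() {
    file=$1 section=$2 key=$3 value=$4
    grep -q "^\[$section\]\$" "$file" || { echo "no [$section] section in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    line=$(ini_key_line "$file" "$section" "$key")
    if [ -n "$line" ]; then
        # key already present in this section: replace that one line
        awk -v n="$line" -v kv="$key = $value" 'NR == n { print kv; next } { print }' "$file" > "$tmp"
    else
        # key absent: insert it right after the section header, as the sed one-liner does
        awk -v section="$section" -v kv="$key = $value" \
            '{ print } $0 == ("[" section "]") { print kv }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file"      # write through, keeping the file's owner and mode
    rm -f "$tmp"
}

# write_sample_jail <path>: constructed, trimmed jail.local for trying the helpers offline
write_sample_jail() {
    cat > "$1" <<'EOF'
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
port    = ssh
logpath = %(sshd_log)s

[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
EOF
}

# Demo: enable the sshd jail twice (second call is a no-op) and raise the global bantime.
demo=$(mktemp)
write_sample_jail "$demo"
set_ini_key "$demo" sshd enabled true
set_ini_key "$demo" sshd enabled true
set_ini_key "$demo" DEFAULT bantime 3600
cat "$demo"
rm -f "$demo"
```

On the real host the calls become `set_ini_key /etc/fail2ban/jail.local sshd enabled true` and `set_ini_key /etc/my.cnf mysqld log-warnings 2`, followed by the same `systemctl restart` as in the article; the missing-section failure is deliberate, since silently appending `enabled = true` to the end of a file would attach it to whatever section happens to be last.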

Perform multiple login attempts with a wrong username/password from another host. fail2ban will ban that host for the predefined bantime because of the suspicious activity.

[root@fail2ban-tester ~]# mysql -u ahmer -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'ahmer'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u root -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'root'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u root -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'root'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r1 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r1'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r2 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r2'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r4 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r4'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r5 -p12a -h 192.168.116.171
ERROR 1045 (28000): Access denied for user 'r5'@'192.168.116.152' (using password: YES)
[root@fail2ban-tester ~]# mysql -u r7 -p12a -h 192.168.116.171
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.116.171' (111)

Check the status of the mysqld-auth jail using the fail2ban-client command.

[root@fail2ban-01 ~]# fail2ban-client status mysqld-auth
Status for the jail: mysqld-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/mariadb/mariadb.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.116.152

We have successfully installed fail2ban on CentOS 7 and configured fail2ban to secure ssh, Apache, Nginx and MariaDB servers against brute-force, dictionary, DOS and DDOS attacks.
