Install and Configure fail2ban on CentOS 7

To install fail2ban on CentOS/RHEL 7, you first need to make sure you have the EPEL repository enabled. Then you can simply install it with yum as usual.

# yum install fail2ban

Configure fail2ban

You will need to create a file called jail.local. To do this, make a copy of jail.conf and edit the copy; do not edit jail.conf itself.

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# vim /etc/fail2ban/jail.local

To enable fail2ban to work with SSH, make sure enabled=true is somewhere under the [sshd] section.

[sshd]
enabled = true

To make sure fail2ban is started and has picked up your changes, run the commands below.

# systemctl enable fail2ban.service
# systemctl restart fail2ban.service

Check Service

You should always check that the service you have installed is working correctly. Fail2ban logs its messages to /var/log/fail2ban.log, so you can check it is working by tailing the log file.

# tail -f /var/log/fail2ban.log

You should hopefully see something like this if you watch it for long enough.

2015-02-21 16:39:34,644 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:36,658 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:39,671 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:41,679 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:45,694 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151
2015-02-21 16:39:46,658 fail2ban.actions        [4609]: NOTICE  [sshd] Ban 115.230.126.151
2015-02-21 16:39:47,712 fail2ban.filter         [4609]: INFO    [sshd] Found 115.230.126.151

If your log file fills up with messages like the ones below, you will have to either create a PTR record that matches your server's FQDN or stop fail2ban from using DNS.

...
2015-02-21 16:23:30,756 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,771 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,784 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,823 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,836 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,980 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:30,993 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:31,888 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
2015-02-21 16:23:31,934 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: pc-cerc-249.upc.edu = ['147.83.135.249']
...

I resolved this issue by creating a PTR. However, the alternative is to make sure fail2ban does not use DNS:

# vim /etc/fail2ban/jail.local

Make sure usedns = no is present within the [DEFAULT] section.

[DEFAULT]
usedns = no

And as usual, restart the service.

# systemctl restart fail2ban.service
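
To check a long log without reading it by eye, the following added example (not part of the original article) summarises the Found, Ban and DNS lookup warning lines in the log format shown above. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Reads fail2ban.log on stdin
# (format assumed to be the one shown above) and prints sorted records:
#   found <jail> <ip> <n>            filter matches
#   ban <jail> <ip> <n>              bans issued
#   found-after-ban <jail> <ip> <n>  matches logged while the IP was banned
#   dnswarn <hostname> <n>           "Determined IP using DNS Lookup" warnings
summarise_fail2ban() {
    awk '
    $3 == "fail2ban.filter" && $7 == "Found" {
        key = $6 " " $8
        found[key]++
        if (key in active) late[key]++   # still reaching the service
    }
    $3 == "fail2ban.actions" && $7 == "Ban"   { key = $6 " " $8; bans[key]++; active[key] = 1 }
    $3 == "fail2ban.actions" && $7 == "Unban" { delete active[$6 " " $8] }
    $5 == "WARNING" && /Determined IP using DNS Lookup:/ { dns[$11]++ }
    END {
        for (k in found) print "found", k, found[k]
        for (k in bans)  print "ban", k, bans[k]
        for (k in late)  print "found-after-ban", k, late[k]
        for (k in dns)   print "dnswarn", k, dns[k]
    }' | sort
}

# Constructed sample log (203.0.113.0/24 and example.net are documentation values).
sample_log() {
    cat <<'EOF'
2015-02-21 16:39:34,644 fail2ban.filter         [4609]: INFO    [sshd] Found 203.0.113.7
2015-02-21 16:39:36,658 fail2ban.filter         [4609]: INFO    [sshd] Found 203.0.113.7
2015-02-21 16:39:39,671 fail2ban.filter         [4609]: INFO    [sshd] Found 203.0.113.7
2015-02-21 16:39:40,658 fail2ban.actions        [4609]: NOTICE  [sshd] Ban 203.0.113.7
2015-02-21 16:39:41,712 fail2ban.filter         [4609]: INFO    [sshd] Found 203.0.113.7
2015-02-21 16:40:02,101 fail2ban.filter         [4609]: INFO    [sshd] Found 203.0.113.9
2015-02-21 16:40:30,756 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: host.example.net = ['203.0.113.20']
2015-02-21 16:40:30,771 fail2ban.filter         [4609]: WARNING Determined IP using DNS Lookup: host.example.net = ['203.0.113.20']
EOF
}

sample_log | summarise_fail2ban
```

On a real host, run it as summarise_fail2ban < /var/log/fail2ban.log. A found-after-ban count of one or two right after a ban is usually just lag; a count that keeps growing means the ban action is not blocking the address, and any dnswarn record is the DNS lookup condition described above.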
