Fail2Ban scans log files and bans IPs that show malicious signs, e.g. too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) can also be configured.
- Add the EPEL release: `yum install epel-release`
- Install the Fail2Ban package: `yum install fail2ban`
- Enable the service: `systemctl enable fail2ban`
This installs a set of pre-configured "jails" and filters under /etc/fail2ban/. Do not edit those files directly; instead create your own configuration file in /etc/fail2ban/jail.local and paste the following in:
```ini
[DEFAULT]
# Ban hosts for one hour
bantime = 3600

# ignoreip can be an IP address, a CIDR mask or a DNS host.
# Fail2Ban will not ban a host which matches an address in this list.
# Several addresses can be defined using space (and/or comma) separator.
# Best to add office VPN IP and any client IP's here too.
ignoreip = 127.0.0.1/8

# Override /etc/fail2ban/jail.d/00-firewalld.conf
banaction = iptables-multiport

[sshd]
enabled = true

[sshd-ddos]
enabled = true

[mysqld-auth]
enabled = true

# Nginx specific - omit on Apache
# Detects password authentication failures.
[nginx-http-auth]
enabled = true

# Nginx specific - omit on Apache
[nginx-botsearch]
enabled = true

# Apache specific - omit on nginx
# Detects password authentication failures.
[apache-auth]
enabled = true

# Apache specific - omit on nginx
# Detects spammer bots crawling for email addresses.
[apache-badbots]
enabled = true

# Apache specific - omit on nginx
# Detects potential searches for exploits.
[apache-noscript]
enabled = true

# Apache specific - omit on nginx
# Detects Apache overflow attempts.
[apache-overflows]
enabled = true
```
After adding the above, restart the service with `systemctl restart fail2ban` and check that the jails are running with `fail2ban-client status`, which lists all running jails.

To check the status of any single running jail use `fail2ban-client status [NAME OF JAIL]`, e.g. `fail2ban-client status sshd`.

To view a log of the recent actions, look in
Extra custom jails
If you get lots of repeated requests to a URL such as the admin or any form of obvious brute force attempts, the configuration below will block repeated POST requests to a given URL, in this case /admin.
Any new jails always go in a file within
Add the following to
```ini
[Definition]
# Match these lines to find a login fail
failregex = ^<HOST> .*\"POST \/admin[^\"]+\"
# don't ignore anything
ignoreregex =
```
Then add the below to
```ini
[apache-post]
enabled = true
# Block these ports
port = http,https
# The filter name must match the file in filter.d, i.e.
# /etc/fail2ban/filter.d/apache-post.conf
filter = apache-post
logpath = /var/log/httpd/access.log
# Ban after 5 matching requests within 600 seconds
findtime = 600
maxretry = 5
```
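To see how the filter and the jail settings above fit together before putting them on a server, the following added example (not part of the original page or of Fail2Ban itself) replays the `failregex` and the `findtime`/`maxretry` window over a handful of constructed Apache access-log lines. Fail2Ban expands the `<HOST>` tag into its own host-matching pattern; the script substitutes a simplified IPv4-only group, and the log lines, IP addresses and timestamps are all constructed for the demonstration. The real tool for checking a filter against a log file is `fail2ban-regex`, but a replay like this makes it obvious why five attempts spread over twenty minutes never trip a 600-second window.

```python
"""Replay the apache-post filter and jail settings over access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the apache-post filter above. Fail2Ban substitutes the
# <HOST> tag with its own host pattern; here a simplified IPv4-only group.
FAILREGEX = r'^<HOST> .*\"POST \/admin[^\"]+\"'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Jail settings copied from the apache-post jail above.
FINDTIME = 600   # seconds
MAXRETRY = 5

# Apache combined-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TIMESTAMP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # 203.0.113.5: five POSTs to /admin within ten minutes -> banned on the fifth
    '203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:10 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:20 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/7.68.0"',
    # 198.51.100.7: a GET to /admin does not match the filter at all
    '198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # 192.0.2.9: five POSTs spread over twenty minutes -> never five inside findtime
    '192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:15:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:20:00 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> into a capturing group, as Fail2Ban does before matching."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def parse_failures(lines, regex=None):
    """Return (host, timestamp) for each line the failregex matches."""
    regex = regex or compile_failregex()
    failures = []
    for line in lines:
        match = regex.search(line)
        if not match:
            continue
        stamp = TIMESTAMP_RE.search(line)
        if not stamp:
            continue
        when = datetime.strptime(stamp.group(1), '%d/%b/%Y:%H:%M:%S')
        failures.append((match.group('host'), when))
    return failures


def simulate_bans(failures, findtime=FINDTIME, maxretry=MAXRETRY):
    """Apply the findtime/maxretry window; return {host: time of ban}."""
    recent = defaultdict(deque)
    banned = {}
    for host, when in sorted(failures, key=lambda f: f[1]):
        if host in banned:
            continue
        window = recent[host]
        window.append(when)
        # Forget failures that have fallen out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when
    return banned


if __name__ == '__main__':
    for host, when in simulate_bans(parse_failures(SAMPLE_LOG)).items():
        print(f'{host} would be banned at {when:%H:%M:%S}')
```

Widening `findtime` to 1800 seconds in the call to `simulate_bans` makes the slow 192.0.2.9 attempts fall inside one window as well, which is the trade-off to weigh when tuning the jail: a longer window catches slower brute forcing but also makes it easier for a legitimate user who mistypes a password to get locked out.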
If the service will not start, then try running /usr/bin/fail2ban-client -v -v start to see what the exact error is.
The most common reason for the service not starting is that log files are missing and/or cannot be written to. This is usually only an issue if they are not in the default directory. If this is the case you will need to override the
logpath parameter for each of the affected jails, in your
Try to stick to a standard format for these log files across servers so that they are easy to find, e.g. /var/log/(apache|nginx|httpd)/fail2ban/[JAILNAME]. You will need to manually create the directories and files as well, for example:
```ini
[nginx-http-auth]
enabled = true
logpath = /var/log/nginx/fail2ban/nginx-http-auth.log
```