Fail2ban
From Nuclear Physics Group Documentation Pages
This article contains instructions on installing and configuring fail2ban and also some useful tips for administering it.
Installing
- The fail2ban RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
- Install fail2ban via yum:
yum install fail2ban
Configuring
- Edit the /etc/fail2ban/jail.conf and change the following settings.
- Change bantime to 24 hours (in seconds)
bantime = 86400
- Change ssh-iptables jail (enabled by default) to 3 login attempts and not to send mail. An example config section is provided below.
- Change bantime to 24 hours (in seconds)
[ssh-iptables]
enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] #sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com] logpath = /var/log/secure maxretry = 6
- Start the fail2ban service.
/usr/bin/fail2ban-client start
- Note: Always start it from the fail2ban-client and not service because it will tell you if you have any errors in your config, whereas the service will just fail.
- Set fail2ban to start at boot time.
chkconfig fail2ban on
Unbanning
- Run iptables -L and find the ip address you want to unban. Note: the chain listed in iptables is not the jail the ip is contained. Check the fail2ban config if you don't know the jail name.
- Run the following commands as root.
fail2ban-client get <jailname> actionunban <ip address>
fail2ban-client reload