Using fail2ban on Fedora


The fail2ban tool in Linux monitors system logs for signs of attacks (such as repeated failed logins), puts the offending source systems into what it calls "jail" by adding blocking rules to the firewall, and shows which systems are in jail at any given time. It requires root access to configure and to view its findings, and is generally used on Linux servers.

fail2ban primarily focuses on SSH attacks, but can be configured to look for other kinds of attacks as well.

How to install fail2ban on Fedora 34

To prepare for installing fail2ban, it's a good idea to update the system first:

$ sudo dnf update && sudo dnf upgrade -y

Then install fail2ban and verify its presence on your system with commands like these:

$ sudo dnf install fail2ban
$ find /var -name fail2ban
/var/lib/fail2ban

To start the service, run these commands:

$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban

Next, you need to set up a jail.local file in /etc/fail2ban. Adding content like this will have it watch for failed SSH connections, which could indicate someone trying to log in by guessing passwords.

$ cat /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 22
filter = sshd
# On Fedora, sshd logs to the systemd journal (note the "Journal matches" line
# in the fail2ban-client status output below), so read from the journal backend
# rather than pointing logpath at a file
backend = systemd
maxretry = 3

Note that the above will get fail2ban to block SSH connections from an address after three failed login attempts from it (see the maxretry setting). You can change these settings if you want, but allowing three chances is fairly common, since even legitimate users mistype passwords from time to time.

fail2ban will automatically add rules to your firewall to protect your server. A command like this will display the effect in the firewall rules:

$ sudo iptables -n -L --line-numbers | grep unreachable
2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Testing fail2ban actions

If you try to log into an account from a different system using SSH, but mistype the password three times in a row, that system's address should be blocked. You can then view the jailed systems with a command like this:

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list: 192.168.0.17	<== jailed system

Since this was intended as just a test to see how the tool works, you likely want to allow the system to connect to the server again. You can get a system out of jail immediately with a command like this:

$ sudo fail2ban-client set sshd unbanip 192.168.0.17

Read "unbanip" as "un-ban IP".

If you add a bantime setting to your jail.local file, you can limit how long the lockout will last. The value must be specified in seconds:

$ cat jail.local
[sshd]
enabled = true
port = 22
filter = sshd
# Fedora's sshd logs to the journal, so use the journal backend, not a logpath
backend = systemd
maxretry = 3
bantime = 120                   <== 2 minutes

In the above example, we've only locked users out for two minutes (120 seconds). This allows us to wait a bit and then check to ensure that we can log in again. The timeout defaults to 10 minutes (600 seconds).

After you fail to log in from the other system, you will see something like this when you check fail2ban:

$ sudo fail2ban-client status sshd
[sudo] password for shs:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1	<== one system has been blocked
   |- Total banned:     1
   `- Banned IP list:   192.168.0.17  <== IP of banned system

When trying to connect from the blocked system, you will see "Connection refused" messages. After two minutes, you can try logging in again. On the server, you will also see the change reflected in the status output:

$ sudo fail2ban-client status sshd
[sudo] password for shs:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0	<== no systems blocked
   |- Total banned:     1
   `- Banned IP list:

Viewing fail2ban's log data

You can find evidence of fail2ban's activities in its log file. Notice that the first ban lasted 10 minutes (the default) and the second two lasted only two minutes each (after changing the bantime setting for the test).

$ sudo egrep "Ban|Unban" /var/log/fail2ban.log
2022-03-10 15:20:50,913 fail2ban.actions   [3870239]: NOTICE [sshd] Ban 192.168.0.17
2022-03-10 15:30:50,012 fail2ban.actions   [3870239]: NOTICE [sshd] Unban 192.168.0.17
2022-03-11 11:34:09,024 fail2ban.actions   [4055193]: NOTICE [sshd] Ban 192.168.0.17
2022-03-11 11:36:09,011 fail2ban.actions   [4055193]: NOTICE [sshd] Unban 192.168.0.17
2022-03-11 12:18:23,825 fail2ban.actions   [4057814]: NOTICE [sshd] Ban 192.168.0.17
2022-03-11 12:20:23,778 fail2ban.actions   [4057814]: NOTICE [sshd] Unban 192.168.0.17
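The durations in that log can be checked rather than eyeballed. The script below is an added example, not from the article or the fail2ban project: it pairs each Ban line with the next Unban for the same jail and IP and reports how long every ban lasted, flagging any ban the log never shows being lifted. The sample input is the article's log excerpt plus one constructed Ban line (192.168.0.99) with no matching Unban.

```python
import re
from datetime import datetime

# Constructed sample: the article's three Ban/Unban pairs plus one extra Ban
# (constructed) that has no Unban yet, i.e. the address is still in jail.
SAMPLE_LOG = """\
2022-03-10 15:20:50,913 fail2ban.actions   [3870239]: NOTICE [sshd] Ban 192.168.0.17
2022-03-10 15:30:50,012 fail2ban.actions   [3870239]: NOTICE [sshd] Unban 192.168.0.17
2022-03-11 11:34:09,024 fail2ban.actions   [4055193]: NOTICE [sshd] Ban 192.168.0.17
2022-03-11 11:36:09,011 fail2ban.actions   [4055193]: NOTICE [sshd] Unban 192.168.0.17
2022-03-11 12:18:23,825 fail2ban.actions   [4057814]: NOTICE [sshd] Ban 192.168.0.17
2022-03-11 12:20:23,778 fail2ban.actions   [4057814]: NOTICE [sshd] Unban 192.168.0.17
2022-03-11 13:05:00,000 fail2ban.actions   [4057814]: NOTICE [sshd] Ban 192.168.0.99
"""

# Matches fail2ban's Ban/Unban NOTICE lines; milliseconds are dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+"
    r"\[\d+\]: NOTICE \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)

def ban_durations(log_text):
    """Return (jail, ip, banned_at, seconds) per Ban, in log order.

    seconds is None when no later Unban for that jail/ip appears in the log.
    """
    open_bans = {}   # (jail, ip) -> index into results of the unmatched Ban
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other fail2ban messages (Found, Restore Ban, ...) are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            open_bans[key] = len(results)
            results.append([m["jail"], m["ip"], ts, None])
        elif key in open_bans:   # Unban with a matching earlier Ban
            idx = open_bans.pop(key)
            results[idx][3] = int((ts - results[idx][2]).total_seconds())
    return [tuple(r) for r in results]

def main():
    for jail, ip, when, secs in ban_durations(SAMPLE_LOG):
        state = "still banned" if secs is None else f"{secs} s"
        print(f"{when:%Y-%m-%d %H:%M:%S} [{jail}] {ip}: {state}")

if __name__ == "__main__":
    main()
```

Run against the real file with sudo (for example by reading /var/log/fail2ban.log into ban_durations) to see the 600-second default ban followed by the 120-second bans from the test.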

Wrap-Up

The fail2ban tool can also work with other connections besides SSH and can even be configured to send alerts in addition to jailing and un-jailing connections based on your selected settings.


Copyright © 2022 IDG Communications, Inc.