
Fail2ban is intrusion prevention software that protects servers from
brute-force attacks. It watches service logs for repeated authentication
failures and blocks the offending source IP at the firewall, which puts a
brake on the attack; here we use it to protect the SSH service. This post
is about how to configure Fail2ban to secure your server.

We will start by installing Fail2ban on our server.

Install Fail2ban on CentOS 7


We will install Fail2ban from Extra Packages for Enterprise Linux, or EPEL for
short, together with the add-on packages for systemd (journal) support,
sendmail notifications and firewalld integration.

[root@debyum ~]# yum update

[root@debyum ~]# yum install epel-release -y


[root@debyum ~]# yum install fail2ban fail2ban-systemd fail2ban-firewalld fail2ban-sendmail -y

We will also update the SELinux policy packages, if any update is available.
The fail2ban SELinux module ships in selinux-policy-targeted, so an outdated
policy can stop Fail2ban from reading logs or talking to the firewall.

selinux-policy.noarch
selinux-policy-targeted.noarch
[root@debyum ~]# yum update selinux-policy*

Enable the service so it starts at boot.


[root@debyum ~]# systemctl enable fail2ban

Configuring Fail2ban.
All the configuration of the fail2ban service lives in the /etc/fail2ban
directory. Here is a list of the files in /etc/fail2ban:
[root@debyum ~]# ls -l /etc/fail2ban/
total 64
drwxr-xr-x. 2 root root  4096 Oct 15 12:23 action.d
-rw-r--r--. 1 root root  2328 Aug  1  2015 fail2ban.conf
drwxr-xr-x. 2 root root  4096 Sep 12  2015 fail2ban.d
drwxr-xr-x. 3 root root  4096 Oct 15 12:48 filter.d
-rw-r--r--. 1 root root 18562 Sep 12  2015 jail.conf
drwxr-xr-x. 2 root root  4096 Oct 15 12:40 jail.d
-rw-r--r--. 1 root root  1939 Aug  1  2015 paths-common.conf
-rw-r--r--. 1 root root   642 Aug  1  2015 paths-debian.conf
-rw-r--r--. 1 root root   743 Aug  1  2015 paths-fedora.conf
-rw-r--r--. 1 root root  1174 Aug  1  2015 paths-freebsd.conf
-rw-r--r--. 1 root root   290 Aug  1  2015 paths-osx.conf

jail.conf is the main configuration file, but we won't edit it because it can
be overwritten by package upgrades.
To avoid that, create a local configuration file
at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf.
We will use /etc/fail2ban/jail.local and place our configuration in this
file. Fail2ban reads jail.conf first and the .local files afterwards, so any
value defined here overrides the same value in jail.conf.

First we will stop Fail2ban from using DNS. With usedns = no, hostnames that
appear in log lines are not resolved and are never used for banning; only
literal IP addresses count. A DNS lookup per log line is slow, and a resolved
name is only as trustworthy as the DNS answer. This goes in the [DEFAULT]
section, which applies to every jail.

[root@debyum fail2ban]# vi jail.local

[DEFAULT]

usedns = no

Next we set the list of IPs we want Fail2ban to ignore. These can be the IPs
of your personal computer or other devices you trust. An address on this list
is never banned, whatever it does, so keep the list short.
We do this by defining the ignoreip variable, again in [DEFAULT].
[root@debyum ~]# cd /etc/fail2ban

[root@debyum fail2ban]# vi jail.local

......

......

ignoreip = 127.0.0.1/8 192.168.122.0/24

If you have many services configured as jails in Fail2ban and want to
whitelist IPs only for specific jails, you can do so with the
fail2ban-client command.
fail2ban-client set JAIL addignoreip 192.168.122.0/24

For example, to whitelist IPs only for SSH, use:
fail2ban-client set sshd addignoreip 192.168.122.0/24

Changes made with fail2ban-client live only in the running server and are
lost on the next restart; put permanent entries in the configuration file.

We will set the bantime parameter, which is the length of time a client is
banned after it fails to authenticate correctly. We set it to 600 seconds,
or 10 minutes.

Edit jail.local file and add these lines.


[root@debyum fail2ban]# vi jail.local

......
......

# Ban hosts for ten minutes:

bantime = 600

Now we use maxretry and findtime to set the condition: a client may make at
most 3 (maxretry) failed attempts within 10 minutes (findtime). After the
3rd failed attempt inside that window the client is banned for 10 minutes
(bantime). Note the spelling: the option is maxretry, not maxtry. A
misspelled option does not stop Fail2ban from starting; it simply has no
effect, so the jail.conf default of maxretry = 5 would stay in force.

Edit jail.local file and add these lines.


[root@debyum fail2ban]# vi jail.local

......

......

# Fail2ban will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.

maxretry = 3

findtime = 600

You should set maxretry as low as you can afford and bantime as high as you want.
If you run nginx and have password-protected some part of the website that
you want to protect against brute-force attacks, then enable the
[nginx-http-auth] jail to protect that service.
[root@debyum fail2ban]# vi jail.local

......
......

[nginx-http-auth]

enabled = true

In short, your jail.local should look like this (the values are the ones set
above):


cat jail.local

[DEFAULT]

usedns = no

# Ban hosts for ten minutes:

bantime = 600

maxretry = 3

findtime = 600

ignoreip = 127.0.0.1/8 192.168.122.0/24

[nginx-http-auth]

enabled = true
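To see how ignoreip, maxretry, findtime and bantime interact before you put the file in production, here is an added example (not code from the original post or from the Fail2ban project) that replays a few constructed /var/log/secure lines through a miniature version of the sshd filter and the ban logic, using the same values as the jail.local above. The CIDR matching and the "Failed password" pattern are simplified stand-ins for what Fail2ban does; the hostname, PIDs and addresses in the sample log are invented.

```shell
#!/bin/bash
# Added example, not from the original post: a stand-alone simulation of how
# ignoreip, maxretry, findtime and bantime interact. Nothing here touches
# fail2ban, the journal or the firewall; it only reads log lines from stdin.

# Jail settings, the same values the tutorial puts in jail.local.
IGNOREIP="127.0.0.1/8 192.168.122.0/24"
MAXRETRY=3
FINDTIME=600   # seconds
BANTIME=600    # seconds

# Return 0 if $1 (dotted IPv4) falls inside any CIDR in $IGNOREIP, else 1.
# A bare address in the list is treated as /32, as Fail2ban does.
f2b_in_ignoreip() {
    awk -v ip="$1" -v list="$IGNOREIP" '
    function ip2int(s,  o) { split(s, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    BEGIN {
        n = split(list, nets, " ")
        for (i = 1; i <= n; i++) {
            split(nets[i], parts, "/")
            plen = (parts[2] == "") ? 32 : parts[2] + 0
            div = 2 ^ (32 - plen)
            if (int(ip2int(ip) / div) == int(ip2int(parts[1]) / div)) exit 0
        }
        exit 1
    }'
}

# Replay syslog-format sshd lines (assumed to be from one day) from stdin and
# print what Fail2ban would do: "BAN ip HH:MM:SS" when an address reaches
# MAXRETRY failures inside FINDTIME, "UNBAN ip HH:MM:SS" once BANTIME is over.
f2b_simulate() {
    awk -v ignore="$IGNOREIP" -v maxretry="$MAXRETRY" -v findtime="$FINDTIME" -v bantime="$BANTIME" '
    function ip2int(s,  o) { split(s, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    function ignored(ip,  k, parts, plen, div) {
        for (k = 1; k <= nnets; k++) {
            split(nets[k], parts, "/")
            plen = (parts[2] == "") ? 32 : parts[2] + 0
            div = 2 ^ (32 - plen)
            if (int(ip2int(ip) / div) == int(ip2int(parts[1]) / div)) return 1
        }
        return 0
    }
    function secs(hms,  t) { split(hms, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    BEGIN { nnets = split(ignore, nets, " ") }
    # The sshd filter in miniature: a "Failed password ... from <ip>" line is one failure.
    / sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
        now = secs($3)
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        # Lift bans whose bantime has run out. Fail2ban does this on a timer;
        # the simulation only notices when the next log line arrives.
        nexp = 0
        for (b in until) if (until[b] <= now) expired[++nexp] = b
        for (i = 1; i <= nexp; i++) { print "UNBAN", expired[i], $3; delete until[expired[i]] }
        if (ignored(ip)) next          # whitelisted by ignoreip: never counted
        if (ip in until) next          # still banned: nothing new to learn
        # Forget failures older than findtime, then record this one.
        kept = ""
        n = split(fails[ip], f, ",")
        for (i = 1; i <= n; i++) if (f[i] != "" && f[i] + 0 > now - findtime) kept = kept f[i] ","
        fails[ip] = kept now ","
        if (split(fails[ip], f, ",") - 1 >= maxretry) {
            print "BAN", ip, $3
            until[ip] = now + bantime
            fails[ip] = ""
        }
    }'
}

# Constructed sample of /var/log/secure (hostname, PIDs and addresses invented):
# 203.0.113.5 fails three times in 32 seconds, 192.168.122.7 is on ignoreip,
# 198.51.100.7 fails three times but the first failure falls outside findtime.
F2B_SAMPLE_LOG='Oct 15 12:40:01 debyum sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 15 12:40:09 debyum sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 15 12:40:20 debyum sshd[2105]: Failed password for root from 192.168.122.7 port 40100 ssh2
Oct 15 12:40:33 debyum sshd[2107]: Failed password for root from 203.0.113.5 port 51251 ssh2
Oct 15 12:40:40 debyum sshd[2109]: Accepted publickey for engy from 192.168.122.7 port 40102 ssh2
Oct 15 12:41:05 debyum sshd[2111]: Failed password for root from 198.51.100.7 port 60001 ssh2
Oct 15 12:55:30 debyum sshd[2113]: Failed password for root from 198.51.100.7 port 60002 ssh2
Oct 15 12:56:00 debyum sshd[2115]: Failed password for root from 198.51.100.7 port 60003 ssh2'

f2b_demo() { printf '%s\n' "$F2B_SAMPLE_LOG" | f2b_simulate; }

f2b_demo
```

Run as is, the sample produces one BAN for 203.0.113.5 at 12:40:33 and the matching UNBAN ten minutes later; 192.168.122.7 is skipped because of ignoreip, and 198.51.100.7 is never banned because only two of its failures fall inside one findtime window. To try it on your own logs, run `f2b_simulate < /var/log/secure` after sourcing the file and adjust the four variables at the top to your jail.local.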
fail2ban.filtersystemd Issue.
There is an issue with Fail2ban and the systemd backend that can be resolved
with a minor change in /etc/fail2ban/jail.d/00-systemd.conf, the file
installed by the fail2ban-systemd package, which sets backend = systemd for
every jail.

The error message is:

Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries,
which is not advised for performance reasons.

It is raised for a jail whose filter defines no journalmatch (the
nginx-http-auth filter, for example; the sshd filter ships one), because that
jail then has to run its regexes over every journal entry. To solve it, change
the value of the backend variable from systemd to auto. Fail2ban then tails
the file named by each jail's logpath instead of the journal; on CentOS 7 that
is /var/log/secure for sshd.
[root@debyum fail2ban]# cat jail.d/00-systemd.conf

[DEFAULT]

backend=auto

Configuring SSH.
Now we will enable the SSH jail in Fail2ban and configure the parameters of
the sshd jail to make it work.

The cleanest way to configure a service in Fail2ban is to create a dedicated
file for that service in the jail.d directory.
So we will create a file named sshd.local in the jail.d directory.
[root@debyum fail2ban]# vi jail.d/sshd.local

[sshd]

enabled = true
# "ssh" is looked up in /etc/services (22); put the real port here if sshd listens elsewhere
port = ssh

# banaction is already set to firewallcmd-ipset by jail.d/00-firewalld.conf, so this stays commented out
#action = firewallcmd-ipset

# %(sshd_log)s expands to /var/log/secure on CentOS 7
logpath = %(sshd_log)s

# jail-level values override [DEFAULT]: sshd gets 5 attempts instead of 3
maxretry = 5

bantime = 600

To check that we have configured everything correctly, restart the fail2ban
service.

[root@debyum fail2ban]# systemctl restart fail2ban.service

Then use fail2ban-client status to check the status of the service; both
jails should be listed.


[root@debyum fail2ban]# fail2ban-client status

Status

|- Number of jail: 2

`- Jail list: nginx-http-auth, sshd
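fail2ban-client status only lists the jails; to see who is actually banned you query each jail in turn. The following added script (not from the original post or the Fail2ban project) wraps that: it parses the "Jail list:" line of `fail2ban-client status` and the "Banned IP list:" line of `fail2ban-client status <jail>`, prints one line per jail and includes a helper to lift a ban. The parsing lives in separate functions so it can be checked against constructed output; the sample output below is constructed, and the jail names and addresses in it are assumed.

```shell
#!/bin/bash
# Added example, not from the original post: report the currently banned
# addresses of every jail via fail2ban-client, and lift a ban on request.

# Parse "fail2ban-client status" output on stdin and print the jail names,
# one per line ("`- Jail list:   nginx-http-auth, sshd" gives two lines).
f2b_parse_jails() {
    awk -F'Jail list:' '/Jail list:/ {
        n = split($2, j, "[ \t,]+")
        for (i = 1; i <= n; i++) if (j[i] != "") print j[i]
    }'
}

# Parse "fail2ban-client status <jail>" output on stdin and print the banned
# addresses, one per line (nothing if the list is empty).
f2b_parse_banned() {
    awk -F'Banned IP list:' '/Banned IP list:/ {
        n = split($2, a, "[ \t]+")
        for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
    }'
}

f2b_jails()  { fail2ban-client status | f2b_parse_jails; }
f2b_banned() { fail2ban-client status "$1" | f2b_parse_banned; }

# One line per jail: "<jail>: <ip> <ip> ..." or "<jail>: (none)".
f2b_report() {
    for jail in $(f2b_jails); do
        banned=$(f2b_banned "$jail" | tr '\n' ' ')
        printf '%s: %s\n' "$jail" "${banned:-(none)}"
    done
}

# Lift a ban immediately, e.g. after a colleague locked themselves out:
# f2b_unban sshd 203.0.113.5
f2b_unban() { fail2ban-client set "$1" unbanip "$2"; }

# Constructed samples of the two status outputs (jail names and addresses
# invented), used to check the parsers without a running fail2ban.
F2B_SAMPLE_STATUS='Status
|- Number of jail:   2
`- Jail list:   nginx-http-auth, sshd'

F2B_SAMPLE_JAIL='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.5 198.51.100.7'

# Only talk to the real daemon when fail2ban-client is actually installed.
if command -v fail2ban-client >/dev/null 2>&1; then
    f2b_report
fi
```

For the firewall side of the same check, `ipset list` shows the set the firewallcmd-ipset action fills and `firewall-cmd --direct --get-all-rules` shows the REJECT rule that references it.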

Configuring mail notifications for Fail2ban


First make sure the sendmail MTA is installed.
[root@debyum fail2ban]# yum install sendmail -y
We can configure Fail2ban to notify the owner about bans resulting from
failed authentication attempts or brute-force attacks. The action_mwl action
bans the address and mails a report containing a whois lookup of the address
and the log lines that triggered the ban (action_mw sends the whois report
without the log lines; action_, the default, sends no mail at all).

To configure mail notifications in Fail2ban, edit jail.local. In [DEFAULT]
the setting applies to every jail; put the same lines in a single jail
section to limit it to that jail:


[DEFAULT]

bantime = 600

sender = fail2ban@debyum.com

destemail = engy@debyum.com

action = %(action_mwl)s

Keep in mind that the sendmail actions also send a mail every time a jail
starts or stops, and every ban triggers a whois lookup, so on a busy server
expect a steady stream of mail.

Restart the fail2ban service.

[root@debyum fail2ban]# systemctl restart fail2ban.service

To follow what Fail2ban is doing, check its log file:

[root@debyum fail2ban]# tail /var/log/fail2ban.log

Conclusion
Fail2ban is easy to configure and very useful for protecting services that
use authentication against brute-force attacks. Configure it carefully.
If you want to learn more about hardening the SSH service in detail, you
should read this post.
That's all you need to know about how to configure Fail2ban to secure your
server.
I have tried to cover the basic to advanced concepts with examples.
If I have made any mistake or missed anything, please let me know through
the comment box. I will keep updating this post based on the feedback
received.
Source: https://www.debyum.com/secure-server-using-fail2ban/
