Installing fail2ban on CentOS 7
Try installing fail2ban from EPEL. It's packaged for CentOS 7 and you'll get updates as they are released. Installing the rpm from another repo may work (it did in this case) but is not the best way of doing things.
First of all, install the EPEL repository by issuing the following (as root):
yum install epel-release
The above should install EPEL and give you access to many new packages. One of those packages is fail2ban, therefore install it by running:
yum install fail2ban
By default there are no jails configured, therefore to configure a basic sshd jail:
Create/edit the file /etc/fail2ban/jail.local and add:
[sshd]
enabled = true
Start it with:
systemctl start fail2ban
Make it start at boot time:
systemctl enable fail2ban
There used to be a known bug where SELinux would block fail2ban from accessing the log files it needed to do its job. This seems to be fixed in the most recent version of CentOS 7; you shouldn't need to make the changes below.
If you do have this issue, symptoms are nothing appearing in the logs and nothing appearing as failed or blocked in the output of fail2ban-client status sshd.
To check for SELinux errors, read the journals with:
journalctl -lfu fail2ban
Watch them for messages such as:
SELinux is preventing /usr/bin/python2.7 from getattr access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed getattr access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Therefore do as suggested and run:
grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Then, to be safe, restart fail2ban:
systemctl restart fail2ban
You may even have to repeat the process above until no more error messages appear in the log.
If your server is on the internet then monitor fail2ban-client status sshd. It will soon start to show failed and banned counts if you've caught all the SELinux issues.
Note that you will have to keep an eye on your SELinux policy updates. If a selinux-policy package update appears, it may overwrite the above and you may need to run the above commands again. You'll know if this is the case as fail2ban will stop working again!
RabT
Updated on September 18, 2022
Comments
-
RabT over 1 year
I am using @GarethTheRed's answer to this question to install fail2ban on a remote CentOS 7 server. I am able to complete all the steps up until tail -f /var/log/fail2ban.log, at which point I get different results than he gets in his answer. Here are the results I am getting at this step:
[[email protected] ~]# tail -f /var/log/fail2ban.log
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 16:55:53,550 fail2ban.server.database[6667]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-12-02 16:55:54,239 fail2ban.server.database[6667]: WARNING New database created. Version '2'
After the last line, I just get a cursor but no command prompt unless I type Ctrl-C. When I type systemctl status fail2ban, it tells me that fail2ban is active. When I log out of the system and log back in later, sshd tells me that there have been many failed attempts to login since my last login. So there should be fail2ban logs. But I cannot seem to find them. Can someone show me how to get this set up so that fail2ban generates logs that I can track?
-
codewaggle over 9 years
Did you check the file permissions? I've wasted time more than once only to find that the permissions were the problem.
-
garethTheRed over 9 years
fail2ban is now in the EPEL repo. Try installing it from there. Uninstall the current version and make sure that there are no residual config files etc. Then install from EPEL. I've got it running on a CentOS 7 machine without any issues.
-
garethTheRed over 9 years
I told a small lie in the last comment - I forgot that I had to fix it a while ago. Long answer below...
-
RabT over 9 years
Thank you so much. Should I take specific steps to uninstall fail2ban first? Or is that handled automatically in the steps you provided above?
-
garethTheRed over 9 years
I'd uninstall the version from Fedora 20 first and make sure that the directory /etc/fail2ban is deleted.
-
Rahil Wazir over 7 years
That enabled = true part worked. I read everywhere that ssh is configured and enabled by default but this was not true.
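As an added example (not part of the answer above, the comments, or fail2ban itself), the following POSIX shell script turns the three checks the answer and the last comment revolve around into functions you can run against a scratch directory: that jail.local really enables the [sshd] jail (the quiet failure Rahil Wazir hit, where fail2ban runs but bans nothing), that a saved copy of `journalctl -lfu fail2ban` still contains the "SELinux is preventing" denials the answer describes, and that writing the two-line jail.local does not clobber an existing [sshd] section. The function names, the scratch directory argument and the sample journal lines are all my own constructions; the sample journal is made up to look like an affected host and is not real output.

```shell
#!/bin/sh
# Added example (not from the original answer or the fail2ban project):
# three small checks for the three things the answer says to verify.
# Assumptions: POSIX sh, awk and grep. Every path is a parameter, so nothing
# here touches /etc/fail2ban unless you pass that directory explicitly.

# jail_enabled FILE JAIL: succeed only if "enabled = true" appears inside the
# [JAIL] section of FILE. An "enabled = true" under [DEFAULT] or another
# section does not count, which is exactly the mistake that leaves sshd unbanned.
jail_enabled() {
    awk -v jail="$2" '
        /^[[:space:]]*\[/ {
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect)
            sub(/\].*$/, "", sect)
            insect = (sect == jail)
            next
        }
        insect && /^[[:space:]]*enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# write_jail_local DIR: create DIR/jail.local with the [sshd] jail enabled
# (the two lines from the answer), leaving the file alone if it already
# carries an [sshd] section so a re-run never duplicates it.
write_jail_local() {
    mkdir -p "$1"
    if [ -f "$1/jail.local" ] && grep -q '^[[:space:]]*\[sshd\]' "$1/jail.local"; then
        echo "$1/jail.local already has an [sshd] section; leaving it alone" >&2
        return 0
    fi
    printf '[sshd]\nenabled = true\n' >> "$1/jail.local"
}

# count_selinux_denials FILE: print how many lines of a saved journal capture
# are setroubleshoot denials (the "SELinux is preventing ..." text quoted in
# the answer). A nonzero count means the audit2allow/semodule step is still
# needed; grep exits 1 when the count is 0, so that status is swallowed.
count_selinux_denials() {
    grep -c 'SELinux is preventing' "$1" || true
}

# write_sample_journal FILE: constructed sample of what 'journalctl -lfu
# fail2ban' looks like on an affected host (made up for this example).
write_sample_journal() {
    cat > "$1" <<'EOF'
Dec 02 16:55:53 centos7 fail2ban-server[6667]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
Dec 02 16:55:54 centos7 setroubleshoot[6700]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/log/secure.
Dec 02 16:55:54 centos7 fail2ban-server[6667]: WARNING New database created. Version '2'
Dec 02 16:55:55 centos7 setroubleshoot[6700]: SELinux is preventing /usr/bin/python2.7 from read access on the file /var/log/secure.
EOF
}

# main DIR: run all three checks against DIR (a scratch directory is fine).
main() {
    write_jail_local "$1"
    if jail_enabled "$1/jail.local" sshd; then
        echo "[sshd] jail is enabled in $1/jail.local"
    else
        echo "[sshd] jail is NOT enabled in $1/jail.local" >&2
        return 1
    fi
    write_sample_journal "$1/journal-sample.txt"
    n=$(count_selinux_denials "$1/journal-sample.txt")
    echo "SELinux denials in sample journal: $n (nonzero means the audit2allow step from the answer is still needed)"
}

# Usage: sh f2b-check.sh /tmp/f2b-scratch
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

To check a real host, point `jail_enabled` at /etc/fail2ban/jail.local and `count_selinux_denials` at a file saved from `journalctl -u fail2ban`; the section-aware parse matters because an `enabled = true` that lands above the `[sshd]` header (or under `[DEFAULT]`) is not what the answer asks for.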