Efficient Way To Install and Configure Fail2ban on AlmaLinux 9
This tutorial aims to guide you through the process of installing and configuring Fail2ban on AlmaLinux 9. Fail2ban is widely considered an essential security tool for Linux servers, providing robust protection against automated attacks. It works by monitoring log files for suspicious activity, such as repeated failed login attempts, and then automatically banning the offending IP addresses. This proactive approach helps to mitigate brute-force attacks and other malicious activities that could compromise your server’s security. This article will demonstrate an Efficient Way To Install and Configure Fail2ban on AlmaLinux 9.
Now, let’s walk through the steps to install and configure Fail2ban on your AlmaLinux 9 server.
To fully configure Fail2ban on AlmaLinux 9, ensure you are logged in to your server as a non-root user with sudo privileges. It’s also recommended to have a basic firewall set up. If you haven’t already done so, you can refer to a guide on Initial Server Setup with AlmaLinux 9 for assistance.
1. Install Fail2ban on AlmaLinux 9
The Fail2ban package lives in the EPEL (Extra Packages for Enterprise Linux) repository for AlmaLinux 9. Begin by bringing the system up to date; note that dnf update applies every pending package upgrade, it is not only a refresh of the repository metadata:
sudo dnf update -y
Next, install the EPEL repository using the following command:
sudo dnf install epel-release -y
With the EPEL repository enabled, you can now proceed to install Fail2ban itself:
sudo dnf install fail2ban -y
Manage Fail2ban Service
Once the installation is complete, it’s crucial to start and enable the Fail2ban service to ensure it runs automatically on boot:
sudo systemctl enable --now fail2ban
To verify that the service is active and running correctly, use the following command:
sudo systemctl status fail2ban
The output should resemble the following, indicating that Fail2ban is running:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-03-21 14:30:00 UTC; 10s ago
Docs: man:fail2ban(1)
Main PID: 1234 (fail2ban-server)
Tasks: 5 (limit: 4689)
Memory: 15.7M
CPU: 120ms
CGroup: /system.slice/fail2ban.service
└─1234 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf /etc/fail2ban/fail2ban.conf -dp /var/run/fail2ban/fail2ban.pid -s /var/run/fail2ban/fail2ban.sock
Now that Fail2ban is installed and running, let’s proceed to configure it to meet your specific security needs.
2. Fail2ban Configuration on AlmaLinux 9
The default installation provides two files that matter here: /etc/fail2ban/jail.conf, which defines every jail with all of them disabled, and /etc/fail2ban/jail.d/00-firewalld.conf, installed by the fail2ban-firewalld dependency, which sets banaction = firewallcmd-rich-rules so that bans are applied through firewalld. Do not edit either file, because package updates overwrite them. Fail2ban reads jail.local and jail.d/*.local on top of them, and values there win. This tutorial copies the whole of jail.conf to jail.local; that works, but it also freezes every default, so new defaults shipped by later package updates are masked by your copy. A jail.local that contains only the settings you change is the leaner alternative.
First, copy the jail.conf file to create a jail.local file:
sudo cp /etc/fail2ban/jail.{conf,local}
Now, open the jail.local file using your preferred text editor. Here, we'll use the vi editor:
sudo vi /etc/fail2ban/jail.local
Within the jail.local file, you can customize various settings to tailor Fail2ban's behavior to your environment.
IP addresses, IP ranges (CIDR notation), or hostnames that must never be banned go in the ignoreip directive. Always include the address you administer from: a lockout from your own server is the most common Fail2ban mishap, and it happens on the first mistyped password once the sshd jail is live.
Add your local PC IP address and any other machines you want to allow-list to the ignoreip line. Uncomment the line by removing the leading # and add your addresses separated by spaces:
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24
The bantime setting determines how long an address stays banned. The default is 10 minutes (10m). Find the bantime line and change the value. For example, to ban an address for one day, use:
bantime = 1d
A negative value (bantime = -1) bans permanently. Pair a long or permanent ban with a correct ignoreip: with a wrong entry there, one mistyped password from your own workstation locks you out for the whole bantime.
The findtime setting is the window within which Fail2ban counts failed attempts; the default is 10 minutes (10m).
The maxretry setting is the number of failures inside that window before an address is banned. The default of five is suitable for most users. Read together: five failures within ten minutes ban the address for bantime, while five failures spread over an hour do not.
Fail2ban can also send email alerts when an address has been banned.
The mail actions shell out to the local sendmail command (the default mta = sendmail), so you need a working mail transfer agent on the server before enabling them. Then, modify the action setting in the jail.local file. By default, it's set to simply ban the IP:
action = %(action_)s
To receive email alerts, change it to:
action = %(action_mw)s
If you want to include relevant log entries in the email alerts, use:
action = %(action_mwl)s
You also need to adjust the sender and recipient email addresses:
destemail = admin@orcacore.com
sender = root@orcacore.com
Fail2ban Jails Configuration
Fail2ban utilizes the concept of "jails" to define the services it monitors and the actions it takes. A jail essentially describes a service, along with its associated filters and actions.
By default, on AlmaLinux 9, no jails are enabled: jail.conf sets enabled = false in its [DEFAULT] section. To enable a jail, locate its section in the jail.local file and add an enabled = true line under the section header. For example, to enable the SSH jail:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
The logpath and backend values expand from the distribution path file (paths-fedora.conf on the EPEL build). If Fail2ban reports at startup that it found no log file for the sshd jail, which happens on a minimal AlmaLinux 9 install without rsyslog and therefore without /var/log/secure, set backend = systemd in the [sshd] section so that sshd messages are read from the journal. Once you've made your desired changes, save and close the jail.local file.
To apply the changes, restart the Fail2ban service:
sudo systemctl restart fail2ban
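As an added example (not from this page and not fail2ban's own code), the following script takes the override-only approach: it renders a jail.local that sets just the values discussed above and enables the sshd jail on the journal backend, then checks, before anything is restarted, that the address you are connected from is covered by an ignoreip entry. The admin address 203.0.113.10 and the 192.168.1.0/24 LAN are placeholders to replace with your own, and the CIDR check handles IPv4 only.

```shell
#!/bin/bash
# Added example, not fail2ban code: an override-only jail.local plus a pre-flight
# check that the address you administer from is inside ignoreip.

# render_jail_local ADMIN_IP  > jail.local
# ADMIN_IP is assumed to be the workstation you log in from; 192.168.1.0/24 is a placeholder LAN.
render_jail_local() {
    cat <<EOF
[DEFAULT]
# Never ban loopback, the admin workstation or the office LAN.
ignoreip = 127.0.0.1/8 ::1 $1 192.168.1.0/24
bantime  = 1d
findtime = 10m
maxretry = 5
# banaction is already firewallcmd-rich-rules via jail.d/00-firewalld.conf on AlmaLinux 9.

[sshd]
enabled = true
# Read sshd messages from the journal; a minimal install has no rsyslog and
# therefore no /var/log/secure for the default logpath.
backend = systemd
EOF
}

# ip_in_cidr IP CIDR: succeed if IPv4 IP is inside CIDR (a bare address means /32).
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
    function to_int(a,    p, n) {
        n = split(a, p, ".")
        if (n != 4) return -1
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN {
        n = split(cidr, c, "/")
        bits = (n == 2) ? c[2] + 0 : 32
        a = to_int(ip); b = to_int(c[1])
        if (a < 0 || b < 0) exit 1
        # Drop the host bits from both addresses, then compare the network part.
        for (i = 0; i < 32 - bits; i++) { a = int(a / 2); b = int(b / 2) }
        if (a == b) exit 0
        exit 1
    }'
}

# ignoreip_covers FILE IP: succeed if an entry on the ignoreip line of FILE covers IP.
ignoreip_covers() {
    local entries e
    entries=$(awk -F= '/^[[:space:]]*ignoreip[[:space:]]*=/ { print $2 }' "$1")
    for e in $entries; do
        case $e in *:*) continue ;; esac   # IPv6 entries are not handled by this IPv4 check
        ip_in_cidr "$2" "$e" && return 0
    done
    return 1
}

# Stand-alone run: render to a temp file and check the address you came in from.
# On the server you would instead run:
#   render_jail_local 203.0.113.10 | sudo tee /etc/fail2ban/jail.local >/dev/null
#   sudo fail2ban-client -t && sudo systemctl restart fail2ban
tmp=$(mktemp)
render_jail_local 203.0.113.10 > "$tmp"
me=${SSH_CLIENT%% *}   # first field of SSH_CLIENT is the client address, empty when not over SSH
if [ -n "$me" ] && ! ignoreip_covers "$tmp" "$me"; then
    echo "WARNING: $me is not covered by ignoreip; a typo here can lock you out" >&2
fi
rm -f "$tmp"
```

On the server, write the rendered file with render_jail_local <your-ip> | sudo tee /etc/fail2ban/jail.local, run sudo fail2ban-client -t so that Fail2ban parses the configuration before you restart it, and keep your current SSH session open until a fresh login works.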
3. How To Use Fail2ban Service?
Fail2ban provides a command-line tool called fail2ban-client for interacting with the service.
To view all available options, use the following command:
fail2ban-client -h
This tool allows you to ban/unban IP addresses, modify settings, restart the service, and perform other administrative tasks. Here are a few examples:
To list the enabled jails, run sudo fail2ban-client status; to check one jail (e.g., sshd), including the addresses it currently has banned, use:
sudo fail2ban-client status sshd
To unban an IP address from a specific jail, use:
sudo fail2ban-client set sshd unbanip 23.34.45.56
To manually ban an IP address in a specific jail, use:
sudo fail2ban-client set sshd banip 23.34.45.56
Conclusion
You have successfully learned how to Install and Configure Fail2ban on AlmaLinux 9. You also learned how to use the service and the command-line interface. Fail2ban on AlmaLinux 9 is an important part of server security.
Alternative Solutions for Intrusion Prevention
While Fail2ban is a powerful tool, it’s beneficial to explore alternative or complementary solutions for intrusion prevention. Here are two different approaches:
1. Using a Web Application Firewall (WAF):
A WAF is a security device that monitors and filters HTTP traffic between a web application and the Internet. Unlike Fail2ban, which primarily focuses on preventing brute-force attacks at the SSH or service level, a WAF protects against a wider range of web-based attacks, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
Explanation:
A WAF works by analyzing incoming HTTP requests and comparing them against a set of predefined rules or signatures. If a request matches a known attack pattern, the WAF can block the request, redirect it to a honeypot, or log the event for further analysis. This approach provides a more granular level of control over web traffic and can help to prevent attacks that Fail2ban might miss.
Example using ModSecurity with Apache:
ModSecurity is a popular open-source WAF that can be integrated with Apache web server.
First, install ModSecurity from the AlmaLinux AppStream repository. The package is mod_security; there is no separate mod_security-apache connector package on RHEL-family systems:
sudo dnf install mod_security
The package drops a LoadModule line under /etc/httpd/conf.modules.d/ and a base configuration into /etc/httpd/conf.d/mod_security.conf, so the module is loaded on the next start. a2enmod is a Debian/Ubuntu tool and does not exist on AlmaLinux. Restart Apache to load the module:
sudo systemctl restart httpd
Then, download the OWASP ModSecurity Core Rule Set (CRS), which provides a set of pre-built rules for detecting common web attacks. Pin the release and verify the signature the CRS project publishes with it rather than trusting whatever the URL serves on the day; these rules run inside your web server:
cd /etc/httpd/conf.d/
sudo wget https://github.com/coreruleset/coreruleset/archive/v4.0.0.tar.gz
sudo tar -xvzf v4.0.0.tar.gz
sudo mv coreruleset-4.0.0 crs
The archive ships its setup file as an example only. Copy it into place, otherwise the IncludeOptional line below silently includes nothing:
sudo cp crs/crs-setup.conf.example crs/crs-setup.conf
Finally, configure ModSecurity to use the CRS by creating a configuration file:
sudo vi /etc/httpd/conf.d/modsecurity.conf
Add the following lines to the modsecurity.conf file:
IncludeOptional /etc/httpd/conf.d/crs/crs-setup.conf
IncludeOptional /etc/httpd/conf.d/crs/rules/*.conf
Check the configuration syntax with httpd -t, then restart the Apache web server to apply the changes:
sudo systemctl restart httpd
With ModSecurity and the OWASP CRS enabled, every request is scored against the CRS rules before it reaches your application. Start with SecRuleEngine DetectionOnly in /etc/httpd/conf.d/mod_security.conf and review /var/log/httpd/modsec_audit.log for false positives before switching to On; an untuned blocking WAF breaks legitimate traffic. The two tools also compose: Fail2ban ships an apache-modsecurity filter and jail, so a client that the WAF keeps blocking can additionally be banned at the firewall, which Fail2ban alone, counting failed logins, could not see.
2. Implementing Two-Factor Authentication (2FA):
Two-factor authentication (2FA) adds an extra layer of security to your server by requiring users to provide two different authentication factors before granting access. This significantly reduces the risk of unauthorized access, even if an attacker manages to obtain a user’s password.
Explanation:
With 2FA enabled, users will need to provide their password (the first factor) and a second factor, such as a code generated by a mobile app or a hardware token. This makes it much more difficult for attackers to gain access to your server, as they would need to compromise both authentication factors.
Example using Google Authenticator with SSH:
First, install the Google Authenticator PAM module:
sudo dnf install google-authenticator
Next, add the module to the sshd PAM stack by editing the /etc/pam.d/sshd file:
sudo vi /etc/pam.d/sshd
On AlmaLinux 9 this file has no @include common-auth line (that is the Debian layout). It begins with auth substack password-auth, which performs the normal password check. Add the following line directly after it, so the user is asked for the password first and the verification code second:
auth required pam_google_authenticator.so nullok
nullok lets users who have not yet run google-authenticator log in with the password alone. Keep it only while users are enrolling and remove it afterwards; otherwise every account without a secret file stays single-factor. If logins fail only while SELinux is enforcing, look for denials with sudo ausearch -m AVC -ts recent.
Then, tell sshd to run the login through PAM. On AlmaLinux 9, /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, sshd uses the first value it reads for any keyword, and the packaged drop-in /etc/ssh/sshd_config.d/50-redhat.conf already says ChallengeResponseAuthentication no (an alias of KbdInteractiveAuthentication). Anything you append to sshd_config itself therefore loses. Put the settings in a drop-in that sorts before 50-redhat.conf:
sudo vi /etc/ssh/sshd_config.d/10-2fa.conf
Give it this content:
KbdInteractiveAuthentication yes
AuthenticationMethods keyboard-interactive
keyboard-interactive hands the login to PAM, which asks for the password (through password-auth) and then for the verification code, so both factors are enforced by a single method and PasswordAuthentication can stay at its default. Mind the AuthenticationMethods syntax: method names joined by commas form a chain that must all succeed, while names separated by spaces are alternatives. The frequently copied form AuthenticationMethods password keyboard-interactive means password or keyboard-interactive, so a plain password still logs in and the second factor is optional. To demand a key plus the code instead of a password plus the code, use AuthenticationMethods publickey,keyboard-interactive. UsePAM yes is already set by 50-redhat.conf. Validate with sudo sshd -t, confirm what sshd resolved with sudo sshd -T | grep -i kbdinteractive, keep your current session open, and restart the SSH service:
sudo systemctl restart sshd
Finally, each user who logs in via SSH runs the enrolment tool as themselves (not with sudo), before nullok is removed:
google-authenticator
Answer yes to time-based tokens, scan the QR code or type the secret into the Google Authenticator app on your mobile device, and store the emergency scratch codes somewhere safe; the tool writes the secret to ~/.google_authenticator with mode 0400. Test the login from a second terminal before closing your current session.
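Because the Include ordering is easy to get wrong, here is an added example (not from this page and not OpenSSH code) that emulates sshd's rule that the first value read for a keyword wins, with Include expanded where it appears and glob matches taken in sorted order. The fixture it builds in a temporary directory mirrors the AlmaLinux 9 layout (sshd_config including sshd_config.d/*.conf, and a 50-redhat.conf that sets ChallengeResponseAuthentication no). It ignores Match blocks and resolves relative Include paths against the main file's directory rather than /etc/ssh; it is a model of the resolution rule, not a replacement for sudo sshd -T.

```shell
#!/bin/bash
# Added example, not OpenSSH code: emulate "first obtained value wins" across
# sshd_config and its Include drop-ins to show why a 2FA setting can be overridden.
# Simplifications: Match blocks are ignored; relative Include paths resolve
# against the directory of the main file (sshd itself uses /etc/ssh).

# _ev_walk CONFIG KEY: print every value for lowercase KEY in the order sshd reads them.
_ev_walk() {
    local cfg=$1 key=$2 dir line k pat f
    dir=$(dirname "$cfg")
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f            # split on whitespace without globbing
        [ $# -eq 0 ] && continue
        case $1 in '#'*) continue ;; esac
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        # sshd treats ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication.
        [ "$k" = challengeresponseauthentication ] && k=kbdinteractiveauthentication
        if [ "$k" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                for f in $pat; do [ -f "$f" ] && _ev_walk "$f" "$key"; done   # glob: sorted
            done
        elif [ "$k" = "$key" ]; then
            shift; printf '%s\n' "$*"
        fi
    done < "$cfg"
}

# effective_value CONFIG KEY: the value sshd would actually use for KEY (any case).
effective_value() {
    _ev_walk "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" | head -n 1
}

# Constructed fixture in a temp dir, mirroring the AlmaLinux 9 layout; prints the dir.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$d/sshd_config.d/50-redhat.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: appending to sshd_config loses to 50-redhat.conf; an earlier-sorting drop-in wins.
d=$(make_fixture)
echo 'KbdInteractiveAuthentication yes' >> "$d/sshd_config"
echo "appended to sshd_config -> $(effective_value "$d/sshd_config" KbdInteractiveAuthentication)"
printf '%s\n' 'KbdInteractiveAuthentication yes' 'AuthenticationMethods keyboard-interactive' > "$d/sshd_config.d/10-2fa.conf"
echo "10-2fa.conf drop-in     -> $(effective_value "$d/sshd_config" KbdInteractiveAuthentication)"
rm -rf "$d"
```

Appending KbdInteractiveAuthentication yes to the bottom of sshd_config leaves the effective value at no, because 50-redhat.conf was read first; a drop-in named 10-2fa.conf sorts before it and wins, while one named 60-2fa.conf loses. On the real server, sudo sshd -T | grep -iE 'kbdinteractive|authenticationmethods' prints what sshd actually resolved.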
With 2FA enabled, users will now need to provide a code from the Google Authenticator app in addition to their password when logging in via SSH. This significantly enhances the security of your server by making it much more difficult for attackers to gain unauthorized access. This approach complements Fail2ban on AlmaLinux 9 by preventing access even if passwords are compromised.
These alternative solutions, along with Fail2ban on AlmaLinux 9, can help to create a more robust and secure environment for your AlmaLinux 9 server.