How to Install and Configure Fail2ban on CentOS 7, CentOS 6.x and Ubuntu 14.04

source link: https://computingforgeeks.com/how-to-install-and-configure-fail2ban-on-centos-7-centos-6-x-and-ubuntu-14-04/

This is a step-by-step guide to installing and configuring the Fail2ban software on CentOS 7, CentOS 6.x and Ubuntu 14.04 Server. It is easy to follow and tested to work.
Basic Theory on Fail2ban
All services exposed to the internet are susceptible to attack: hackers and bots probe them to get into the system. This is a security concern that needs to be addressed, and it is exactly where Fail2ban comes in.
Fail2ban scans the log files of services such as SSH, SMTP, FTP, SIP, Apache, etc. and bans IP addresses that show malicious signs, i.e. too many password failures or probing for exploits. Fail2ban helps you fend off attacks such as brute force.
Fail2ban works by monitoring the logs of common services to spot patterns in authentication failures. Once Fail2ban has been configured to monitor the logs of a service, it applies a filter for that service. The filter identifies authentication failures using regular expressions; these patterns are stored in a variable called failregex.
> jail.conf and jail.local contain a [DEFAULT] section, followed by sections for the individual services. The DEFAULT section is read first.
> Files in /etc/fail2ban/jail.d/ can override settings in both jail.conf and jail.local.
Installing Fail2ban on Ubuntu 14.04 server

sudo apt-get update
sudo apt-get install fail2ban

Installing Fail2ban on CentOS 7 and 6.x
Step 1: Login to your server as root user.

sudo su -
su -

Step 2: If you have a fresh installation of CentOS, do a system update (optional).

yum -y update

Since Fail2ban is not available in the official CentOS repository, we’ll use the EPEL (Extra Packages for Enterprise Linux) repository to install it. Add it first; the sed command leaves EPEL disabled by default so that it is only used when explicitly enabled with --enablerepo:

yum -y install epel-release
sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo

Step 3: Install Fail2ban

yum --enablerepo=epel install fail2ban fail2ban-systemd

See screenshots below for dependencies that will be downloaded.

After successful installation, you should see results similar to one below.

Step 4: If you have a working SELinux, update SELinux policies.

yum update -y selinux-policy*

If you want to disable SELinux instead, run

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

The setting in /etc/selinux/config takes effect after a reboot; then confirm that it is disabled by typing:

sestatus

You should see the message:

SELinux status:  disabled

Basic Configurations
Once the installation is complete, copy the default jail.conf file to make a local configuration file. The default Fail2ban configuration file is kept at /etc/fail2ban/jail.conf. Use the command below to create a local copy of jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The jail.local file overrides the jail.conf file and keeps your custom configuration safe across package updates.
Step 5: Open the jail.local file for editing. You can use the Nano or Vim editor.

nano /etc/fail2ban/jail.local

The first section is the [DEFAULT] section; it covers the basic rules that Fail2ban will follow.

The DEFAULT settings apply to all sections. The important parameters in the DEFAULT context are:
ignoreip: A space-separated list of IP addresses, CIDR masks or DNS hosts. Fail2ban will never ban a host that matches an entry in this list.
maxretry: Maximum number of failed login attempts before a host gets banned by Fail2ban.
bantime: Time in seconds that a host stays banned once it is found to violate any of the rules. The default is 600 seconds (10 minutes). This is especially useful against bots, which once banned will simply move on to the next target.
protocol: Default protocol being used.
findtime: A host is banned if it generates “maxretry” failures during the last “findtime” seconds. The default setting is 600 seconds (10 minutes). With maxretry = 3, a client that unsuccessfully attempts to log in 3 times within a 10 minute window will be banned by Fail2ban.
Email action parameters:
destemail: Email address that receives the ban alerts.
sendername: Name of the sender of the alerts; sets the value of the “From” field in the email.
mta: Mail transfer agent used to send the emails.
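To make the maxretry, findtime and ignoreip semantics concrete, here is an added Python model of the ban decision (example code, not part of the article or of Fail2ban itself). The failregex is a simplified stand-in for the real sshd filter, and the log lines and addresses are constructed for the demonstration.

```python
import re, ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the failregex in filter.d/sshd.conf (hypothetical pattern)
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed sshd log lines; 10.0.0.5 plays the trusted admin host.
SAMPLE_LOG = [
    "Mar 17 10:15:01 srv1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 17 10:15:04 srv1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Mar 17 10:15:09 srv1 sshd[2301]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 17 10:16:00 srv1 sshd[2310]: Failed password for root from 10.0.0.5 port 40010 ssh2",
    "Mar 17 10:16:03 srv1 sshd[2310]: Failed password for root from 10.0.0.5 port 40011 ssh2",
    "Mar 17 10:16:08 srv1 sshd[2310]: Failed password for root from 10.0.0.5 port 40012 ssh2",
    "Mar 17 10:20:00 srv1 sshd[2320]: Failed password for bob from 198.51.100.9 port 33000 ssh2",
    "Mar 17 10:31:00 srv1 sshd[2321]: Failed password for bob from 198.51.100.9 port 33001 ssh2",
    "Mar 17 10:42:00 srv1 sshd[2322]: Failed password for bob from 198.51.100.9 port 33002 ssh2",
    "Mar 17 10:42:30 srv1 sshd[2323]: Accepted publickey for bob from 198.51.100.9 port 33003 ssh2",
]

def is_ignored(host, ignoreip):
    """ignoreip is the space-separated list of addresses or CIDR masks from jail.local."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip.split())

def find_bans(lines, maxretry=3, findtime=600, ignoreip="127.0.0.1/8 10.0.0.0/8", year=2017):
    """Return {host: time_of_ban} for hosts with maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not an authentication failure; the filter ignores it
        host = m.group("host")
        if host in bans or is_ignored(host, ignoreip):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[host] = ts  # here Fail2ban would run the ban action (e.g. iptables)
    return bans
```

With the defaults, only 203.0.113.7 is banned: 10.0.0.5 is covered by ignoreip, and 198.51.100.9 spreads its three failures over more than findtime seconds, which is why a longer findtime catches slow attackers.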

Service Configurations
Let’s take a closer look at the basic SSH jail section:

[sshd]
enabled = true
port = ssh
filter = sshd
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Explanation:
enabled: Fail2ban is allowed to monitor the SSH service.
port: Service port (as named in the /etc/services file).
filter: The config file with the rules that Fail2ban uses to detect matches. The name corresponds to a file in /etc/fail2ban/filter.d/ without the .conf extension. For example, filter = sshd refers to /etc/fail2ban/filter.d/sshd.conf.
logpath: The log file that Fail2ban should scan for failed login attempts.
action: Tells Fail2ban what steps to take to ban a matching IP address. The file referred to is located in /etc/fail2ban/action.d/ without the .conf extension. For example, action = iptables refers to /etc/fail2ban/action.d/iptables.conf.
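The way a jail inherits [DEFAULT] values, overrides some of them and resolves filter and action names to files can be reproduced with Python’s configparser, which handles the same %(var)s interpolation. This is an added illustration, not the article’s or Fail2ban’s own code; the jail.local excerpt is constructed and load_jail is a hypothetical helper.

```python
import configparser

# Constructed jail.local excerpt (not the distribution file): [DEFAULT] values
# plus an [sshd] jail that overrides two of them.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
action   = iptables
sshd_log = /var/log/secure

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = %(sshd_log)s
maxretry = 5
bantime  = 86400
"""

def load_jail(text, name):
    """Effective settings of one jail: [DEFAULT] values overridden by the jail's
    own keys, %(var)s references expanded, plus the files that the filter and
    action names point to (hypothetical helper, not Fail2ban's own reader)."""
    cfg = configparser.ConfigParser()  # [DEFAULT] acts as the fallback section
    cfg.read_string(text)
    sec = cfg[name]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "maxretry": sec.getint("maxretry"),  # jail value wins over DEFAULT
        "findtime": sec.getint("findtime"),  # inherited from DEFAULT
        "bantime": sec.getint("bantime"),
        "logpath": sec["logpath"],  # %(sshd_log)s expanded from DEFAULT
        "filter_file": f"/etc/fail2ban/filter.d/{sec['filter']}.conf",
        "action_file": f"/etc/fail2ban/action.d/{sec['action']}.conf",
    }
```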
Step 6: Now restart the Fail2ban service so that the new configuration takes effect.

sudo service fail2ban restart

Step 7: Running the Fail2ban service
Start and enable Fail2ban:

systemctl enable fail2ban
systemctl start fail2ban

Start and enable Firewalld daemon.

systemctl enable firewalld
systemctl start firewalld

How to check for IPs banned by Fail2ban

iptables -L -n

How to check the Fail2ban jail status

sudo fail2ban-client status

Step 8: How to Unban an IP address

fail2ban-client set sshd unbanip IPADDRESS

You can also ban and unban an IP address manually using the command syntax below:
sudo fail2ban-client set <jail> banip/unbanip <ip address>
e.g.

sudo fail2ban-client set sshd unbanip 192.168.1.45
sudo fail2ban-client set sshd banip 192.168.1.45

sshd: The name of the jail, in this case the “sshd” jail that we configured above.
IPADDRESS: The IP address to ban or unban.
Use the iptables command to see the rules that Fail2ban adds to the IP tables:

iptables -L

Conclusion

Fail2ban consists of a client, a server and configuration files to limit brute force authentication attempts. The server program fail2ban-server is responsible for monitoring log files and issuing ban/unban commands. It is configured through a simple protocol by fail2ban-client, which can also read the configuration files and issue the corresponding configuration commands to the server.
In this tutorial we covered the step-by-step installation of Fail2ban on CentOS 7 and CentOS 6.x servers. We also looked at the basic configuration settings and the DEFAULT context parameters. In our next tutorial, we’ll talk about how to add a jail file to protect SSH, Apache and other server services.
To get basic configurations after CentOS server installation read:

Top Things to do after fresh installation of CentOS 7 minimal

