Skip to main content

Once your server is set up and online, it becomes vulnerable to hackers' probes and attacks. Hackers use thousands of hosts to scan servers, exploit vulnerabilities, and crack passwords. Once they gain control of the server, they use it to send spam, run mining software, or attack other servers.

It is important that you protect your host once you have set up a server. By default, the Linux system comes equipped with a firewall that blocks access to ports other than the SSH service. However, if you want to provide services to the public, you will have to open the appropriate port, such as http, mail port (pop3, smtp), etc., to allow access to other hosts on the Internet.

To enhance the security of your system, it is important to not only use a firewall but also carefully configure the necessary services to minimize the risk of attacks and exploitation. In addition, you can use additional software to enhance the security of the system. Fail2ban is software that can protect your server from attackers. 

Fail2ban monitors the logs of the corresponding services in the system and adds the attacker's IP to the system firewall when the corresponding attack is found and exceeds the preset attack count, as defined in the configuration file. 

To install and configure Fail2ban in a CentOS system, follow these steps:

  1. Install fail2ban using yum:

    # yum install fail2ban
  2. Enable fail2ban to start automatically on boot:

    # systemctl enable fail2ban
  3. Create a configuration file by copying jail.conf to jail.local:

    # cd /etc/fail2ban 
    # cp jail.conf jail.local 

    The created jail.local file will take precedence over jail.conf, and the settings in jail.conf will be used only if the relevant settings do not exist in jail.local. 

  4. Open and edit jail.local file, delete all the sections you don't want to modify, only leave sections of the services you want to monitor.  The edited file should look like this:

          ignoreip =
          bantime  = 86400
          findtime  = 600 
          maxretry = 5 
          action = %(action_mwl)s 
          enabled= true 
          filter = postfix 
          bantime  = 864000 
          maxretry = 1 
          port     = smtp,465,submission 
          logpath  = %(postfix_log)s 
          backend  = %(postfix_backend)s 
          #action = firewallcmd-ipset 
          enabled = true 
          bantime  = 3153600 
          filter = dovecot 
          maxretry = 2 
          port    = pop3,pop3s,imap,imaps,submission,465,sieve 
          logpath = %(dovecot_log)s 
          backend = %(dovecot_backend)s 
          enabled = true 
          filter = postfix-sasl 
          bantime  = 864000 
          maxretry = 2 
          port     = smtp,465,submission,imap3,imaps,pop3,pop3s 
          logpath  = %(postfix_log)s 
          enabled  = true 
          filter   = drupal-auth 
          bantime  = 86400 
          maxretry = 3 
          port     = http,https 
          logpath  = %(syslog_daemon)s 
          backend  = %(syslog_backend)s 

    As shown in the above example configuration, we let fail2ban monitor postfix, devocot and drupal logs. In each section, filter is the name of corresponding filter configuration file in filter.d directory. You can either set maxretry and bantime to appropriate value or delete them and use default value defined in DEFAULT section. If you want to monitor other services, locate and copy the related sections from jail.conf to jail.local and enable them using enabled = true.

  5. Save and close the file.
  6. Restart fail2ban.

    # systemctl restart fail2ban