Once your server is set up and online, it becomes vulnerable to hackers' probes and attacks. Hackers use thousands of hosts to scan servers, exploit vulnerabilities, and crack passwords. Once they gain control of the server, they use it to send spam, run mining software, or attack other servers.
It is important that you protect your host once you have set up a server. By default, the Linux system comes equipped with a firewall that blocks access to ports other than the SSH service. However, if you want to provide services to the public, you will have to open the appropriate port, such as http, mail port (pop3, smtp), etc., to allow access to other hosts on the Internet.
To enhance the security of your system, it is important to not only use a firewall but also carefully configure the necessary services to minimize the risk of attacks and exploitation. In addition, you can use additional software to enhance the security of the system. Fail2ban is software that can protect your server from attackers.
Fail2ban monitors the log files of the corresponding services and, when it detects an attack pattern whose occurrences exceed the preset count defined in the configuration file, adds the attacker's IP address to the system firewall so that further connections from it are blocked.
To install and configure Fail2ban in a CentOS system, follow these steps:
Install fail2ban using yum:
# yum install fail2ban
Enable fail2ban to start automatically on boot:
# systemctl enable fail2ban
Create a configuration file by copying jail.conf to jail.local:
# cd /etc/fail2ban
# cp jail.conf jail.local
The created jail.local file will take precedence over jail.conf, and the settings in jail.conf will be used only if the relevant settings do not exist in jail.local.
Open and edit the jail.local file: delete all the sections you don't want to modify, leaving only the sections for the services you want to monitor. The edited file should look like this:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 600
maxretry = 5
action = %(action_mwl)s

[postfix]
enabled = true
filter = postfix
bantime = 864000
maxretry = 1
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
#action = firewallcmd-ipset

[dovecot]
enabled = true
bantime = 3153600
filter = dovecot
maxretry = 2
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[postfix-sasl]
enabled = true
filter = postfix-sasl
bantime = 864000
maxretry = 2
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s

[drupal-auth]
enabled = true
filter = drupal-auth
bantime = 86400
maxretry = 3
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
As shown in the example configuration above, we let fail2ban monitor the postfix, dovecot and drupal logs. In each section, filter is the name of the corresponding filter configuration file in the filter.d directory. You can either set maxretry and bantime to appropriate values or delete them and use the default values defined in the DEFAULT section. If you want to monitor other services, locate and copy the related sections from jail.conf to jail.local and enable them using enabled = true.
Save and close the file.
Restart fail2ban.
# systemctl restart fail2ban
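Before restarting, it is worth checking what the layered configuration actually resolves to: jail.local overrides jail.conf, and each jail inherits whatever it does not set from [DEFAULT]. The following script is an added example, not fail2ban's own code or a tool from this tutorial; it reproduces that layering with Python's configparser (which has the same DEFAULT-inheritance semantics) on a constructed jail.conf excerpt and a jail.local trimmed from the example above, and reports the effective bantime, findtime and maxretry per jail together with any enabled jail that has no logpath to watch. The %(...)s placeholders are kept literal; fail2ban resolves them from its paths-*.conf files, which this example does not model.

```python
"""Resolve effective fail2ban jail settings from jail.conf + jail.local.

Added example (not fail2ban's own code): mimics how fail2ban layers the two
files so you can see which jails are enabled and what bantime/maxretry each
ends up with before running `systemctl restart fail2ban`.
"""
import configparser

# Constructed excerpt standing in for /etc/fail2ban/jail.conf (not the real file).
# In the shipped jail.conf, 'enabled = false' lives in [DEFAULT] and jails only
# describe their ports and logs; jail.local is where jails get switched on.
JAIL_CONF = """
[DEFAULT]
enabled = false
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s

[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
"""

# Constructed jail.local mirroring the tutorial's example, trimmed to two jails.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 600
maxretry = 5
action = %(action_mwl)s

[postfix]
enabled = true
filter = postfix
bantime = 864000
maxretry = 1
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
#action = firewallcmd-ipset

[dovecot]
enabled = true
bantime = 3153600
filter = dovecot
maxretry = 2
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
"""


def load_jails(*sources):
    """Parse INI texts in order: later files override earlier ones, and every
    jail section inherits options it does not set from [DEFAULT]."""
    # interpolation=None keeps %(postfix_log)s literal; fail2ban resolves those
    # names from its paths-*.conf files, which this example does not model.
    parser = configparser.ConfigParser(interpolation=None)
    for text in sources:
        parser.read_string(text)
    return parser


def enabled_jails(parser):
    """Names of jails whose effective 'enabled' value is true."""
    return [s for s in parser.sections()
            if parser.getboolean(s, "enabled", fallback=False)]


def effective_settings(parser, jail):
    """Settings fail2ban would apply to `jail` after [DEFAULT] fallback."""
    sec = parser[jail]  # SectionProxy lookups fall through to [DEFAULT]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "port": sec.get("port"),
        "logpath": sec.get("logpath"),
    }


def check_enabled_jails(parser):
    """(jail, problem) pairs for enabled jails that cannot do anything useful:
    no log file to watch, or no retry threshold at all."""
    problems = []
    for jail in enabled_jails(parser):
        s = effective_settings(parser, jail)
        if not s["logpath"]:
            problems.append((jail, "no logpath"))
        if s["maxretry"] is None:
            problems.append((jail, "maxretry not set"))
    return problems


if __name__ == "__main__":
    cfg = load_jails(JAIL_CONF, JAIL_LOCAL)
    for name in cfg.sections():
        print(name, effective_settings(cfg, name))
    print("enabled:", enabled_jails(cfg))
    print("problems:", check_enabled_jails(cfg))
```

Note that sshd stays disabled (jail.local never sets enabled for it) yet still picks up the 86400-second bantime from jail.local's [DEFAULT], while postfix keeps its own 864000 and the findtime of 600 comes from jail.conf because neither file's postfix section overrides it. To inspect the real files, point load_jails at the contents of /etc/fail2ban/jail.conf and jail.local in that order.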