How to Protect Apache and SSH With Fail2Ban on CentOS 8

If you’re a system administrator, then protecting your server from different kinds of attacks is an essential part of your job; Fail2Ban firewall can help you achieve this. Fail2Ban is an intrusion prevention system written in the Python language used to block malicious IPs that are trying to breach your system security. It works by scanning various log files and blocking the IPs that are trying to make frequent login attempts for a specified bantime.  It also allows you to monitor the strength and frequency of attacks. Due to its simplicity, it is considered the preferred software to secure your server from DOS, DDOS, and brute-force attacks.

In this tutorial, we will show you how to secure an SSH and Apache server with Fail2Ban on CentOS 8.

Step 1 – Install Fail2Ban

By default, Fail2Ban is not available in the CentOS 8 default repository, so you will need to install the EPEL repository in your system.

You can install it with the following command:

dnf install epel-release -y

After installing the EPEL repository, you can install Fail2Ban with the following command:

dnf install fail2ban -y

Once installed, start the Fail2Ban service and enable it to start after system reboot:

systemctl start fail2ban
systemctl enable fail2ban

Step 2 – Secure SSH with Fail2Ban

In this section, we will learn how to secure the SSH server with Fail2Ban.

Configure Fail2Ban for SSH

By default, all pre-set jails are located inside /etc/fail2ban/jail.conf file. This is not an appropriate way to edit the default jail.conf file. You should create a separate jail.local file for each service that you want to configure.

You can create a jail.local file for SSH with the following command:

nano /etc/fail2ban/jail.local

Add the following lines:

[DEFAULT]
ignoreip = your-server-ip
bantime = 300
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd

[sshd]
enabled = true

Save and close the file when you are finished. Then, restart the Fail2Ban service to apply the changes:

systemctl restart fail2ban

You can now check the status of SSH jail with the following command:

fail2ban-client status

You should see that an SSH jail is enabled:

Status
|- Number of jail:        1
`- Jail list:        sshd

A brief explanation of each parameter is shown below:

• ignoreip: Used to define the IP addresses that you want to be ignored.
• bantime: Used to define a number of seconds the IP address will be banned for.
• findtime: Used to define the amount of time between login attempts before the IP is banned.
• maxretry: Used to define the number of attempts to be made before the IP address is banned.
• banaction: Banning action.
• enabled: This option enables the protection for SSH service.

Test SSH Against Password Attacks

At this point, Fail2Ban is installed and configured. It’s time to test whether it is working or not.

To do so, go to the remote machine and try to SSH to the server IP address:

ssh root@server-ip

You will be asked to provide the root password. Type the wrong password again and again. Once you reach the login attempt limit, your IP address will be blocked.

You can verify your blocked IP address with the following command:

fail2ban-client status sshd

You should see your blocked IP in the following output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:   7
|  |- Total failed:          39
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:        2
   `- Banned IP list:     190.8.80.42

You can also check the SSH log for failed logins:

tail -5 /var/log/secure | grep 'Failed password'

You should see the following output:

Mar  1 03:55:03 centos8 sshd[11196]: Failed password for invalid user bpadmin from 190.8.80.42 port 55738 ssh2

You can also block and unblock a specific IP address manually.

For example, to unblock the IP 190.8.80.42, run the following command:

fail2ban-client set sshd unbanip 190.8.80.42

To block the IP 190.8.80.42, run the following command:

fail2ban-client set sshd banip 190.8.80.42

Step 3 – Secure Apache with Fail2Ban

You can also secure the Apache webserver from different kinds of attacks. You will need to configure jail.local file for Apache as shown below:

nano /etc/fail2ban/jail.local

Add the following lines at the end of the file:

[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

Save and close the file when you are finished. Then, restart the Fail2Ban service to implement the changes:

systemctl restart fail2ban

You can now verify the status of all jails with the following command:

fail2ban-client status

You should see the following output:

Status
|- Number of jail:        5
`- Jail list:        apache-auth, apache-badbots, apache-noscript, sshd

A brief explanation of each jail is shown below:

• apache-auth: This jail is used to protect Apache from failed login attempts.
• apache-badbots: This jail is used to ban hosts which agent identifies spammer robots crawling the web for email addresses.
• apache-noscript: Used to block the IP which is trying to search for scripts on the website to execute.

Conclusion

In the above tutorial, we learned how to protect SSH and Apache server with Fail2Ban. It is a very useful intrusion prevention system that adds extra security to your Linux system. You are now able to configure Fail2Ban that will suit your specific security needs. Get started with Fail2Ban today with VPS Hosting from Atlantic.Net!