Sep 30, 2019
How to Protect CentOS 7 VPS: Installing Fail2Ban
In this article, you will learn how to install Fail2Ban on CentOS 7 – one of the most effective ways to ensure the safety of your server.
A server is never completely safe from online attacks, no matter how secure it is by default. Therefore, it is important to improve security by providing it with additional protection. That’s exactly what you can do with Fail2Ban on your VPS.
What Exactly is Fail2Ban?
Fail2Ban is a software that protects Linux-based web servers from brute-force, dictionary, DDoS, and DOS attacks. It provides arguably the best security measures for CentOS servers.
Fail2Ban works by monitoring system logs and banning potential attackers based on multiple unsuccessful login attempts. Once unwanted access is identified, Fail2Ban will directly use iptables and firewalld to block their IP addresses.
The installation requires you to have root access to the server through an SSH client like PuTTY (Windows) or the terminal shell (macOS and Linux). If you own Hostinger’s VPS hosting, you can find your login details in the Servers tab of the hPanel.
Is everything ready? Let’s install Fail2Ban on CentOS 7.
How to Install Fail2Ban on CentOS 7?
There are three steps for installing Fail2Ban on CentOS 7 – installing the EPEL repository, copying configuration files, and configuring Fail2Ban.
1. Install the EPEL Repository
First, you have to download the EPEL (Extra Packages for Enterprise Linux) repository which has Fail2Ban for CentOS 7 included. Run the following command:
sudo yum install epel-release
Once that is done, you can install Fail2Ban:
sudo yum install fail2ban
Secondly, don’t forget to enable and start the service by typing in these commands:
sudo systemctl enable fail2ban sudo systemctl start fail2ban
2. Copy the Configuration Files
Fail2Ban on CentOS 7 will store its configuration file in /etc/fail2ban/jail.conf. However, package upgrades can delete it. That’s why we highly suggest that you move the content to a local config file called jail.local. To do this, we’ll use the cp command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now you can make changes to Fail2Ban’s configuration. Any value you define in jail.local will override what is already in jail.conf.
3. Configure Fail2Ban
It is time to configure the local config file using the nano text editor:
sudo nano /etc/fail2ban/jail.local
Inside it, you will find the DEFAULT section. It contains global settings that will be applied throughout the Fail2Ban service:
Here’s a short summary of each command.
- ignoreip – Fail2Ban will not ban any IP address, CIDR mask, or DNS host that you list here. You can write more than one entry by separating them with a space.
- bantime – is how many seconds you want the hosts to be banned from accessing your server.
- findtime – the time limit in which the login must be done. If a host fails to log in several times (defined by maxretry) during this period, it will be banned.
- maxretry – the maximum number of attempts for a host to try accessing the server.
You can change the values based on your needs. Once the modifications are made, save the configuration file with the CTRL+X shortcut.
You have to restart Fail2Ban for the change to take effect:
sudo systemctl restart fail2ban
Great! Now your Fail2Ban is up and running on your CentOS 7 server. We have got a few tips for you when using this service.
To monitor the status of Fail2Ban jails, you can use this command:
sudo fail2ban-client status
You can simply unban an IP address by entering the following line:
sudo fail2ban-client set <jailname> unbanip <ipaddress>
Remember to replace the information inside the brackets with your own.
Fail2Ban improves your CentOS 7 server’s security. It helps ban unwanted hosts that are trying to gain access to your server. What’s great is that it’s easy to install and configure.
We showed you how to install Fail2Ban on CentOS 7. Let’s take a look at the steps once again:
- Install the EPEL repository and Fail2Ban. Then, activate the service.
- Copy the content from the original configuration files to a local config file called jail.local.
- Configure Fail2Ban by modifying the values of ignoreip, bantime, findtime, and maxretry.
That’s it! If you have any questions, feel free to comment down below.