Install Fail2Ban on CentOS 5.6 (and 5.5, 5.4)

Fail2ban is an intrusion prevention framework which scans the log files on your system (such as: var/log/secure) and spots repeated password failures.

Too many failures, and it will update your firewall to drop all traffic from the offending IP address. Pretty handy, and enough to stop the casual hacker with a dictionary attack.

Fail2ban is very flexible and can be configured to work with any service that writes to a logfile, but here’s the basics to get you up and protected in a few minutes.

1. Get the files

cd to /tmp for a nice place for them to land, then

wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download

2. Extract them

tar -xf fail2ban-0.8.4.tar.bz2

3. Head to the new directory and install

cd fail2ban-0.8.4

then (you need to have python installed)…

python setup.py install

All installed ok?

4. Get it starting up automatically

cp files/redhat-initd /etc/init.d/fail2ban

chkconfig --add fail2ban

chkconfig fail2ban on

5. Config

You’ll need to turn some stuff on, and fiddle with settings to your liking in:

/etc/fail2ban/jail.conf

If you’re enabling SSH-iptables, then the path for SSH monitoring needs to be changed to /var/log/secure

You can determine the services being monitored, number of retries a user is allowed, as well as the ban time in this settings file.

Once you’re configured, start the service with:

service fail2ban start

And you’re done.

12 thoughts on “Install Fail2Ban on CentOS 5.6 (and 5.5, 5.4)

  1. Thanks! This is a great guide. Just had to format my servers drives and start fresh. Hacker got in and was running botnet scripts and what not!

  2. /etc/fail2ban/jail.conf: line 61: syntax error near unexpected token `(‘

    /etc/fail2ban/jail.conf: line 61: `action_ = %(banaction)s[name=%(__name__)s, port=”%(port)s”, protocol=”%(protocol)s”, chain=”%(chain)s”]’

  3. Thank you, this worked fine.
    But one question. After Fail2ban has been installed is it ok to delete all the Fail2ban files and folders from the /tmp folder..?
    I’m 90% sure Fail2ban does not use files in the /tmp folder once it is installed.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>