Install Fail2Ban on CentOS 5.6 (and 5.5, 5.4)

Fail2ban is an intrusion prevention framework that scans log files on your system (such as /var/log/secure) and spots repeated authentication failures.

Too many failures from one address within a set window, and it adds an iptables rule to drop traffic from the offending IP for the configured ban time (with the default iptables action, only traffic to the port the jail protects). Pretty handy, and enough to stop the casual attacker running a dictionary attack against SSH.

Fail2ban is very flexible and can be configured to work with any service that writes to a logfile, but here are the basics to get you up and protected in a few minutes.
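To make the mechanism concrete before installing anything, here is an added example (my own script, not fail2ban's code) that applies the same decision to a handful of constructed /var/log/secure lines: only sshd "Failed password ... from <ip>" lines count, a host is banned once it has maxretry failures inside a findtime window, and successful logins or slow, widely spaced guesses do not trigger it. The log lines and the addresses (RFC 5737 documentation ranges) are made up for the example.

```shell
#!/bin/sh
# Added example, not fail2ban's code: a scan of constructed /var/log/secure
# lines that reproduces what the sshd filter plus maxretry/findtime decide.

# Constructed sample log (not a real capture); addresses are RFC 5737
# documentation ranges.  203.0.113.7 hammers, 198.51.100.20 mistypes twice,
# 203.0.113.9 guesses slowly, fifteen minutes apart.
SAMPLE_LOG='Jun  1 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jun  1 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 50002 ssh2
Jun  1 10:00:04 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
Jun  1 10:00:05 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 50004 ssh2
Jun  1 10:00:06 host sshd[2005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Jun  1 10:00:07 host sshd[2006]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Jun  1 10:00:08 host sshd[2007]: Failed password for deploy from 198.51.100.20 port 40002 ssh2
Jun  1 10:00:09 host sshd[2008]: Failed password for deploy from 198.51.100.20 port 40003 ssh2
Jun  1 10:05:09 host sshd[2009]: Failed password for root from 203.0.113.9 port 50100 ssh2
Jun  1 10:20:09 host sshd[2010]: Failed password for root from 203.0.113.9 port 50101 ssh2
Jun  1 10:35:09 host sshd[2011]: Failed password for root from 203.0.113.9 port 50102 ssh2'

# Print the addresses that cross the threshold, one per line, in the order
# they would be banned.  Args: log text, maxretry, findtime in seconds.
banned_ips() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        # Only sshd "Failed password ... from <ip>" lines count, roughly what
        # filter.d/sshd.conf matches; "Accepted ..." and other daemons are ignored.
        $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for .* from [0-9.]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # seconds since midnight from the HH:MM:SS field (same-day sample)
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            n[ip]++; stamp[ip, n[ip]] = now
            # count the failures from this address inside the findtime window
            cnt = 0
            for (j = 1; j <= n[ip]; j++) if (now - stamp[ip, j] <= findtime) cnt++
            if (cnt >= maxretry && !(ip in ban)) { ban[ip] = 1; print ip }
        }'
}

# Defaults from jail.conf: maxretry 5 for ssh-iptables, findtime 600.
banned_ips "$SAMPLE_LOG" 5 600   # prints 203.0.113.7
```

With the defaults only the hammering host is banned; the two mistyped passwords never reach maxretry, and the slow guesser is only caught if findtime is widened to cover the gaps between its attempts. For each address printed, fail2ban's iptables action inserts a DROP rule for it into the per-jail chain (fail2ban-SSH for a jail whose action has name=SSH).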

1. Get the files

cd to /tmp, a convenient place for the files to land, then fetch the tarball (the -O matters: this SourceForge URL ends in /download, which is what wget would otherwise name the file):

wget -O fail2ban-0.8.4.tar.bz2 http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download

2. Extract them

tar -xjf fail2ban-0.8.4.tar.bz2

3. Head to the new directory and install

cd fail2ban-0.8.4

then (you need Python installed; the Python 2.4 that ships with CentOS 5 is enough for fail2ban 0.8)…

python setup.py install

Check that it installed ok: fail2ban-client -V should report version 0.8.4.

4. Get it starting up automatically

cp files/redhat-initd /etc/init.d/fail2ban

chmod 755 /etc/init.d/fail2ban

chkconfig --add fail2ban

chkconfig fail2ban on

5. Config

You’ll need to turn some stuff on and fiddle with settings to your liking. The stock settings live in:

/etc/fail2ban/jail.conf

You can edit that file directly, but fail2ban also reads /etc/fail2ban/jail.local after it, so putting your overrides there keeps them apart from the defaults and safe across upgrades.

Every jail ships disabled. If you’re enabling [ssh-iptables], set its enabled = true and change its logpath from the default /var/log/sshd.log to /var/log/secure, which is where CentOS logs sshd authentication failures; with the wrong path the jail starts but never bans anyone.

Also add the address or subnet you administer from to ignoreip in the [DEFAULT] section, so a few mistyped passwords of your own don’t lock you out.

You can determine the services being monitored, the number of retries (maxretry) a host is allowed within findtime seconds, as well as the ban time (bantime) in this settings file.

Once you’re configured, start the service with:

service fail2ban start

Confirm the jail is running with fail2ban-client status ssh-iptables, and check the new chain with iptables -L fail2ban-SSH -n (the chain takes its name from the name=SSH in the jail’s action).

And you’re done.
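Steps 1 to 5 collected into one script, as an added example that is not from the original post: the install steps are the commands above (they need root and network access, so they only run when the script is invoked with the argument install), the overrides go into a jail.local rather than into jail.conf, and a small check refuses to start the service if the SSH jail is disabled or still watches /var/log/sshd.log. The admin subnet in ignoreip (192.0.2.0/24, an RFC 5737 documentation range) is an assumption to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-5 as one script, plus
# a jail.local that enables the SSH jail with the CentOS log path.  Run as
# root with network access; the admin subnet in ignoreip is an assumption.
VERSION=0.8.4
TARBALL="fail2ban-$VERSION.tar.bz2"
URL="http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-$VERSION/$TARBALL/download"

# Steps 1-4: fetch, unpack, install, register the init script.
install_fail2ban() {
    cd /tmp || return 1
    wget -O "$TARBALL" "$URL" || return 1
    tar -xjf "$TARBALL" || return 1
    cd "fail2ban-$VERSION" || return 1
    python setup.py install || return 1
    cp files/redhat-initd /etc/init.d/fail2ban || return 1
    chmod 755 /etc/init.d/fail2ban
    chkconfig --add fail2ban
    chkconfig fail2ban on
}

# Step 5: leave jail.conf untouched and put the overrides in jail.local,
# which fail2ban reads after jail.conf.  Arg: path to write.
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# never ban localhost or the subnet you administer from (assumed 192.0.2.0/24)
ignoreip = 127.0.0.1 192.0.2.0/24
bantime  = 3600
findtime = 600

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# CentOS logs sshd authentication failures here, not in /var/log/sshd.log
logpath  = /var/log/secure
maxretry = 5
EOF
}

# Sanity check before starting the service: the jail must be enabled, must
# watch the file sshd actually writes to, and must still ignore localhost.
# Prints "ok" or the reason it failed.  Arg: path of the jail.local to check.
check_jail_local() {
    f="$1"
    grep -q '^\[ssh-iptables\]' "$f" || { echo "no ssh-iptables section"; return 1; }
    grep -q '^enabled *= *true' "$f" || { echo "jail not enabled"; return 1; }
    grep -q '^logpath *= */var/log/secure' "$f" || { echo "wrong logpath"; return 1; }
    grep -q '^ignoreip *= *.*127\.0\.0\.1' "$f" || { echo "localhost not ignored"; return 1; }
    echo ok
}

# Only do the real install when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_fail2ban || exit 1
    write_jail_local /etc/fail2ban/jail.local
    check_jail_local /etc/fail2ban/jail.local && service fail2ban start
fi
```

Run it as sh install-fail2ban.sh install; after it starts the service, fail2ban-client status ssh-iptables should list /var/log/secure as the monitored file.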

  • Websurfer

thank you for posting the easy to follow instructions…works well on centos 5.6 64bit.

    • Will Grant

Most welcome!

  • Mário Santos

    Worked like a charm!

    Thanks!

    • Will Grant

      Mário, you are welcome!

  • josh

    Thanks for the instructions!

    • Will Grant

      No problem Josh – glad it worked well for you.

  • Anonymous

    Thanks! This is a great guide. Just had to format my servers drives and start fresh. Hacker got in and was running botnet scripts and what not!

    • Will Grant

      You’re welcome.

  • Genx

Thanks a lot buddy.. it really helped me.

  • sollom

/etc/fail2ban/jail.conf: line 61: syntax error near unexpected token `('

/etc/fail2ban/jail.conf: line 61: `action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]'

  • Colin

    Thank you, this worked fine.
    But one question. After Fail2ban has been installed is it ok to delete all the Fail2ban files and folders from the /tmp folder..?
    I’m 90% sure Fail2ban does not use files in the /tmp folder once it is installed.

    • Will Grant

      Yep, all the /tmp stuff can be deleted once installed.