Fail2ban

From Linux User Group at WUR

fail2ban is an in-firewall means of preventing repeated attempts at logging in to a machine. As such, it interacts with the Puppet-controlled firewall under RHEL7 and Ubuntu. Here are the things you'll need to configure to get it going.

First, install it:

# yum install fail2ban

This will likely come with the fail2ban-firewalld package. We don't want this, so remove its jail configuration:

# rm /etc/fail2ban/jail.d/00-firewalld.conf

In order to enable any jails, you'll need to set one to enabled=true. Editing jail.conf is considered taboo, so put the override in jail.local:

# vim /etc/fail2ban/jail.local

[sshd]
enabled=true

then when you:

# systemctl start fail2ban.service

You should see the firewall chain f2b-sshd (or fail2ban-sshd under Ubuntu) created and linked to INPUT. Puppet will move this around a little, but it will never put the fail2ban jump below the ACCEPT lines in INPUT, because it considers any uncontrolled line to have a number of 9000. Any new ACCEPT entry in INPUT must therefore have a number > 9000.
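To confirm that ordering on a host, the following added check (not part of the original wiki page) reads `iptables -S INPUT` output and reports whether the jump to the fail2ban chain comes before the first ACCEPT rule. The function name and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Reads `iptables -S INPUT` style output on stdin.
# $1: fail2ban chain name (f2b-sshd on RHEL7, fail2ban-sshd on Ubuntu).
# Exit status: 0 = jump precedes every ACCEPT, 1 = an ACCEPT comes first,
#              2 = INPUT has no jump to the chain at all.
f2b_jump_before_accept() {
    awk -v chain="$1" '
        $1 != "-A" || $2 != "INPUT" { next }   # skip the policy line and other chains
        {
            rule++
            target = ""
            for (i = 3; i < NF; i++)
                if ($i == "-j") target = $(i + 1)
            if (target == chain && !jump) jump = rule        # first jump to fail2ban
            if (target == "ACCEPT" && !accept) accept = rule # first ACCEPT rule
        }
        END {
            if (!jump) exit 2
            if (accept && accept < jump) exit 1
            exit 0
        }'
}

# Constructed sample: fail2ban jump sits above the ACCEPT rules.
GOOD_RULES='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: an ACCEPT for SSH is evaluated before the fail2ban jump,
# so banned addresses would still be let in.
BAD_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd'

for sample in "$GOOD_RULES" "$BAD_RULES"; do
    if printf '%s\n' "$sample" | f2b_jump_before_accept f2b-sshd; then
        echo "ok: fail2ban jump precedes ACCEPT rules"
    else
        echo "problem: ACCEPT precedes fail2ban jump, or jump missing"
    fi
done
```

On a live machine, run it as root with `iptables -S INPUT | f2b_jump_before_accept f2b-sshd` after a Puppet run.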

Don't forget to:

# systemctl enable fail2ban.service