Installing Fail2ban on CentOS

Here’s a short tutorial for those of you looking to install Fail2ban on an existing CentOS server or VPS.

First of all, determine which CentOS version you have by running the following command in an SSH session:

cat /etc/centos-release

The response will probably be something like this:

CentOS release 6.8 (Final)

Now that we know the CentOS version is 6, we will have to get the latest EPEL yum repository, using the following command:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

The next step is to install Fail2ban with the following command:

yum install fail2ban

When prompted with "Is this ok [y/N]:", type y and press Enter.

This may take a few minutes, so sit back and relax while the installation finishes.

You might want to protect your server or VPS with Fail2ban because you are seeing too many failed login attempts for WordPress, Proftpd, Exim2 or sshd4/sshd5, for example. To do so, create the following local configuration file using an editor such as nano:

nano /etc/fail2ban/jail.local

(Don’t have Nano? You can install Nano with the following command: yum install nano.)

Here is how to set up an sshd jail to catch failed login attempts to SSH:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
findtime = 3600
bantime = 86400

Here is how to set up an exim jail to catch failed login attempts to Exim:

[exim]
enabled = true
port = smtp,465,submission
filter = exim
logpath = /var/log/exim/mainlog
maxretry = 3
findtime = 86400
bantime = 31536000

Now that we have created these jails and saved our configuration file (ctrl+x), we have to start Fail2ban on our server or VPS with the following command:

service fail2ban start

If everything went as expected you should get the following response:

Starting fail2ban: [ OK ]

Using Fail2ban to block login attempts to WordPress

If you would also like to protect your server or VPS from failed login attempts to WordPress, you should first create a filter.

Your filters are located here: /etc/fail2ban/filter.d/

Create a new filter named wordpress.conf using Nano as follows: nano /etc/fail2ban/filter.d/wordpress.conf

Copy and paste the following code into the newly created wordpress.conf filter file:

# Fail2Ban filter for wordpress
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = wordpress

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$

ignoreregex =

# Author: John Doe

Now that you have created the wordpress.conf filter, you will need to add a new rule to your jail.local file which you have previously created:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/secure
maxretry = 3
findtime = 86400
bantime = 31536000
action = iptables-multiport[name=wordpress,port="80,443"]

Finally, you will have to restart Fail2ban using the following command: service fail2ban restart

If everything went well, this is what the response should look like:

Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
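
To see what the wordpress filter and jail above will match, here is an added Python sketch (not part of the original tutorial and not Fail2ban's own code) that runs the two failregex lines over constructed /var/log/secure entries and applies maxretry = 3 within findtime = 86400. PREFIX and HOST are simplified stand-ins for Fail2ban's %(__prefix_line)s and <HOST>, and the sample lines assume WordPress is writing these messages to syslog, which the filter depends on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s and <HOST>.
PREFIX = r"\S+ wordpress(?:\([^)]*\))?(?:\[\d+\])?: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sPingback error .* generated from <HOST>$",
]
COMPILED = [re.compile(r.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for r in FAILREGEX]

MAXRETRY, FINDTIME = 3, 86400  # values from the [wordpress] jail

# Constructed sample lines in syslog format (documentation IP ranges only).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.7
Mar  3 10:00:09 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.7
Mar  3 10:00:12 web1 sshd[1990]: Failed password for root from 198.51.100.4 port 4242 ssh2
Mar  3 10:01:30 web1 wordpress(example.com)[2214]: Pingback error 17 generated from 203.0.113.7
Mar  3 10:05:00 web1 wordpress(example.com)[2215]: Authentication failure for bob from 198.51.100.9
Mar  3 10:06:00 web1 wordpress(example.com)[2216]: Accepted password for bob from 198.51.100.9
Mar  5 11:00:00 web1 wordpress(example.com)[2300]: Authentication failure for bob from 198.51.100.9
Mar  5 11:00:05 web1 wordpress(example.com)[2300]: Authentication failure for bob from 198.51.100.9
"""

def hosts_to_ban(log_text, year=2017):
    """Return the hosts that reach MAXRETRY matches within FINDTIME seconds."""
    hits, banned = defaultdict(list), set()
    for line in log_text.splitlines():
        stamp, rest = line[:15], line[16:]  # split off the syslog timestamp
        match = next((m for m in (rx.search(rest) for rx in COMPILED) if m), None)
        if not match:
            continue  # other daemons and successful logins are ignored
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        times = hits[match.group("host")]
        times.append(when)
        # keep only the failures that fall inside the sliding findtime window
        times[:] = [t for t in times if when - t <= timedelta(seconds=FINDTIME)]
        if len(times) >= MAXRETRY:
            banned.add(match.group("host"))
    return banned

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))
```

On the server itself, fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/wordpress.conf runs the real filter against the real log and reports how many lines matched.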

Congratulations, your server or VPS is now protected against scum trying to make your life miserable!