CentOS 7 – Installing Fail2ban

Tags: centos, fail2ban, openssh, ssh, sshd

I am using @GarethTheRed's answer to this question to install fail2ban on a remote CentOS 7 server. I am able to complete all the steps up until tail -f /var/log/fail2ban.log, at which point I get different results than he gets in his answer.

Here are the results I am getting at this step:

[root@remotecentosserver.com ~]# tail -f /var/log/fail2ban.log
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 16:55:53,550 fail2ban.server.database[6667]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-12-02 16:55:54,239 fail2ban.server.database[6667]: WARNING New database created. Version '2'  

After the last line, I just get a cursor but no command prompt unless I type Ctrl-C.

When I type systemctl status fail2ban, it tells me that fail2ban is active. When I log out of the system and log back in later, sshd tells me that there have been many failed attempts to log in since my last login. So there should be fail2ban logs. But I cannot seem to find them.

Can someone show me how to get this set up so that fail2ban generates logs that I can track?

Best Answer

Try installing fail2ban from EPEL. It's packaged for CentOS 7 and you'll get updates as they are released. Installing the rpm from another repo may work (it did in this case) but is not the best way of doing things.

First of all, install the EPEL repository by issuing the following (as root):

yum install epel-release

The above should install EPEL and give you access to many new packages. One of those packages is fail2ban, therefore install it by running:

yum install fail2ban

By default there are no jails configured, therefore to configure a basic sshd jail:

Create/edit the file /etc/fail2ban/jail.local and add:

[sshd]
enabled = true

Start it with:

systemctl start fail2ban

Make it start at boot time:

systemctl enable fail2ban

There used to be a known bug where SELinux would block fail2ban from accessing the log files it needed to do its job. This seems to be fixed in the most recent version of CentOS 7; you shouldn't need to make the changes below.

If you do have this issue, symptoms are nothing appearing in the logs and nothing appearing as failed or blocked in the output of fail2ban-client status sshd.

To check for SELinux error, read the journals with:

journalctl -lfu fail2ban

Watch them for messages such as:

SELinux is preventing /usr/bin/python2.7 from getattr access on the file .
       *****  Plugin catchall (100. confidence) suggests   **************************
       If you believe that python2.7 should be allowed getattr access on the  file by default.
       Then you should report this as a bug.
       You can generate a local policy module to allow this access.
       Do 
       allow this access for now by executing:
       # grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
       # semodule -i mypol.pp

Therefore do as suggested and run:

grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Then, to be safe, restart fail2ban:

systemctl restart fail2ban

You may even have to repeat the process above until no more error messages appear in the log.

If your server is on the internet then monitor fail2ban-client status sshd. It will soon start to show failed and banned counts if you've caught all the SELinux issues.

Note that you will have to keep an eye on your SELinux policy updates. If a selinux-policy package update appears, it may overwrite the above and you may need to run the above commands again. You'll know if this is the case as fail2ban will stop working again!
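The procedure in the answer above, condensed into a small POSIX shell script. This is an added example, not code from the answer or from the fail2ban project: it writes the minimal jail.local from the answer and provides two verification helpers, one that counts Ban actions for a jail in fail2ban.log (the evidence the question was looking for) and one that counts the "SELinux is preventing" messages the answer says to watch for in journalctl -lfu fail2ban. All functions take a file or directory argument so they can be run against a scratch directory and constructed sample lines; the log lines below are constructed in the fail2ban 0.9 format and are not real server output. The yum and systemctl steps themselves are left to the answer.

```shell
#!/bin/sh
# Added example (not part of the original answer). Every function takes an
# explicit path so it can be exercised against a scratch directory offline.

# Write the minimal sshd jail from the answer into "$root/etc/fail2ban/jail.local"
# ("$root" would be "" on a real CentOS 7 host). Prints the path written.
write_sshd_jail() {
    root="$1"
    mkdir -p "$root/etc/fail2ban"
    cat > "$root/etc/fail2ban/jail.local" <<'EOF'
[sshd]
enabled = true
EOF
    printf '%s\n' "$root/etc/fail2ban/jail.local"
}

# Count Ban actions for a jail in a fail2ban.log file. Unban lines and
# "Found" lines from the filter are deliberately not counted.
# grep -c exits 1 when the count is 0 but still prints "0", hence "|| true".
count_bans() {
    jail="$1"; logfile="$2"
    grep -c "NOTICE *\[$jail\] Ban " "$logfile" || true
}

# Count SELinux denials in saved journal output, e.g. from
#   journalctl -u fail2ban > /tmp/fail2ban-journal.txt
# A non-zero result means the audit2allow / semodule step in the answer applies.
count_selinux_denials() {
    grep -c 'SELinux is preventing' "$1" || true
}

# Stand-alone demonstration against a scratch directory with constructed data.
tmp=$(mktemp -d)
jail_file=$(write_sshd_jail "$tmp")
echo "wrote $jail_file:"
cat "$jail_file"

# Constructed sample fail2ban.log (hypothetical addresses from TEST-NET ranges).
cat > "$tmp/fail2ban.log" <<'EOF'
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 17:01:10,102 fail2ban.filter[6667]: INFO    [sshd] Found 192.0.2.10
2014-12-02 17:01:40,771 fail2ban.actions[6667]: NOTICE  [sshd] Ban 192.0.2.10
2014-12-02 17:05:02,003 fail2ban.actions[6667]: NOTICE  [sshd] Ban 198.51.100.7
2014-12-02 17:11:40,771 fail2ban.actions[6667]: NOTICE  [sshd] Unban 192.0.2.10
EOF

# Constructed sample journal output containing one denial of the kind the answer quotes.
cat > "$tmp/journal.txt" <<'EOF'
Dec 02 16:55:53 host systemd[1]: Started Fail2Ban Service.
Dec 02 16:55:54 host setroubleshoot[6701]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file .
EOF

echo "sshd bans recorded: $(count_bans sshd "$tmp/fail2ban.log")"
echo "SELinux denials:    $(count_selinux_denials "$tmp/journal.txt")"
rm -rf "$tmp"
```

On a live host, pass an empty root to write_sshd_jail, feed /var/log/fail2ban.log to count_bans, and save journalctl -u fail2ban output to a file for count_selinux_denials; a denial count above zero with a ban count of zero is exactly the SELinux symptom the answer describes.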
