Fail2ban is one of the first pieces of software I install on Linux servers. This service will help prevent unwanted logins by banning nefarious IP addresses from gaining access to your server. Unlike installing fail2ban on Ubuntu Servers, you have to take an extra step with RHEL-based servers. I’m going to walk you through that very thing, demonstrating the process that will help you get fail2ban installed on either Rocky Linux or AlmaLinux.
The process will install both fail2ban and the necessary firewalld package to allow the service to run on the systems.
What you’ll need
The only things you need to make this work are:
- A running instance of either Rocky Linux or AlmaLinux
- A user with sudo privileges
That’s it. Let’s get to work.
SEE: Security incident response policy (TechRepublic Premium)
How to enable firewalld
Out of the box, firewalld might not be running. To fix that, open a terminal window on your server and issue the command:
sudo systemctl start firewalld
Next, enable the firewall service to run at boot with:
sudo systemctl enable firewalld
How to install fail2ban
We can now install both fail2ban and the firewalld package. Back at the terminal window, add the EPEL repository with the command:
sudo dnf install epel-release -y
Once that repository is added, install fail2ban and the firewalld component with:
sudo dnf install fail2ban fail2ban-firewalld -y
Start and enable fail2ban with the commands;
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
How to configure fail2ban
With fail2ban installed, it’s time to configure it. First, we need to create a copy of the default configuration file with the command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open that file for editing with the command:
sudo nano /etc/fail2ban/jail.local
In that file, look for the following options (in the [DEFAULT] section) and change them to reflect what you see below:
bantime = 1h
findtime = 1h
maxretry = 5
Save and close the file.
Next, we need to allow fail2ban to work with firewalld (instead of iptables) with the command:
sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
Restart fail2ban with:
sudo systemctl restart fail2ban
How to create an SSH jail
We’ll now create a jail configuration for the SSH server that will ban IP addresses for 1 day after 3 failed attempts at logging in. Create the new configuration with the command:
sudo nano /etc/fail2ban/jail.d/sshd.local
Paste the following into that new file:
enabled = true
bantime = 1d
maxretry = 3
Save and close the file. Restart fail2ban:
sudo systemctl restart fail2ban
At this point, fail2ban is now protecting from nefarious SSH connections. You can test it by attempting to log in with SSH using an incorrect password. After three attempts, you’ll be locked out for one day. If you do get locked out, you can unban your IP address with the command:
sudo fail2ban-client unban ADDRESS
Where ADDRESS is the banned IP address.
And that’s all there is to installing fail2ban on either Rocky Linux or AlmaLinux. Enjoy that heightened sense of security (just don’t rely on fail2ban for all your security needs).
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays