How to Protect Linux Server with fail2ban – Guide
When it comes to maintaining a Linux server, improving server security should be one of your main goals. By analyzing server logs you can often notice brute force login attempts, web flooding, exploit scanning and many other things. Intrusion protection software like fail2ban reads those logs for you and adds extra iptables rules to block the problematic IP addresses. This article will guide you through installing fail2ban and configuring it to defend your Linux system from brute force attacks.
How to Install Fail2Ban on Linux systems
Installing fail2ban is relatively easy:
Install Fail2Ban on CentOS/RHEL
First, update your packages, enable the EPEL repository and install fail2ban as shown.
# yum update
# yum install epel-release
# yum install fail2ban
Install Fail2Ban on Debian/Ubuntu
First, update your packages and install fail2ban as shown.
# apt-get update && apt-get upgrade -y
# apt-get install fail2ban
Optionally, if you want to enable email support (for email notifications), you can install sendmail.
# yum install sendmail [On CentOS/RHEL]
# apt-get install sendmail-bin sendmail [On Debian/Ubuntu]
To start fail2ban and sendmail now and enable them at boot, use the following commands:
# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl start sendmail
# systemctl enable sendmail
How to Configure Fail2ban on Linux systems
By default, fail2ban reads the .conf files located in /etc/fail2ban/ first, and then applies any .local files found in the same directory on top of them.
A .local file therefore doesn't have to repeat all the settings of the .conf file, only the ones you want to override. Always make your changes in .local files, never in the .conf files: this prevents an update of the fail2ban package from overwriting your changes.
For the purposes of this tutorial we will copy the existing fail2ban.conf file to fail2ban.local.
# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
You can now make changes to the .local file using your favorite text editor. The values you can edit are:
Configure Fail2ban jail.local
One of the most important files in fail2ban is the jail.conf which defines your jails. This is where you define the services for which fail2ban should be enabled.
As we mentioned earlier, .conf files can change during updates, so you should create a jail.local file where you can apply your changes.
Another way to do this is to simply copy the .conf file with:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
If you are using CentOS or Fedora, you will need to change the backend in jail.local from “auto” to “systemd”.
Enable backend in Fail2ban
If you are using Ubuntu/Debian there is no need to make this modification, even though they also use systemd.
The jail file will enable SSH by default for Debian and Ubuntu, but not CentOS. If you want to enable it, just change the following line in /etc/fail2ban/jail.local:
[sshd]
enabled = true
Ban and retry times
You can configure the conditions under which an IP address is banned. For this, fail2ban uses three settings: findtime (the time window in which failed attempts are counted), maxretry (the number of failed attempts within findtime that triggers a ban) and bantime (how long the ban lasts).
Whitelist IP address
Of course, you will want to whitelist certain IP addresses. To configure these IP addresses open /etc/fail2ban/jail.local with your favorite text editor and uncomment the following line:
ignoreip = 127.0.0.1/8 ::1
Then append the IP addresses that you want to be ignored. IP addresses must be separated by a space or comma.
Email Alerts
If you want to receive email alerts about the event, you will have to configure the following settings in /etc/fail2ban/jail.local:
The default mta (mail transfer agent) is set to sendmail.
To receive email notifications, you will also need to change the "action" setting from:
action = %(action_)s
to one of these:
action = %(action_mw)s
action = %(action_mwl)s
The first one bans the address and emails a whois report; the second additionally includes the matching log lines in the email.
Additional Fail2ban Jail Setup
So far we’ve seen the basic configuration options. If you want to configure a jail, you will need to enable it in the jail.local file. The syntax is very simple:
[jail_to_enable]
...
enabled = true
Where you should replace jail_to_enable with the real jail name, e.g. "sshd". In the jail.local file, the following values will be predefined for the ssh service:
[sshd]
port = ssh
logpath = %(sshd_log)s
You can also set the filter, which identifies the lines in the log that represent a failed attempt. The filter value is actually a reference to a file named after the service followed by .conf, for example /etc/fail2ban/filter.d/sshd.conf.
The syntax is:
filter = service
For example:
filter = sshd
You can review existing filters in the following directory: /etc/fail2ban/filter.d/.
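To show how the filter and the findtime/maxretry/bantime settings from the two sections above work together, here is an added Python model that is not part of the original article and not fail2ban's own code. It applies a simplified sshd-style failregex (with the <HOST> tag replaced by a capture group, as fail2ban does) to constructed auth.log lines and bans an address once it accumulates maxretry failures inside a sliding findtime window; the log lines, the regex and the settings are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines for the example (syslog format, no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:20 host sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:00:30 host sshd[1205]: Failed password for root from 198.51.100.7 port 42000 ssh2
Mar  3 10:25:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 42001 ssh2
"""

# Simplified failregex in fail2ban's style; fail2ban substitutes the
# <HOST> tag with a group matching the offending address before compiling.
FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
HOST_GROUP = r"(?P<host>\S+)"

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def parse_failures(log_text, failregex=FAILREGEX, year=2024):
    """Yield (timestamp, host) for every log line the filter matches."""
    rx = compile_failregex(failregex)
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host")

def simulate_bans(log_text, maxretry=3, findtime=600, bantime=600, ignoreip=()):
    """Return {host: time_of_ban}, counting failures in a sliding findtime window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per host: timestamps of failures still inside findtime
    bans = {}
    for ts, host in parse_failures(log_text):
        if host in ignoreip:      # whitelisted, like the ignoreip setting
            continue
        banned_at = bans.get(host)
        if banned_at is not None:
            if ts - banned_at < timedelta(seconds=bantime):
                continue          # still banned; the firewall rule would drop this
            del bans[host]        # bantime elapsed: unban and start counting again
            recent[host].clear()
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts
    return bans
```

With the defaults, 203.0.113.5 is banned on its third failure within nine seconds, while 198.51.100.7, whose two failures are 25 minutes apart, never reaches maxretry inside the 10-minute findtime.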
Use fail2ban-client
Fail2ban comes with a client that can be used to review and change the current configuration. As it offers many options, you can refer to its manual with:
# man fail2ban-client
Here are some of the basic commands you can use. To review the current fail2ban status, or the status of a specific jail, you can use:
# fail2ban-client status
The result will be similar to this:
Check Fail2ban status
For an individual jail, you can run:
# fail2ban-client status sshd