Is your Fedora Server truly secure?
You’ve just finished setting up a Fedora Server, deployed Nginx, and feel like everything is ready. But try typing the command lastb. You’ll be shocked to see thousands of failed login attempts from strange IPs in Russia, China, or Brazil after just one night.
In practice, any server with a public IP sees on the order of 2,000 to 5,000 of these "lock-picking" attempts a day. A strong password will probably hold, but processing tens of thousands of bogus authentication requests still costs CPU time and bandwidth, and it fills your logs.
Why do botnets visit you constantly?
No hacker sits there typing every password. These are botnets programmed to scan entire IP ranges across the Internet. When they find port 22 (SSH) open, they automatically perform brute-force attacks. They try common usernames like admin or root combined with millions of dictionary passwords.
The most exposed service is SSH, which has to stay open for remote management. If bots are left to hammer it freely, finding a weak credential is only a matter of time. Even when every guess fails, the flood of failed logins bloats the journal and log files and can eventually fill the disk.
Manual defense tips (and their limitations)
System admins often share a few quick “firefighting” methods:
- Change the SSH port: move SSH from 22 to, say, 2222. This filters out the laziest bots, but a single nmap scan of your host finds the new port in seconds.
- Use SSH keys: this is the strongest fix, provided you also set PasswordAuthentication no in sshd_config so that guessed passwords are useless. The downside is convenience: urgent access from a new device that does not hold your private key is not possible.
- Block IPs with the firewall: if you spot a bad IP, block it with firewalld. But you cannot watch the logs 24/7 and type a command for each of thousands of IPs.
Fail2ban – The Automatic Gatekeeper on Fedora
The most practical solution is Fail2ban. This tool works like a nightclub bouncer: it monitors system logs and counts failed password attempts. If an IP exceeds the limit, Fail2ban instructs the firewall to “ban” that IP immediately for a set period.
On Fedora, Fail2ban works exceptionally well with firewalld and systemd-journald. This is the perfect security trio for your server.
Step 1: Install Fail2ban
Fail2ban is available in the official Fedora repositories. Simply open your terminal and run:
sudo dnf install fail2ban fail2ban-firewalld -y
The fail2ban-firewalld package matters: it ships a drop-in under /etc/fail2ban/jail.d/ that switches the default ban action to firewalld rich rules, so bans are applied through Fedora's own firewall rather than by calling iptables directly, and no further wiring is needed.
Step 2: Set up “jail” rules for bad actors
Never edit /etc/fail2ban/jail.conf directly: a package update will overwrite it. Fail2ban reads jail.local (and drop-ins under jail.d/) on top of jail.conf, so your changes belong there. The quickest route is to copy the file and customize the copy (a jail.local that contains only the settings you actually change is tidier, but the copy works):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the jail.local file and find the [DEFAULT] section to adjust the following parameters:
- bantime = 1h: how long a banned IP stays blocked (1h is a sensible start; raise it to 24h if you want to be stricter).
- findtime = 10m: the window over which failures from one IP are counted; older failures no longer count.
- maxretry = 5: an IP is banned as soon as it reaches 5 failures within findtime.
Specifically, configure SSH in the [sshd] section:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
Note: Fedora Server logs to the systemd journal, and /var/log/secure may not exist at all unless rsyslog is installed, so with the default file backend Fail2ban would have no text log to read. With backend = systemd it queries journald directly and logpath is ignored. Setting it explicitly is harmless even if Fedora's packaging already does so.
Step 3: Activate the system
After saving the file, start the service and set it to run automatically on boot:
sudo systemctl enable --now fail2ban
Check the operational status with the command:
sudo fail2ban-client status
If the output includes Jail list: sshd, the jail is active and the "net" has been cast.
Step 4: Check the “blacklist”
After a few hours, you’ll see the results. Run this command to see how many IPs are currently “imprisoned”:
sudo fail2ban-client status sshd
If you lock yourself out (for example by mistyping your own password five times in a row), log in through your VPS provider's console and release your address:
sudo fail2ban-client set sshd unbanip [YOUR_IP]
Real-world experience for running Fail2ban smoothly
Over my time managing Fedora, I’ve gathered 3 small tips:
- Whitelist your own IPs: add your home or office address to the ignoreip line in jail.local so you are never "kicked out" by your own typos:
ignoreip = 127.0.0.1/8 ::1 1.2.3.4
(replace 1.2.3.4 with your IP)
- Keep firewalld tight: Fail2ban is reactive; it only acts on failures that have already been logged and does nothing to shrink your exposed surface. Make sure firewalld opens only the ports you need, such as 80, 443 and SSH.
- Watch bans in real time: to see which IPs Fail2ban is "handling" as it happens, run:
sudo tail -f /var/log/fail2ban.log
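To see how bantime, findtime and maxretry from Step 2 interact with the ignoreip whitelist above, here is an added example: my own code, not Fail2ban's. It parses a jail.local fragment carrying the article's settings, feeds constructed sshd journal lines through a sliding findtime window, bans an IP at maxretry, skips whitelisted addresses, lets bans expire after bantime and supports the manual unban. Everything in it is constructed for illustration: the log lines and timestamps, the addresses 198.51.100.7 and 192.0.2.44 as attackers and 203.0.113.10 standing in for "your IP", and the regex, which is a simplified stand-in for Fail2ban's real sshd filter. The duration parser only handles the plain forms used here.

```python
"""Sliding-window model of a Fail2ban jail (findtime, maxretry, bantime, ignoreip)
run over sample sshd log lines. Added example, not Fail2ban's own code; config,
log lines, addresses and the simplified filter regex are constructed."""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment with the article's settings; 203.0.113.10
# stands in for "your own IP" on the ignoreip line.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
backend = systemd
"""

# Constructed sshd journal lines (`journalctl -o short-iso` style).
SAMPLE_LOG = """\
2024-03-10T02:00:01+0000 fedora sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
2024-03-10T02:00:04+0000 fedora sshd[1203]: Failed password for root from 198.51.100.7 port 40020 ssh2
2024-03-10T02:00:07+0000 fedora sshd[1205]: Failed password for root from 198.51.100.7 port 40031 ssh2
2024-03-10T02:00:10+0000 fedora sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40044 ssh2
2024-03-10T02:00:13+0000 fedora sshd[1209]: Failed password for invalid user test from 198.51.100.7 port 40052 ssh2
2024-03-10T02:01:00+0000 fedora sshd[1220]: Failed password for root from 192.0.2.44 port 51000 ssh2
2024-03-10T02:01:30+0000 fedora sshd[1222]: Failed password for root from 192.0.2.44 port 51002 ssh2
2024-03-10T02:05:00+0000 fedora sshd[1240]: Failed password for deploy from 203.0.113.10 port 60010 ssh2
2024-03-10T02:05:05+0000 fedora sshd[1241]: Failed password for deploy from 203.0.113.10 port 60012 ssh2
2024-03-10T02:05:10+0000 fedora sshd[1242]: Failed password for deploy from 203.0.113.10 port 60014 ssh2
2024-03-10T02:05:15+0000 fedora sshd[1243]: Failed password for deploy from 203.0.113.10 port 60016 ssh2
2024-03-10T02:05:20+0000 fedora sshd[1244]: Failed password for deploy from 203.0.113.10 port 60018 ssh2
2024-03-10T02:20:00+0000 fedora sshd[1250]: Failed password for root from 192.0.2.44 port 51010 ssh2
2024-03-10T02:20:30+0000 fedora sshd[1252]: Failed password for root from 192.0.2.44 port 51012 ssh2
2024-03-10T02:21:00+0000 fedora sshd[1254]: Failed password for root from 192.0.2.44 port 51014 ssh2
"""

# Simplified stand-in for Fail2ban's sshd filter: only "Failed password" lines count.
FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text):
    """'10m', '1h' or plain seconds -> timedelta (Fail2ban accepts more forms)."""
    n, unit = (text[:-1], text[-1]) if text[-1] in UNITS else (text, "s")
    return timedelta(seconds=int(n) * UNITS[unit])

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")

def parse_line(line):
    """Return (timestamp, source ip) for a failed-password line, else None."""
    m = FAIL_RE.match(line)
    return (parse_ts(m["ts"]), m["ip"]) if m else None

class Jail:
    def __init__(self, section):
        # A configparser SectionProxy falls back to [DEFAULT] for missing keys.
        self.bantime = parse_duration(section["bantime"])
        self.findtime = parse_duration(section["findtime"])
        self.maxretry = int(section["maxretry"])
        # strict=False: Fail2ban configs write 127.0.0.1/8, which has host bits set.
        self.ignore = [ipaddress.ip_network(n, strict=False)
                       for n in section.get("ignoreip", "").split()]
        self.failures = {}  # ip -> timestamps of failures inside the window
        self.bans = {}      # ip -> time the ban expires

    def observe(self, when, ip):
        """Record one failure; True if this failure triggers a ban."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.ignore):
            return False  # whitelisted: never counted, never banned
        recent = [t for t in self.failures.get(ip, []) if when - t <= self.findtime]
        recent.append(when)
        if len(recent) >= self.maxretry:
            self.bans[ip] = when + self.bantime
            self.failures[ip] = []
            return True
        self.failures[ip] = recent
        return False

    def unban(self, ip):
        self.bans.pop(ip, None)  # what `fail2ban-client set sshd unbanip IP` does

    def banned(self, at):
        return sorted(ip for ip, until in self.bans.items() if until > at)

def simulate(jail_text, log_text, name="sshd"):
    """Run the log through the jail; return (jail, [(time, ip) ban events])."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    jail = Jail(cfg[name])
    events = [p for p in map(parse_line, log_text.splitlines())
              if p and jail.observe(*p)]
    return jail, events
```

Calling simulate(JAIL_LOCAL, SAMPLE_LOG) bans 198.51.100.7 on its fifth failure at 02:00:13 until 03:00:13. 192.0.2.44 fails five times in total but is never banned: its first two failures are more than 10 minutes old by the time the next three arrive, so they have dropped out of the findtime window. 203.0.113.10 also fails five times and is never banned because it is on ignoreip, which is exactly why your own address belongs there.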
Server security is a continuous improvement process. With Fail2ban, you’ve built a solid automated defense layer. You’ll spend less time worrying about cheap password-guessing attacks and more time focusing on application development.

