Improving your server security should be one of your top priorities when it comes to managing a Linux server. By reviewing your server logs, you will often find repeated brute-force login attempts, web floods, exploit probing and much else.
With an intrusion prevention tool such as fail2ban you can have your server logs examined automatically and extra iptables rules added to block the offending IP addresses.
This tutorial will show you how to install fail2ban and set up a basic configuration to protect your Linux system from brute-force attacks.
Fail2ban is written in Python, and the only requirement is to have Python installed.
On CentOS/RHEL, first update your packages, enable the EPEL repository and install fail2ban as shown:
# yum update
# yum install epel-release
# yum install fail2ban
On Debian/Ubuntu, first update your packages and install fail2ban as shown:
# apt-get update && apt-get upgrade -y
# apt-get install fail2ban
Optionally, if you wish to enable mail support (for mail notifications), you can install sendmail.
# yum install sendmail                  [On CentOS/RHEL]
# apt-get install sendmail-bin sendmail [On Debian/Ubuntu]
To start and enable fail2ban and sendmail, use the following commands:
# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl start sendmail
# systemctl enable sendmail
By default, fail2ban uses the .conf files located in /etc/fail2ban/, which are read first. However, those can be overridden by .local files located in the same directory. Thus, a .local file does not need to include all settings from the .conf file, only the ones you wish to override. Changes should be made in the .local files, not in the .conf files. This prevents your changes from being overwritten when the fail2ban package is upgraded.
For the purpose of this tutorial, we will copy the existing fail2ban.conf file to fail2ban.local.
# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Now you can make the changes in the .local file using your favorite text editor. The values you can edit are:
One of the most important files in fail2ban is jail.conf, which defines your jails. This is where you define the services for which fail2ban should be enabled.
As mentioned earlier, .conf files can be overwritten during upgrades, so you should create a jail.local file in which to apply your modifications.
The simplest way to do this is to copy the .conf file:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
In case you are using CentOS or Fedora, you will need to change the backend in jail.local from “auto” to “systemd”.
If you are using Ubuntu/Debian, there is no need to make this modification, even though they too use systemd.
The jail file enables the SSH jail by default on Debian and Ubuntu, but not on CentOS. If you wish to enable it, set the following in /etc/fail2ban/jail.local:
[sshd]
enabled = true
You can configure the conditions under which an IP address is blocked. For that purpose, fail2ban uses bantime (how long a ban lasts), findtime (the window in which failures are counted) and maxretry (the number of failures within findtime that triggers a ban).
Of course, you will want to whitelist certain IP addresses. To configure such IP addresses open /etc/fail2ban/jail.local with your favorite text editor and uncomment the following line:
ignoreip = 127.0.0.1/8 ::1
Then add the IP addresses that you want to be ignored. IP addresses should be separated by spaces or commas.
If you wish to receive mail alerts upon event, you will have to configure the following settings in /etc/fail2ban/jail.local:
The default mta (mail transfer agent) is set to sendmail.
In order to receive mail notifications, you will also need to change the “action” setting from:
action = %(action_)s
To one of these:
action = %(action_mw)s
action = %(action_mwl)s
So far we have looked at the basic configuration options. If you wish to configure a jail, you will need to enable it in the jail.local file. The syntax is pretty simple:
[jail_to_enable]
. . .
enabled = true
Here you should replace jail_to_enable with the actual jail name, for example “sshd”. In the jail.local file, the following values are predefined for the SSH service:
[sshd]
port = ssh
logpath = %(sshd_log)s
You can also set a filter, which tells fail2ban how to recognize a failed login line in the log. The filter value is actually a reference to a file named after the service followed by .conf, for example /etc/fail2ban/filter.d/sshd.conf.
The syntax is:
filter = service
For example:
filter = sshd
You can review the existing filters in the following directory: /etc/fail2ban/filter.d/.
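To make the behaviour of the settings above concrete, here is an added example (not part of the original tutorial and not fail2ban's own code) that models, in plain Python, what fail2ban does with them: it layers a constructed jail.local over a constructed jail.conf so that later files override earlier ones, reads bantime, findtime, maxretry and ignoreip for the sshd jail, applies a simplified version of the sshd failregex to constructed syslog lines, and decides which hosts would be banned. The config texts, log lines, hostnames and IP addresses are all constructed; the regex, duration parser and `%(name)s`-free INI handling are deliberate simplifications of the real filter.d/sshd.conf and config loader.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for the packaged /etc/fail2ban/jail.conf defaults.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 10m
findtime = 10m
maxretry = 5
backend  = auto

[sshd]
enabled = false
port    = ssh
"""

# Constructed stand-in for jail.local: only the keys we want to override.
JAIL_LOCAL = """
[DEFAULT]
backend  = systemd
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[sshd]
enabled  = true
maxretry = 3
bantime  = 1h
"""

# Constructed sshd log lines in syslog format (the year is not part of that format).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Jan 10 10:00:05 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2",
    "Jan 10 10:00:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 50003 ssh2",
    "Jan 10 10:00:20 host sshd[1237]: Failed password for root from 203.0.113.10 port 50004 ssh2",
    "Jan 10 10:05:00 host sshd[1238]: Accepted password for alice from 192.0.2.4 port 50005 ssh2",
    "Jan 10 10:30:00 host sshd[1239]: Failed password for root from 192.0.2.9 port 50006 ssh2",
    "Jan 10 10:45:00 host sshd[1240]: Failed password for root from 192.0.2.9 port 50007 ssh2",
    "Jan 10 10:50:00 host sshd[1241]: Failed password for root from 192.0.2.9 port 50008 ssh2",
]

# Simplified failregex in the spirit of filter.d/sshd.conf; the named group plays the role of <HOST>.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def parse_duration(value):
    """Convert a fail2ban-style duration ('600', '10m', '1h', '2d') to seconds.
    Simplified: fail2ban also accepts combinations such as '1d 12h'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def load_jail(name, *texts):
    """Read config texts in order (.conf first, then .local); later files override earlier ones,
    and jail sections override [DEFAULT]. Interpolation is off, so %(...)s references are not modelled."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cfg.read_string(text)
    sec = cfg[name]
    return {
        "enabled": cfg.getboolean(name, "enabled"),
        "bantime": parse_duration(sec["bantime"]),
        "findtime": parse_duration(sec["findtime"]),
        "maxretry": int(sec["maxretry"]),
        # ignoreip entries may be separated by spaces or commas; bare addresses become /32 or /128.
        "ignoreip": [ipaddress.ip_network(n, strict=False)
                     for n in re.split(r"[\s,]+", sec["ignoreip"].strip())],
        "backend": sec["backend"],
    }


def parse_line(line):
    """Return (timestamp, host) for a failed-login line, or None if the filter does not match."""
    match = FAILREGEX.search(line)
    if match is None:
        return None
    return datetime.strptime(line[:15], "%b %d %H:%M:%S"), match.group("host")


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def find_bans(lines, jail):
    """Apply maxretry/findtime/bantime to the log: a host is banned when it accumulates
    maxretry failures inside a sliding findtime window. Returns (host, banned_at, banned_until)."""
    if not jail["enabled"]:
        return []
    windows = defaultdict(deque)
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host, jail["ignoreip"]):
            continue
        window = windows[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > jail["findtime"]:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= jail["maxretry"]:
            bans.append((host, ts, ts + timedelta(seconds=jail["bantime"])))
            window.clear()  # while banned, no further lines from this host are expected
    return bans


if __name__ == "__main__":
    sshd = load_jail("sshd", JAIL_CONF, JAIL_LOCAL)
    print("effective sshd jail:", sshd)
    for host, at, until in find_bans(SAMPLE_LOG, sshd):
        print(f"ban {host} at {at.time()} until {until.time()}")
```

Running it shows only 198.51.100.7 being banned: 203.0.113.10 is whitelisted by ignoreip, the "Accepted password" line never matches the filter, and 192.0.2.9 stays under maxretry because its first failure drops out of the findtime window before the third one arrives.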
Fail2ban comes with a client that can be used for reviewing and changing current configuration. Since it provides many options, you can go through its manual with:
# man fail2ban-client
Here you will see some of the basic commands you can use. To review the current status of fail2ban, or of a specific jail, you can use:
# fail2ban-client status
The result will look similar to this:
For an individual jail, you can run:
# fail2ban-client status sshd
In the screenshot below, you will see that I have purposely failed multiple logins so fail2ban can block the IP address from which I was trying to connect:
Fail2ban is an excellent, well-documented intrusion prevention system that provides extra security for your Linux system. It takes some time to get used to its setup and syntax, but once you familiarize yourself with it, you will feel free to change and extend its rules.