For webmasters or anyone managing a Linux server that is accessible over the Internet, the risk of the server being compromised is high, so implementing security best practices to help mitigate these attacks should be a priority. There are many tools to help protect Linux servers. One such tool is Fail2ban. Fail2ban helps protect Linux servers from brute force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan the server’s logs for malicious attempts and bans offending IPs for a specific length of time using the system’s firewall. Banned IPs are only removed from the ban list when there are no new attempts and only after the ban period has elapsed; the offending IPs are then able to connect again. To get started with installing and configuring Fail2ban, follow the steps below:
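To make the mechanism just described concrete, here is an added example (not part of the original post and not Fail2ban’s own code) that re-implements its counting logic in a few lines of grep and awk. The log lines are constructed, with timestamps as epoch seconds and addresses from the TEST-NET documentation ranges; the grep stands in for a jail’s failregex, and the awk keeps a sliding window of failures per IP so you can see how maxretry and findtime interact before an address is reported.

```shell
#!/usr/bin/env bash
# Added example: a minimal model of how a Fail2ban jail decides that an IP has
# crossed maxretry failures inside findtime. Not the original post's commands.

# Constructed sample log: "<epoch> sshd[pid]: message". Not real server output.
SAMPLE_LOG='1700000000 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
1700000030 sshd[812]: Failed password for root from 203.0.113.5 port 51123 ssh2
1700000061 sshd[813]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
1700000090 sshd[814]: Failed password for invalid user test from 203.0.113.5 port 51124 ssh2
1700000120 sshd[815]: Failed password for invalid user oracle from 192.0.2.9 port 33001 ssh2
1700000150 sshd[816]: Failed password for root from 203.0.113.5 port 51125 ssh2
1700000200 sshd[817]: Failed password for root from 203.0.113.5 port 51126 ssh2
1700001500 sshd[818]: Failed password for root from 192.0.2.9 port 33002 ssh2
1700003000 sshd[819]: Failed password for root from 192.0.2.9 port 33003 ssh2'

# offenders MAXRETRY FINDTIME < log
# Prints one "ip count" line for each address whose failures reached MAXRETRY
# within a FINDTIME-second window, in the order the threshold was crossed.
offenders() {
  local maxretry="$1" findtime="$2"
  # The grep plays the role of failregex: only failed logins reach awk.
  grep -E 'sshd\[[0-9]+\]: Failed password for .* from ([0-9]{1,3}\.){3}[0-9]{1,3} port' |
  awk -v maxretry="$maxretry" -v findtime="$findtime" '
    {
      ts = $1 + 0
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || banned[ip]) next
      # Per-IP list of failure timestamps; entries older than findtime are
      # dropped from the front, the way a jail forgets stale failures.
      n[ip]++; t[ip, n[ip]] = ts
      first = head[ip] ? head[ip] : 1
      while (first < n[ip] && t[ip, first] < ts - findtime) first++
      head[ip] = first
      if (n[ip] - first + 1 >= maxretry) {
        banned[ip] = 1
        print ip, n[ip] - first + 1
      }
    }'
}

# With the defaults-style values 5 / 600: 203.0.113.5 is reported (5 failures
# in 200 s) while 192.0.2.9, whose 3 failures span 2880 s, never qualifies.
printf '%s\n' "$SAMPLE_LOG" | offenders 5 600
```

Lowering maxretry or widening findtime changes the verdict for the slow attacker, which is exactly the trade-off the two settings control: a long findtime catches low-and-slow attempts, a short one reduces the chance of banning a legitimate user who mistypes a password a few times.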
Install Fail2ban
Fail2ban packages are included in the default Ubuntu repositories. To install it, simply run the commands below. Once the installation is complete, the service should start automatically and be ready to configure. To check that the service is up and running, run the commands below: You should see output similar to the lines below:
Configure Fail2ban
When you install Fail2ban, it ships with two default configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. Do not make your changes directly to these files, as they may be overwritten when the packages are updated. The Fail2ban service reads the configuration files in the following order:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local
Configuration files that end in .local override files that end in .conf, so make your changes in a .local file wherever possible. Most users should simply copy jail.conf to create a jail.local file, then modify the .local file to implement their changes. You do not need all the settings copied over from jail.conf, only the ones you want to override. Advanced users can simply create a jail.local file from scratch and add only the changes they want to implement.
For simplicity’s sake, we’re going to copy the jail.conf file to create the jail.local file. To do that, run the commands below: Then start editing the configuration file you just created by running the commands below:
Your very first setting should be whitelisting known IP addresses. These are addresses that you connect from and don’t want to get banned. Edit the line to ignore these IPs:
More settings to control how threats are restricted can be configured with these options: bantime, findtime and maxretry. The default bantime value is 10 mins. If you want to change how long an IP should be banned, change the value in seconds. Findtime is the window in which failures are counted before a ban is set. The default value is 5 times. To change that number, set the value for the line below: Maxretry is the number of failures within findtime before an IP is banned. The default is 5. To change that number, modify the line below:
Jails Services
Fail2ban uses the concept of jails. A service is jailed when a predefined condition is met after analyzing the service’s logs for matching patterns. When the condition is met, the corresponding actions defined in the configuration file are executed. By default, only the SSH jail is enabled. You can add more services to the list that should be banned when conditions are met. For example, here’s the SSH configuration with the settings discussed above to limit threats and ban bad actors who try to brute force your SSH server. You can replicate this for other services in the list and add more that you want to protect.
When you’re done adding your configuration settings, run the commands below to restart the Fail2ban service.
Fail2ban also comes with a client tool that can be used to interact with the service. Using the client tool, you can check the Fail2ban jail status for a particular service. For example, to check the SSH jail status, run the commands below: To unban a particular IP address, run the commands below: To manually ban an IP address, run the commands below: That should do it!
Conclusion
This post showed you how to install, configure and use Fail2ban to protect Linux servers that are accessible from the Internet. If you find any error above, please use the form below to report it.
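The following added example (my own script, not the post’s commands) ties the configuration and jail steps together: it renders a jail.local containing only the overrides discussed above (ignoreip, bantime, findtime, maxretry) and an enabled sshd jail, reads the values back so they can be checked, and then runs the fail2ban-client checks where the tool is installed. The FAIL2BAN_DIR variable, the write_jail_local and jail_setting helper names, and the 203.0.113.10 and 192.0.2.55 addresses are assumptions of this example; on a real Ubuntu host the directory is /etc/fail2ban and the ignoreip list should hold your own management addresses.

```shell
#!/usr/bin/env bash
# Added example, not the original post's commands: render a minimal jail.local
# with the discussed overrides plus an enabled sshd jail, then verify it.
set -eu

# Assumption of this script: where the Fail2ban configuration lives. On an
# unprivileged run the rendering is done in a scratch directory instead.
FAIL2BAN_DIR="${FAIL2BAN_DIR:-/etc/fail2ban}"
if ! mkdir -p "$FAIL2BAN_DIR" 2>/dev/null || [ ! -w "$FAIL2BAN_DIR" ]; then
  FAIL2BAN_DIR="$(mktemp -d)"
fi

# write_jail_local IGNOREIP BANTIME FINDTIME MAXRETRY
# Only overrides go into jail.local; everything else keeps the jail.conf defaults,
# which is why the file stays short and survives package upgrades.
write_jail_local() {
  local ignoreip="$1" bantime="$2" findtime="$3" maxretry="$4"
  cat > "$FAIL2BAN_DIR/jail.local" <<EOF
[DEFAULT]
# Addresses that must never be banned: loopback plus your management IPs.
ignoreip = $ignoreip
# Seconds an offender stays banned.
bantime = $bantime
# Window (seconds) in which failures are counted towards maxretry.
findtime = $findtime
# Failures inside findtime that trigger a ban.
maxretry = $maxretry

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
EOF
}

# jail_setting SECTION KEY -> prints the value set for KEY in that section of
# jail.local (empty if the section does not set it and thus inherits DEFAULT).
jail_setting() {
  awk -v section="[$1]" -v key="$2" '
    $0 == section { inside = 1; next }
    /^\[/ { inside = 0 }
    inside && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
  ' "$FAIL2BAN_DIR/jail.local"
}

# One hour ban after 3 failures in 10 minutes; 203.0.113.10 is a constructed admin IP.
write_jail_local "127.0.0.1/8 ::1 203.0.113.10" 3600 600 3

# Live checks only make sense where Fail2ban is installed; skipped elsewhere.
if command -v fail2ban-client >/dev/null 2>&1; then
  fail2ban-client -t                      # validate the configuration before reloading
  systemctl restart fail2ban
  fail2ban-client status sshd             # jail status, including currently banned IPs
  # fail2ban-client set sshd banip   192.0.2.55   # manual ban (constructed address)
  # fail2ban-client set sshd unbanip 192.0.2.55   # manual unban
fi
```

Running `fail2ban-client -t` before the restart is the check worth keeping: a syntax error in jail.local otherwise leaves the service down, and the SSH jail with it.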