fail2ban watches your log files and, when an IP address racks up too many failed connections, blocks it automatically at the firewall. Running it is one of the simplest and most effective things you can do for a Linux server exposed to the internet: a look at your server logs will typically show brute-force login attempts, web floods, exploit scanning and other attacks arriving around the clock.
fail2ban is an intrusion prevention tool that scans those logs for patterns of abuse and adds firewall rules (iptables by default; actions for nftables and firewalld also ship with it) that block the offending IP addresses for a configurable time. This guide shows how to install and configure it.
The requirements are minimal; fail2ban is written in Python, so a Python interpreter is all the software it needs:
- Python >=2.6 or Python >=3.2 for the fail2ban 0.9.x branch.
- Python >=2.4 for the fail2ban 0.8.x branch (both branches are old; current distribution packages ship newer releases).
- Root access to the server.
- iptables (or another firewall supported by the ban actions) and sendmail (for email notifications) are optional.
How To Install Fail2Ban On Your Linux System
Installing fail2ban takes only a few commands:
Install Fail2Ban on CentOS/RHEL
fail2ban is shipped in the EPEL repository, so enable EPEL first, update your packages and then install it:
yum update
yum install epel-release
yum install fail2ban
Install Fail2Ban on Debian/Ubuntu
Update the package index, then install fail2ban:
apt-get update && apt-get upgrade -y
apt-get install fail2ban
Sendmail is only needed if you want mail support (for example, an email notification every time an address is banned):
yum install sendmail [On CentOS/RHEL]
apt-get install sendmail-bin sendmail [On Debian/Ubuntu]
Start both services and enable them so that they come up at boot:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail
How to Configure Fail2ban in Linux Systems
fail2ban reads the .conf files in /etc/fail2ban/ first and then any .local file of the same name in the same directory; values in the .local file override those in the .conf file.
So make your changes in .local files, never in the .conf files: a package upgrade may overwrite the .conf files, but it leaves your .local files untouched. A .local file only needs to contain the parameters you actually want to change.
The simplest way to start is to copy fail2ban.conf to fail2ban.local and then trim it down to the settings you override:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Edit the .local file with your favourite text editor. The settings it controls are:
- loglevel – how much detail is logged. Possible values are CRITICAL, ERROR, WARNING, NOTICE, INFO and DEBUG; INFO is the default.
- logtarget – where log messages go. The default is the file /var/log/fail2ban.log; the alternatives are:
- STDOUT – write log messages to standard output
- STDERR – write log messages to standard error
- SYSLOG – send them to the system log
- FILE – a path to a log file
- socket – path of the Unix socket through which fail2ban-client talks to the fail2ban server.
- pidfile – location of the pidfile.
Configuring Fail2ban jail.local
The jail.conf file, which defines your jails, is the core of fail2ban's configuration. A jail ties a log file and a filter to a ban action, and this is where you choose which services fail2ban should protect.
To keep your changes safe across upgrades, put them in a jail.local file rather than editing jail.conf.
You can write a minimal jail.local containing only the sections you change, or start by duplicating the .conf file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
If you are on CentOS or Fedora, change backend in jail.local from "auto" to "systemd" so that fail2ban reads sshd's failures from the journal.
No such change is needed on Ubuntu/Debian.
jail.conf itself enables no jails; depending on the distribution, the package may switch on the sshd jail through a drop-in file in /etc/fail2ban/jail.d/. To be sure the SSH jail is active, set the following in jail.local:
[sshd]
enabled = true
Retry and Ban Counts
You can tune the circumstances under which an IP address is banned. fail2ban uses three settings for this, bantime, findtime and maxretry, plus an allow list:
- ignoreip – a space-separated list of IP addresses, CIDR ranges or hostnames that are never banned. It is commented out by default; uncomment it in /etc/fail2ban/jail.local and add your own management address so that mistyping your own password cannot lock you out of the server.
- bantime – how long an IP address stays blocked (default 10 minutes).
- findtime – the window within which failures are counted (default 10 minutes). An address is banned when it accumulates maxretry failures inside findtime; for example, with maxretry set to 3 all three failed logins must fall inside the same 10-minute window. Failures older than findtime drop out of the count.
- maxretry – the number of failures within findtime that triggers a ban (the default in jail.conf is 5).
Fail2Ban Jail Configuration
So far we have covered the defaults. To configure a jail, enable it in the jail.local file. The syntax is straightforward:
[jail_to_enable]
. . .
enabled = true
Replace jail_to_enable with the name of an actual jail, for example sshd. jail.conf already predefines the values for the SSH service, so your section only needs the line that turns it on; the inherited definition looks like this:
[sshd]
port = ssh
logpath = %(sshd_log)s
Each jail uses a filter to recognise failed attempts in the log. The filter value names a file in /etc/fail2ban/filter.d/ with a .conf extension, so filter = sshd refers to /etc/fail2ban/filter.d/sshd.conf; when no filter is given, fail2ban uses the one with the same name as the jail. The generic form and the sshd case:
filter = service
filter = sshd
You can review the existing filters in /etc/fail2ban/filter.d/.
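The following added example (written for this page; it is not fail2ban's own code) models what the settings above do: a filter, in the form of a failregex with a <HOST> placeholder applied to log lines, and a jail that counts matches per address inside findtime, bans once maxretry is reached, honours ignoreip and expires bans after bantime. It also shows the .conf/.local layering from the configuration section: settings are read from a jail.conf-style fragment first and a jail.local fragment second, so jail.local only needs the keys it changes. The two config fragments, the log lines and their integer timestamps are all constructed for the example, and the <HOST> pattern is simplified to IPv4 addresses only.

```python
"""Toy model of fail2ban's jail logic (added example, not fail2ban's own code)."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local.
JAIL_CONF = """[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8
[sshd]
enabled = false
"""

# jail.local carries only the keys it overrides; everything else is inherited.
JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
[sshd]
enabled  = true
maxretry = 3
bantime  = 1h
"""

def parse_time(value):
    """fail2ban accepts bare seconds or a value with an s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)

def load_jail(name, *fragments):
    """Read .conf first, then .local: later fragments override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in fragments:
        cp.read_string(text)
    s = cp[name]
    return {
        "enabled": s.getboolean("enabled"),
        "bantime": parse_time(s["bantime"]),
        "findtime": parse_time(s["findtime"]),
        "maxretry": s.getint("maxretry"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in s["ignoreip"].split()],
    }

# Simplified sshd failregex; fail2ban expands <HOST> to IPv4, IPv6 or hostname, here IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
                       + HOST + r" port \d+")

class Jail:
    def __init__(self, cfg):
        self.cfg = cfg
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.banned = {}                    # ip -> time the ban expires

    def observe(self, now, line):
        """Feed one log line; return the IP it got banned, or None."""
        self.banned = {ip: t for ip, t in self.banned.items() if t > now}  # expire bans
        if not (match := FAILREGEX.search(line)):
            return None                                # not a failure line
        ip = match.group("host")
        if ip in self.banned or any(ipaddress.ip_address(ip) in net for net in self.cfg["ignoreip"]):
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.cfg["findtime"]:
            window.popleft()                           # older than findtime: forgotten
        if len(window) >= self.cfg["maxretry"]:
            self.banned[ip] = now + self.cfg["bantime"]
            window.clear()
            return ip
        return None

# Constructed (seconds, log line) events; not real log data.
EVENTS = [
    (0,   "sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2"),
    (0,   "sshd[102]: Failed password for invalid user admin from 192.0.2.5 port 50001 ssh2"),
    (5,   "sshd[103]: Accepted publickey for deploy from 192.0.2.9 port 50002 ssh2"),
    (30,  "sshd[104]: Failed password for root from 198.51.100.7 port 40002 ssh2"),
    (60,  "sshd[105]: Failed password for root from 198.51.100.7 port 40003 ssh2"),
    (120, "sshd[106]: Failed password for root from 203.0.113.10 port 60001 ssh2"),
    (121, "sshd[107]: Failed password for root from 203.0.113.10 port 60002 ssh2"),
    (122, "sshd[108]: Failed password for root from 203.0.113.10 port 60003 ssh2"),
    (400, "sshd[109]: Failed password for invalid user admin from 192.0.2.5 port 50003 ssh2"),
    (800, "sshd[110]: Failed password for invalid user admin from 192.0.2.5 port 50004 ssh2"),
    (900, "sshd[111]: Failed password for invalid user admin from 192.0.2.5 port 50005 ssh2"),
]

def simulate(events=EVENTS):
    """Return [(time, ip)] for every ban the sshd jail would issue."""
    jail = Jail(load_jail("sshd", JAIL_CONF, JAIL_LOCAL))
    bans = []
    for now, line in sorted(events):
        ip = jail.observe(now, line)
        if ip:
            bans.append((now, ip))
    return bans

if __name__ == "__main__":
    for when, ip in simulate():
        print(f"t={when:>4}s  ban {ip}")
```

Two things to notice when running it: 198.51.100.7 is banned on its third failure because maxretry was lowered to 3 in jail.local, while 192.0.2.5 is not banned on its third failure at t=800, since the first one at t=0 has already aged out of the inherited 10-minute findtime; only the fourth failure at t=900 completes a window of three. 203.0.113.10 is never banned because jail.local put it in ignoreip, which is exactly where your own management address belongs.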
Using fail2ban-client
With fail2ban installed and configured, make sure it starts at boot and then check that it is actually running.
Enable it as a service with systemctl:
sudo systemctl enable fail2ban
Start it:
sudo systemctl start fail2ban
And check the status of the service:
sudo systemctl status fail2ban.service
fail2ban-client talks to the running fail2ban server. To see the overall status and the list of active jails, use:
fail2ban-client status
For an individual jail, which also lists the currently banned addresses, run:
fail2ban-client status sshd
After editing jail.local, apply the changes with fail2ban-client reload. If you ever ban yourself, lift the ban with fail2ban-client set sshd unbanip followed by your address, and then add that address to ignoreip.