Install and Configure fail2ban via Package Managers
Author: Linux Bash
Securing a web server, SSH server, and other common access points with Fail2Ban involves configuring jails to monitor log files for suspicious activity and banning offending IPs. Here's a comprehensive guide to setting this up:
1. General Installation and Setup
Ensure Fail2Ban is installed on your system:
- Ubuntu
sudo apt install fail2ban
- RHEL and derivatives (AlmaLinux, CloudLinux, etc.), also applicable to Fedora and CentOS:
sudo dnf install fail2ban
- openSUSE
sudo zypper install fail2ban
Configuration Best Practices:
Always put custom configuration in the jail.local file so that it is not overwritten during package updates. Configure jails for each service based on your needs.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
2. Securing SSH Server
Configure the SSH Jail
Fail2Ban includes a pre-configured jail for SSH. Edit /etc/fail2ban/jail.local to enable it:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
Additional Tips:
Use non-standard SSH ports to reduce brute force attempts.
Ensure strong passwords or use SSH key-based authentication.
3. Securing the Web Server
Protect Against Authentication Failures
For Apache or Nginx, Fail2Ban can monitor failed login attempts or unauthorized access in the logs:
Apache
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 3600
Nginx
[nginx-auth]
enabled = true
port = http,https
filter = nginx-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
Protect Against Bots and Scanners
For common bad bots or malicious behavior:
Apache
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 86400
Nginx
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400
Protect Against Excessive 404 Errors
Excessive 404 errors may indicate scanning attempts for vulnerabilities:
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/access.log
maxretry = 5
4. Securing FTP Server
Monitor failed login attempts on FTP servers (like VSFTPD, ProFTPD, or Pure-FTPd):
Example for VSFTPD
[vsftpd]
enabled = true
port = ftp
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 3600
5. Securing Mail Server
Protect mail servers (Postfix, Dovecot) from spammers and unauthorized access:
Example for Postfix
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600
Example for Dovecot
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600
6. Securing Other Access Points
Fail2Ban can protect any service that records failed access attempts in a log file. Examples:
MySQL
[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 5
bantime = 3600
OpenVPN
[openvpn]
enabled = true
port = openvpn
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
bantime = 3600
7. Monitor and Maintain Fail2Ban
Check Fail2Ban Status
View the status of all active jails:
sudo fail2ban-client status
Check the status of a specific jail:
sudo fail2ban-client status sshd
Unban an IP
If an IP is mistakenly banned:
sudo fail2ban-client unban IP_ADDRESS
Test Filters
Use fail2ban-regex to test whether log entries match your filters:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
8. Fine-Tune Fail2Ban
Adjust Ban Duration: Set bantime to permanently ban repeat offenders, or use bantime.increment.
Whitelist Trusted IPs: Add trusted IPs to /etc/fail2ban/jail.local under the [DEFAULT] section:
ignoreip = 127.0.0.1/8 192.168.1.0/24
Logging: Check /var/log/fail2ban.log for insights and to troubleshoot issues.
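To see how maxretry, findtime and ignoreip interact in the sshd jail above, here is an added Python model of the ban decision (example code written for this guide, not part of Fail2Ban itself). It runs a fail2ban-style failregex with the <HOST> placeholder over a constructed auth.log sample and assumes a fixed year, since syslog timestamps carry none.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log-style sample (not real data): 203.0.113.5 fails 5 times in seconds,
# 192.168.1.20 (LAN) fails 5 times, 198.51.100.9 fails 3 times spread over an hour.
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 50110 ssh2
Mar  1 10:00:03 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar  1 10:00:05 srv sshd[1003]: Failed password for root from 203.0.113.5 port 50114 ssh2
Mar  1 10:00:07 srv sshd[1004]: Failed password for root from 203.0.113.5 port 50116 ssh2
Mar  1 10:00:09 srv sshd[1005]: Failed password for root from 203.0.113.5 port 50118 ssh2
Mar  1 10:00:11 srv sshd[1006]: Failed password for bob from 192.168.1.20 port 41000 ssh2
Mar  1 10:00:12 srv sshd[1007]: Failed password for bob from 192.168.1.20 port 41001 ssh2
Mar  1 10:00:13 srv sshd[1008]: Failed password for bob from 192.168.1.20 port 41002 ssh2
Mar  1 10:00:14 srv sshd[1009]: Failed password for bob from 192.168.1.20 port 41003 ssh2
Mar  1 10:00:15 srv sshd[1010]: Failed password for bob from 192.168.1.20 port 41004 ssh2
Mar  1 10:00:30 srv sshd[1011]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
Mar  1 10:20:00 srv sshd[1012]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar  1 10:40:00 srv sshd[1013]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  1 11:00:00 srv sshd[1014]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""
# A failregex in fail2ban's filter style; <HOST> is expanded to a named group below.
FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def simulate_jail(log_text, failregex, maxretry=5, findtime=600, ignoreip=()):
    """Return {ip: log line number at which it would be banned} for hosts reaching
    maxretry matches inside a sliding findtime window (seconds), honouring ignoreip."""
    matcher = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
    allow = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits, banned = defaultdict(deque), {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m, ts = matcher.search(line), TIMESTAMP.match(line)
        if not m or not ts:
            continue  # not a failure line (e.g. an accepted login)
        ip = m.group("host")
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in allow):
            continue  # already banned, or whitelisted via ignoreip
        # Syslog timestamps carry no year; a fixed year is assumed for the arithmetic.
        t = datetime.strptime("2024 " + ts.group(1), "%Y %b %d %H:%M:%S").timestamp()
        window = hits[ip]
        window.append(t)
        while t - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = lineno
    return banned
```

With the page's sshd settings and the ignoreip line above, only 203.0.113.5 is banned; 192.168.1.20 is skipped as whitelisted, and 198.51.100.9 is never banned unless findtime is widened enough to cover its slow attempts.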
By setting up Fail2Ban across your server's critical access points, you significantly enhance your system's security against brute force and malicious attacks.
Further Reading
For further reading on the topics discussed in the guide on installing and configuring Fail2Ban, consider the following resources:
Fail2Ban Official Documentation: Provides comprehensive details on installation, configuration, and usage of Fail2Ban. Fail2Ban Documentation
Advanced SSH Security Tips: Explore more tips on securing SSH servers, including Fail2Ban configurations. DigitalOcean - How To Protect SSH
Securing Apache Servers: This guide offers additional insights into securing Apache with Fail2Ban. How To Protect Apache with Fail2Ban
Nginx Security Practices: Learn more about hardening your Nginx server against brute-force attacks. Nginx Blog - Securing Nginx
Comprehensive Linux Server Security: Further explore securing Linux servers beyond Fail2Ban. TechRepublic - Linux Server Security