Install and Configure fail2ban via Package Managers

Author
  • User
    Linux Bash

Securing a web server, SSH server, and other common access points with Fail2Ban involves configuring jails to monitor log files for suspicious activity and banning offending IPs. Here's a comprehensive guide to setting this up:


1. General Installation and Setup

Ensure Fail2Ban is installed on your system:

  1. Ubuntu:
     sudo apt install fail2ban
  2. RHEL derivatives (AlmaLinux, CloudLinux, etc.), also applicable to Fedora and CentOS:
     sudo dnf install fail2ban
  3. openSUSE:
     sudo zypper install fail2ban

Configuration Best Practices:

  • Always use the jail.local file for custom configurations to prevent overwrites during updates. Create it from the shipped defaults:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

  • Configure jails for each service based on your needs.

2. Securing SSH Server

Configure the SSH Jail

Fail2Ban includes a pre-configured jail for SSH. Edit /etc/fail2ban/jail.local to enable it:

[sshd]
enabled = true
port = ssh
filter = sshd
# Debian/Ubuntu path; on RHEL-family systems use /var/log/secure (or backend = systemd)
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

Additional Tips:

  • Use non-standard SSH ports to reduce brute force attempts; if you do, change port = ssh in the [sshd] jail to the port you chose, or the ban will not cover it.

  • Ensure strong passwords or use SSH key-based authentication.


3. Securing the Web Server

Protect Against Authentication Failures

For Apache or Nginx, Fail2Ban can monitor failed login attempts or unauthorized access in the logs:

Apache

[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 3600

Nginx

[nginx-http-auth]
enabled = true
port = http,https
# the stock filter is nginx-http-auth; Fail2Ban ships no filter named nginx-auth
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600

Protect Against Bots and Scanners

For common bad bots or malicious behavior:

Apache

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 86400

Nginx

[nginx-badbots]
enabled = true
port = http,https
# not a stock filter: create filter.d/nginx-badbots.conf first (the shipped
# apache-badbots filter is a common starting point, since both servers' default
# access-log format puts the User-Agent in the same quoted field)
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400

Protect Against Excessive 404 Errors

Repeated requests for scripts that do not exist, which Apache records in its error log as "File does not exist" or "script not found" entries, usually indicate scanning for vulnerabilities:

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
# the noscript filter matches error-log entries, not the access log
logpath = /var/log/apache2/error.log
maxretry = 5

4. Securing FTP Server

Monitor failed login attempts on FTP servers (like VSFTPD, ProFTPD, or Pure-FTPd):

Example for VSFTPD

[vsftpd]
enabled = true
port = ftp
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 3600

5. Securing Mail Server

Protect mail servers (Postfix, Dovecot) from spammers and unauthorized access:

Example for Postfix

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600

Example for Dovecot

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600

6. Securing Other Access Points

Fail2Ban can secure any service with log files. Examples:

MySQL

[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 5
bantime = 3600

OpenVPN

[openvpn]
enabled = true
port = openvpn
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
bantime = 3600

7. Monitor and Maintain Fail2Ban

Check Fail2Ban Status

View the status of all active jails:

sudo fail2ban-client status

Check the status of a specific jail:

sudo fail2ban-client status sshd

Unban an IP

If an IP is mistakenly banned:

sudo fail2ban-client unban IP_ADDRESS

Test Filters

Use fail2ban-regex to test whether log entries match your filters:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
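An added example (not from the original post or the Fail2Ban project) that emulates the counting behind the sshd jail over constructed log lines: an address is listed once it has maxretry failures within findtime seconds, findtime being Fail2Ban's time-window option (default 10m), which the jails in this guide leave at its default.

```bash
# Emulation of what the sshd jail counts: which source addresses reach "maxretry"
# failed logins within Fail2Ban's "findtime" window. Added example over constructed
# log lines; the real matching is done by filter.d/sshd.conf and tested with fail2ban-regex.

# Constructed auth.log excerpt (not from a real host). Timestamps are epoch seconds
# so the demo needs no date parsing; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG='1700000000 sshd[101]: Failed password for root from 203.0.113.7 port 51234 ssh2
1700000005 sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
1700000010 sshd[103]: Failed password for root from 203.0.113.7 port 51244 ssh2
1700000020 sshd[104]: Failed password for root from 198.51.100.9 port 40000 ssh2
1700000030 sshd[105]: Accepted publickey for deploy from 198.51.100.9 port 40001 ssh2
1700000090 sshd[106]: Failed password for root from 203.0.113.7 port 51250 ssh2
1700000100 sshd[107]: Failed password for root from 203.0.113.7 port 51251 ssh2
1700002000 sshd[108]: Failed password for root from 198.51.100.9 port 40002 ssh2'

# Usage: printf '%s\n' "$log" | offenders MAXRETRY FINDTIME
# Prints each address once, at the moment it would be banned.
offenders() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)   # the <HOST> field
      n[ip]++; t[ip, n[ip]] = $1                                  # remember failure time
      c = 0                                                       # failures inside the window
      for (i = 1; i <= n[ip]; i++) if ($1 - t[ip, i] < findtime) c++
      if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# The guide's sshd jail (maxretry = 5) with the default findtime of 10 minutes:
# only 203.0.113.7 crosses the threshold; 198.51.100.9 fails twice, 33 minutes apart.
run_guide_settings() { printf '%s\n' "$SAMPLE_LOG" | offenders 5 600; }
```

Lowering maxretry or widening findtime changes who gets listed, which is the trade-off the jail settings in this guide are making.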

8. Fine-Tune Fail2Ban

  • Adjust Ban Duration: Set bantime to -1 to ban permanently, or enable bantime.increment so that repeat offenders are banned for progressively longer periods.

  • Whitelist Trusted IPs: Add trusted IPs to /etc/fail2ban/jail.local under the [DEFAULT] section:

    ignoreip = 127.0.0.1/8 192.168.1.0/24
    
  • Logging: Check /var/log/fail2ban.log for insights and troubleshoot issues.
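
As an added check (not part of the original post or of Fail2Ban itself), a small script that validates a jail.local before reloading: every enabled jail must name a filter that exists in filter.d/ and a logpath that exists. It runs against a constructed directory here; point check_jails at /etc/fail2ban/jail.local and /etc/fail2ban/filter.d to check a real system.

```bash
# Pre-flight check for a jail.local in the plain "key = value" form used in
# this guide: for every jail with "enabled = true", verify the filter file
# exists in filter.d/ and every logpath exists. Added example, not a Fail2Ban tool.

# Report problems for one jail. Args: section enabled filter logpath filter_dir
check_section() {
  local section="$1" enabled="$2" filter="$3" logpath="$4" filterd="$5" p
  [ "$section" != "DEFAULT" ] && [ "$enabled" = "true" ] || return 0
  : "${filter:=$section}"   # Fail2Ban defaults the filter name to the jail name
  [ -f "$filterd/$filter.conf" ] || echo "[$section] filter '$filter' not found in $filterd"
  for p in $logpath; do     # logpath may list several space-separated files
    [ -e "$p" ] || echo "[$section] logpath '$p' does not exist"
  done
}

# Walk the INI file section by section and print one line per problem found.
check_jails() {
  local jail_local="$1" filterd="$2" section="" enabled="" filter="" logpath="" line key val
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                        # drop comments
    line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
    line="${line%"${line##*[![:space:]]}"}"   # trim trailing whitespace
    case "$line" in
      "") ;;
      \[*\]) check_section "$section" "$enabled" "$filter" "$logpath" "$filterd"
             section="${line#[}"; section="${section%]}"; enabled="" filter="" logpath="" ;;
      *=*)   key="${line%%=*}"; key="${key%"${key##*[![:space:]]}"}"
             val="${line#*=}";  val="${val#"${val%%[![:space:]]*}"}"
             case "$key" in
               enabled) enabled="$val" ;;  filter) filter="$val" ;;  logpath) logpath="$val" ;;
             esac ;;
    esac
  done < "$jail_local"
  check_section "$section" "$enabled" "$filter" "$logpath" "$filterd"   # final section
}

# Constructed fixture: a throwaway directory stands in for /etc/fail2ban and the
# logs so the check runs offline; the nginx-auth jail is deliberately broken.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/filter.d" && touch "$d/filter.d/sshd.conf" "$d/filter.d/postfix.conf" "$d/auth.log"
  printf '%s\n' '[DEFAULT]' 'ignoreip = 127.0.0.1/8' '' \
    '[sshd]' 'enabled = true' 'port = ssh' "logpath = $d/auth.log" '' \
    '[nginx-auth]' 'enabled = true' 'filter = nginx-auth' "logpath = $d/nginx-error.log" '' \
    '[postfix]' 'enabled = false' 'logpath = /does/not/matter.log' > "$d/jail.local"
  check_jails "$d/jail.local" "$d/filter.d"
  rm -rf "$d"
}
```

Calling demo prints two problem lines for the nginx-auth jail (missing filter, missing log) and nothing for the sshd and disabled postfix jails; a clean run prints nothing.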

By setting up Fail2Ban across your server's critical access points, you significantly enhance your system's security against brute force and malicious attacks.

Further Reading

For further reading on the topics discussed in the guide on installing and configuring Fail2Ban, consider the following resources:

  1. Fail2Ban Official Documentation: Provides comprehensive details on installation, configuration, and usage of Fail2Ban. Fail2Ban Documentation

  2. Advanced SSH Security Tips: Explore more tips on securing SSH servers, including Fail2Ban configurations. DigitalOcean - How To Protect SSH

  3. Securing Apache Servers: This guide offers additional insights into securing Apache with Fail2Ban. How To Protect Apache with Fail2Ban

  4. Nginx Security Practices: Learn more about hardening your Nginx server against brute-force attacks. Nginx Blog - Securing Nginx

  5. Comprehensive Linux Server Security: Further explore securing Linux servers beyond Fail2Ban. TechRepublic - Linux Server Security