fail2ban

All posts tagged fail2ban by Linux Bash

    Securing a web server, SSH server, and other common access points with Fail2Ban involves configuring jails to monitor log files for suspicious activity and banning offending IPs. Here's a comprehensive guide to setting this up:


    1. General Installation and Setup

    Ensure Fail2Ban is installed on your system:

    • Ubuntu:
      apt install fail2ban

    • RHEL (AlmaLinux, CloudLinux, etc.):
      dnf install fail2ban
    

    Configuration Best Practices:

    • Always use the jail.local file for custom configurations to prevent overwrites during updates:

      sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    • Configure jails for each service based on your needs.
    

    2. Securing SSH Server

    Configure the SSH Jail

    Fail2Ban includes a pre-configured jail for SSH. Edit /etc/fail2ban/jail.local to enable it:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    # Debian/Ubuntu path; RHEL-family systems write SSH auth events to /var/log/secure
    logpath = /var/log/auth.log
    # failures from one IP before it is banned
    maxretry = 5
    # ban length in seconds (1 hour)
    bantime = 3600
    

    Additional Tips:

    • Use non-standard SSH ports to reduce brute force attempts.
    • Ensure strong passwords or use SSH key-based authentication.

    3. Securing the Web Server

    Protect Against Authentication Failures

    For Apache or Nginx, Fail2Ban can monitor failed login attempts or unauthorized access in the logs:

    Apache

    [apache-auth]
    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache2/error.log
    maxretry = 3
    bantime = 3600
    

    Nginx

    # the stock Fail2Ban filter for Nginx basic-auth failures is nginx-http-auth
    [nginx-http-auth]
    enabled = true
    port = http,https
    filter = nginx-http-auth
    logpath = /var/log/nginx/error.log
    maxretry = 3
    bantime = 3600
    

    Protect Against Bots and Scanners

    For common bad bots or malicious behavior:

    Apache

    [apache-badbots]
    enabled = true
    port = http,https
    filter = apache-badbots
    logpath = /var/log/apache2/access.log
    maxretry = 2
    bantime = 86400
    

    Nginx

    # Fail2Ban ships no nginx-badbots filter; create /etc/fail2ban/filter.d/nginx-badbots.conf
    # (e.g. by copying apache-badbots.conf) before enabling this jail
    [nginx-badbots]
    enabled = true
    port = http,https
    filter = nginx-badbots
    logpath = /var/log/nginx/access.log
    maxretry = 2
    bantime = 86400
    

    Protect Against Excessive 404 Errors

    Excessive 404 errors may indicate scanning attempts for vulnerabilities:

    [apache-noscript]
    enabled = true
    port = http,https
    filter = apache-noscript
    # this filter matches "File does not exist" / "script not found" entries, which Apache writes to the error log
    logpath = /var/log/apache2/error.log
    maxretry = 5
    

    4. Securing FTP Server

    Monitor failed login attempts on FTP servers (like VSFTPD, ProFTPD, or Pure-FTPd):

    Example for VSFTPD

    [vsftpd]
    enabled = true
    port = ftp
    filter = vsftpd
    logpath = /var/log/vsftpd.log
    maxretry = 5
    bantime = 3600
    

    5. Securing Mail Server

    Protect mail servers (Postfix, Dovecot) from spammers and unauthorized access:

    Example for Postfix

    [postfix]
    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5
    bantime = 3600
    

    Example for Dovecot

    [dovecot]
    enabled = true
    port = pop3,pop3s,imap,imaps
    filter = dovecot
    logpath = /var/log/mail.log
    maxretry = 5
    bantime = 3600
    

    6. Securing Other Access Points

    Fail2Ban can secure any service with log files. Examples:

    MySQL

    [mysqld-auth]
    enabled = true
    port = 3306
    filter = mysqld-auth
    # MySQL only records failed logins when log_warnings >= 2 (or log_error_verbosity = 3 on newer versions)
    logpath = /var/log/mysql/error.log
    maxretry = 5
    bantime = 3600
    

    OpenVPN

    [openvpn]
    enabled = true
    port = openvpn
    filter = openvpn
    logpath = /var/log/openvpn.log
    maxretry = 3
    bantime = 3600
    

    7. Monitor and Maintain Fail2Ban

    Check Fail2Ban Status

    View the status of all active jails:

    sudo fail2ban-client status
    

    Check the status of a specific jail:

    sudo fail2ban-client status sshd
    

    Unban an IP

    If an IP is mistakenly banned:

    sudo fail2ban-client unban IP_ADDRESS
    

    Test Filters

    Use fail2ban-regex to test if log entries match your filters:

    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
    

    8. Fine-Tune Fail2Ban

    • Adjust Ban Duration: Set bantime to permanently ban repeat offenders or use bantime.increment.
    • Whitelist Trusted IPs: Add trusted IPs to /etc/fail2ban/jail.local under the [DEFAULT] section:

      ignoreip = 127.0.0.1/8 192.168.1.0/24

    • Logging: Check /var/log/fail2ban.log for insights and troubleshoot issues.
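    To make the ban decision concrete, here is an added Python model (not code from the original post or from the Fail2Ban project) that replays a constructed auth.log excerpt through the logic of the sshd jail above: a simplified failregex, maxretry counted within findtime (a real jail option, 10 minutes by default), bantime, and the ignoreip whitelist from the previous bullet. The regex, the sample addresses and the year assumed for syslog timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed /var/log/auth.log excerpt (sample data, not from a real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar  3 10:00:12 web1 sshd[1207]: Accepted publickey for deploy from 192.168.1.20 port 41000 ssh2
Mar  3 10:00:14 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar  3 10:00:20 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 50142 ssh2
Mar  3 10:00:30 web1 sshd[1213]: Failed password for root from 192.168.1.20 port 41002 ssh2
Mar  3 10:01:00 web1 sshd[1215]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar  3 10:06:00 web1 sshd[1217]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  3 10:11:00 web1 sshd[1219]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar  3 10:16:00 web1 sshd[1221]: Failed password for root from 198.51.100.9 port 60003 ssh2
Mar  3 10:21:00 web1 sshd[1223]: Failed password for root from 198.51.100.9 port 60004 ssh2
"""

# Simplified failregex in the spirit of filter.d/sshd.conf (assumed); <HOST> becomes a named group.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d")

def simulate(log_text, maxretry=5, findtime=600, bantime=3600,
             ignoreip=("127.0.0.1/8", "192.168.1.0/24"), year=2024):
    """Replay log lines through one jail; return {ip: time the ban expires}."""
    # strict=False: Fail2Ban accepts 127.0.0.1/8, Python would reject the host bits otherwise
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # filter does not match: successful login, other daemon, etc.
        ip = m.group("host")
        if ip in bans or any(ip_address(ip) in net for net in ignored):
            continue  # already banned, or whitelisted via ignoreip
        # syslog lines carry no year; one is assumed so timestamps can be compared
        ts = datetime.strptime(f"{year} {TIMESTAMP.match(line).group()}", "%Y %b %d %H:%M:%S")
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)  # maxretry failures inside findtime
            window.clear()
    return bans
```

    With the defaults, only 203.0.113.7 is banned: 198.51.100.9 fails five times too, but spread over 20 minutes, so never five within findtime, and 192.168.1.20 is skipped because of ignoreip.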

    By setting up Fail2Ban across your server's critical access points, you significantly enhance your system's security against brute force and malicious attacks.