Step-by-Step Guide: Using Fail2ban to Secure Your Linux Server

In order to read the latest tutorial about Failban, you may know more by this article and learning How to use Fail2ban to secure Linux Server. As a Linux administrator improving your server security should be one of your top priorities to manage better it. Importantly when you find different attempts for brute force login, web floods, exploit seeking, and many others, while reviewing your server logs.

With an intrusion prevention software such as fail2ban, you can examine your server logs and add extra iptables rules to block problematic IP addresses

Table of Contents

Requirements

Since the Fail2ban is written in python, the only requirement is to have python installed:

Fail2ban branch 0.9.x requires Python >=2.6 or Python >=3.2
Fail2ban branch 0.8.x requires Python >=2.4
Root access to your system
Optionally, iptables or showewall and sendmail

Recommended Article: How to Install Swift on Ubuntu 20.04

How to use Fail2ban to secure Linux Server

Join us with this tutorial to let us show you how to install fail2ban and setup basic configuration to protect your Linux system from brute-force attacks. Installation of fail2ban is relatively easy.

How to Install Fail2Ban in Linux Systems

We can ensure you that the installation of fail2ban is relatively easy.

Install Fail2Ban on CentOS/RHEL

As usual, firstly you will update your packages, enable the Epel repository, and install fail2ban.

yum update  yum install epel-release  yum install fail2ban

Install Fail2Ban on Debian/Ubuntu

To install fail2ban, update your packages.

apt-get update && apt-get upgrade -y  apt-get install fail2ban

You can install a Sendmail if you prefer to receive notifications.

yum install sendmail                   [On CentOS/RHEL]  apt-get install sendmail-bin sendmail  [On Debian/Ubuntu]

Then, to enable fail2ban and sendmail use the following commands:

systemctl start fail2ban  systemctl enable fail2ban  systemctl start sendmail  systemctl enable sendmail

buy vps with bitcoin

How to Configure Fail2ban in Linux Systems

By default, fail2ban uses the .conf files located in /etc/fail2ban/ which are read first. However, those can be overridden by .local files located in the same directory.

Note: files, not in the .conf. This will prevent overwriting changes when upgrading the fail2ban packet.

Important: To reach the purpose of this tutorial, you must copy the existing fail2ban.conf file to fail2ban.local.

cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Next, it is time to make the changes in the .local file by using your favorite text editor. The values you can edit are:

loglevel – this is the level of detail to be logged. Possible options are:
- CRITICAL
- ERROR
- WARNING
- NOTICE
- INFO
- DEBUG
logtarget – log the actions in a specific file. The default value is /var/log/fail2ban.log. You can, however, change this to:
- STDOUT – output any data
- STDERR – output any errors
- SYSLOG – message-based logging
- File – output to a file
socket – directory in which socket file will be placed.
pidfile – location of the pidfile.

Configure Fail2ban jail.local

jail.conf is one of the most important files in fail2ban which defines your jails and this is where you define the services for which fail2ban should be enabled. Also .conf files can be altered during upgrades, thus you should create a jail.local file where you can apply your modifications.

either. you can copy the .conf file with the following command to do this is to simply.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Note 1: In case you are using CentOS or Fedora, you will need to change the backend in jail.local from “auto” to “systemd”

Note 2: If you are using Ubuntu/Debian, there is no need to make this modification, even though they too use systemd.

Since the jail file will enable SSH by default for Debian and Ubuntu, but not on CentOS, you need to simply change the following line in /etc/fail2ban/jail.local if you wish to enable it.

[sshd]  enabled = trueb

Ban and Retry Times

You can configure the circumstance after which an IP address is blocked. For that purpose, fail2ban uses bantime, findtime, and maxretry. Let’s review more about this point below:

bantime – this is the number of seconds that an IP address will remain banned (default 10 min).
findtime – the amount of time between login attempts, before the host is banned. (default 10 min). In other words, if fail2ban is set to block an IP address after 3 failed login attempts, those 3 attempts, must be done within the findtime period (10 mins).
maxretry – number of attempts to be made before a ban is applied. (default 3).

Whitelist IP Address

As usual, you will need to whitelist certain IP addresses. Open /etc/fail2ban/jail.local with your favorite text editor and uncomment the following line, to configure such IP addresses.

ignoreip = 127.0.0.1/8  ::1

Next, put the IP addresses that you want to be ignored. IP addresses should be separated from space or comma.

Email Alerts

In case you need to receive mail alerts upon the event, you will have to configure the following settings in /etc/fail2ban/jail.local:

destemail – mail address, where you will receive the notification.
Sendername – the sender that you will see when receiving the message.
sender – email address from which fail2ban will send the emails.

The default mta (mail transfer agent) is set to sendmail. And change the “action” setting from the command below, if you need to receive mail notifications.

Action = %(action_)s

To one of these:

action = %(action_mw)s  action = %(action_mwl)s

%(action_mw)s – will ban the host and send a mail with a whois report.
%(action_mwl)s – will ban the host, provide whois info, and all relevant information from the log file.

Additional Fail2ban Jail Configuration

So far we have looked at the basic configuration options. But if you need to configure a jail you will need to enable it in the jail.local file.

[jail_to_enable]  . . .  enabled = true

Have a look at this explanation to get involved better. Where you should replace jail_to_enable with the actual jail, for example, “sshd”. In jail.local file, the following values will be predefined for ssh service:

[sshd]    port = ssh  logpath = %(sshd_log)s

Here, you can also enable filter which will help identify if a line in the log is a failed one. The filter value is actually a reference to a file with the service name followed by .conf. For example: /etc/fail2ban/filter.d/sshd.conf.

filter = service

And as an example:

filter = sshd

Then, if you need to review the existing filters, go to the following directory: /etc/fail2ban/filter.d/.

Use fail2ban-client

Fail2ban comes with a client that can be used for reviewing and changing the current configuration. You can go through its manual with the following command because it provides many options.

man fail2ban-client

Let us show you some of the basic commands you can use. To review the current status of fail2ban or for specific jail, you can use:

fail2ban-client status

For individual jail:

fail2ban-client status sshd

Recommended Article: How to use Fail2ban to secure Linux Server

Good job! You succeed to finish this tutorial and learn Fail2ban is a well-documented intrusion prevention system, that provides extra security to your Linux system is the Fail2ban. Although it requires some time to get used to its setup and syntax, once you familiarize yourself with it, but you will feel free to change and extend its rules.

Dear user, we wish this tutorial How to use Fail2ban to secure Linux Server would be helpful for you, to ask any question or review the conversation of our users about this article, please visit Ask page. Also to improve your knowledge, there are so many useful tutorials ready for Eldernode training.