How to protect Linux servers with fail2ban 2022 tip

This tutorial is about protecting Linux servers with fail2ban. We will do our best to make you understand this guide. I hope you enjoy this blog How to protect Linux servers with fail2ban. If your answer is yes, please share after reading.

Check how to protect Linux servers with fail2ban

When it comes to maintaining a Linux server, improving server security should be one of your main goals. You can often detect various brute force login attempts, web flooding, exploit hunting, and many other things by analyzing your server logs. You can check your server logs and set additional iptables rules to block problematic IP addresses using anti-intrusion software like fail2ban. This article will guide you through installing fail2ban and configuring it to protect your Linux system from brute force attacks.

How to install Fail2Ban on Linux systems

How to install Fail2Ban on Linux systems

installation of fail2ban it’s relatively simple:

Install Fail2Ban on CentOS/RHEL

First update your packages, activate them Epel repository and install fail2ban as shown.

# update yum # install yum epel-release # install yum fail2ban

Install Fail2Ban on Debian/Ubuntu

First update and install your packages fail2ban as shown.

# apt-get update && apt-get upgrade -y # apt-get install fail2ban

Optionally, you can install sendmail if you want to enable email support (for email notifications).

# install yum sendmail
# apt-get install sendmail-bin sendmail

Allow fail2ban Y send mail use the following commands:

# systemctl start fail2ban # systemctl enable fail2ban # systemctl start sendmail # systemctl enable sendmail

How to configure Fail2ban on Linux systems

Default, fail2ban uses the .conf files located in /etc/fail2ban/ which are read first. However, these can be overwritten by .local files located in the same directory.

Therefore, the .local file doesn’t need to contain all the settings from the .conf file, just the ones you want to override. Changes must be made to the .local files, not the .conf. This prevents changes from being overwritten when updating the fail2ban package.

For this tutorial we will copy the existing one fail2ban.conf file to fail2ban.local.

# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

You can now make the changes to the .local file using your favorite text editor. The values ​​you can edit are:

  • log level – This is the level of detail that will be recorded. The possible options are:
    • ERROR
    • DEBUG
  • log target – Recording of actions in a specific file. default is /var/log/fail2ban.log. However, you can change this to:
    • STDOUT: Output arbitrary data
    • STDERR – print errors
    • SYSLOG: Message-based logging
    • File: Output to a file
  • plug – Directory in which the socket file is stored.
  • pid file – PID file location.

Configure Fail2ban jail.local

One of the most important files in fail2ban is jail.conf, which defines your jails. Here you define the services for which fail2ban should be activated.

As mentioned, .conf files can be modified during upgrades, so you should create a .conf file prison.local File where you can apply your changes.

Another way to do this is to just copy the file .conf file with:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

If you use CentOS or fedora, you need to change the rear end in prison.local from “Car” to “System”.

Activate backend in Fail2ban

if you use Ubuntu/Debian, this change is not required, although they also use systemd.

The jail file enables SSH for by default debian Y Ubuntu, but not inside CentOS. If you want to enable it, just change the following line /etc/fail2ban/jail.local:

activated = true

You can configure the condition after which an IP address will be banned. To this end, fail2ban applications ban time, find time Y maxretry.

  • ban time – This is the number of seconds an IP address will remain blocked (default 10 Minimum).
  • find time – The amount of time between login attempts before the host locks out. (Originally 10 Minimum). In other words, if fail2ban is configured to block an IP address afterwards 3 failed login attempts, the 3 Try this must be within the findtime(10 Protocol).
  • maxretry – Number of attempts to be made before a ban is imposed. (Originally 3).

Of course, you want to whitelist specific IP addresses. To configure such IP addresses, open /etc/fail2ban/jail.local with your favorite text editor and comment out the following line:

Ignoreip = ::1

Then you can enter the IP addresses you want to ignore. IP addresses must be separated by spaces or commas.

If you want to receive email notifications about the event, you need to configure the following settings in /etc/fail2ban/jail.local:

  • E-mail – E-mail address to which you will receive the notification.
  • sender – the sender you see when you receive the message.
  • sender – E-mail address from which fail2ban sends the e-mails.

The default value mta (Mail Transfer Agent) is set to send mail.

To receive notifications by email, you must also change the “Action” Customization of:

Action = %(action_)s

To one of them:

Action = %(action_mw)s Action = %(action_mwl)s

  • %(action_mw)s – will block the host and send an email with a whois report.
  • %(mwl_action)s – will lock the host, provide whois information and all relevant information from the log file.

Additional fail2ban jail settings

So far we’ve seen the basic configuration options. If you want to set up a jail, you must activate it in the prison.local Archive. The syntax is quite simple:

. . . activated = true

where to swap jail_to_enable with the real prison, for example, “ssh”. At the prison.local File, the following values ​​are predefined for the ssh service:

port = ssh log path = %(sshd_log)s

You can enable the filter that helps determine if a line in the log has failed. The filter value is actually a reference to a file with the name of the service followed by .conf. For example: /etc/fail2ban/filter.d/sshd.conf.

The syntax is:

filter = service

For example:

filter = sshd

You can review existing filters in the following directory: /etc/fail2ban/filter.d/.

Use the fail2ban client

Fail2ban comes with a client that can be used to check and change the current configuration. Since it offers many options, you can refer to the manual with:

# man fail2ban-client

Here are some of the basic commands you can use. To check the current status fail2ban or for a specific prison you can use:

# fail2ban client status

The result will look something like this:

Check the status of Fail2ban

For the individual jail you can do the following:

# fail2ban-sshd client status

Final words: How to protect Linux servers with fail2ban

I hope you understand this article How to protect Linux servers with fail2ban, if your answer is no, you can ask anything in the contact forum section related to this article. And if your answer is yes, then please share this article with your family and friends.

About Willie Ash

Check Also

Ubuntu Core brings real-time processing to Linux IoT

Most of you are familiar with Ubuntu as a desktop operating system; others know it …