How to Harden a Server With Fail2ban

When you’re in the business of managing a dedicated server for your company, you can never be too careful or secure. 

A server’s primary function is to store files and act as a medium of sending and receiving information upon request. Hence, the need to protect it from password hackers or brute-force attacks.

Fail2ban monitors repeated connection requests that fail to authenticate on a server.

What is Fail2ban?

Fail2ban is a software framework that prevents intrusion from external brute-force attacks. The basic concept behind fail2ban is identifying suspicious patterns in authentication failures that may affect your computer server.

After a predetermined number of authentication failures from a host, fail2ban blocks that host’s IP address for a specific time or permanently.

The fail2ban application is written in Python and runs on Portable Operating System Interface (POSIX) systems such as Linux and UNIX.

It integrates with the system’s firewall and enforces bans on suspicious IP addresses by adding a rule to the existing iptables rules that blocks the attacking IP address. This keeps your server safe from botnets or scripted attacks.

We’ll discuss how to install and enable fail2ban on your server in this article. Let’s get started.

How to Install and Secure Fail2ban on Your Server?

Installing fail2ban on your server depends on your Linux distribution’s package manager.

For CentOS

To install the fail2ban package on CentOS, do the following steps.

  1. Update your system and install the EPEL repository using this command:
  • yum update && yum install epel-release
  2. Then, type in this command to install fail2ban:
  • yum install fail2ban
  3. You can install Sendmail if you want extra email support, although you won’t need it to use fail2ban. Use this command:
  • yum install sendmail

While installing fail2ban on CentOS, you might encounter this error: no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock.

If this happens, create the directory manually with this command: mkdir /var/run/fail2ban

For Fedora

To install the fail2ban package on Fedora, do the following steps.

  1. Update your system with this command:
  • dnf update
  2. Then install fail2ban using this command:
  • dnf install fail2ban
  3. Optionally, install sendmail for extra email support using this command:
  • dnf install sendmail

For Debian and Ubuntu

To install the fail2ban package on Debian and Ubuntu, do the following steps.

  1. Update your system using this command:
  • apt-get update && apt-get upgrade -y
  2. Next, install fail2ban with this command:
  • apt-get install fail2ban
  3. For extra email support using Sendmail, use this command:
  • apt-get install sendmail-bin sendmail

Now that you’ve installed fail2ban, proceed to configuring and enabling it on your server.

How to Configure and Enable Fail2ban?

Two configuration files come with the default Fail2ban installation that you should use as a starting point. 

They are: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. 

You should avoid modifying these files, since they could be overwritten during updates. Fail2ban reads the .conf files first and then applies any matching .local files, so settings in a .local file override those in the .conf file.

The most common way to set up Fail2ban is to copy the jail.conf file to jail.local and make changes to the .local file. 

If you’re an advanced user, you could build your .local configuration file from the ground up. You can skip all unnecessary settings from the .conf file and keep the ones you want to override in the .local file.

Here’s how to go about it.

  1. Log in to your server through SSH and type the following command:
  • cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Use your preferred text editor to open the jail.local file.
  3. Look for the [DEFAULT] section, which contains the options described below:

ignoreip: With this option, you can tell fail2ban which IP addresses or hostnames to ignore. 

You might, for example, add IP addresses or host names that you often use, such as the ones from your home or office. This prevents fail2ban from locking you away from your server. 

Separate addresses with spaces, as in this example: ignoreip = 127.0.0.1/8 96.174.216.35

bantime: This option specifies how long, in seconds, an IP address or host stays banned. The default is 600 seconds (10 minutes). You may change this value to suit your needs; a negative number bans an IP address permanently.

findtime: This option works together with maxretry. It sets the window of time within which failures are counted before a ban is imposed.

If a host reaches the maximum number of retries within that window, fail2ban bars the host or IP address from the server.

maxretry: This value specifies how many failures a host may have before being barred. The default value is 5.

  4. After configuring the options above, you can enable or disable jails for the services and protocols you want to secure.

Fail2ban monitors SSH login attempts by default. To see the specific settings for the SSH jail, check for the [ssh-iptables] section in the jail.local file.

For many protocols, the jail.local file contains default jail settings. 

Changing the enabled = false line to enabled = true and restarting fail2ban is often all you need to do to enable a jail. For added versatility, you can build custom jails and filters.

When you’re done, save your changes to the jail.local file and restart fail2ban with this command: service fail2ban restart. This reloads the updated configuration.

Email Notifications

When an IP address is banned, Fail2ban can send email alerts. To receive emails, you’ll need an SMTP server installed and the default action set to %(action_mw)s.

Using %(action_mw)s bans the malicious IP and sends a whois report via email. Set the action to %(action_mwl)s if you also want the relevant log lines included in the email.
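As an added worked example (not code from this article or from the fail2ban project), the script below parses a jail.local-style fragment containing the [DEFAULT] options described above and replays constructed sshd log lines through them. It shows how findtime and maxretry interact (failures that age out of the window never add up to a ban), why an address listed in ignoreip is never banned, how a negative bantime becomes a permanent ban, and how a %(name)s reference such as %(action_mw)s is expanded. Assumptions: the jail is named [sshd], which is the name used in current fail2ban releases; the action_mw value is a placeholder standing in for the real definition in the shipped jail.conf; the log lines and IP addresses (documentation TEST-NET ranges) are constructed; and the replay is a simplified model of fail2ban’s filter and jail logic, not its implementation.

```python
"""Replay constructed sshd auth failures through the ban rules a jail.local
fragment defines (ignoreip, findtime, maxretry, bantime).
Added example; a simplified model, not fail2ban's own code."""
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment in fail2ban's ini syntax. bantime and maxretry
# use the defaults the article quotes; findtime = 600 is assumed. action_mw is a
# PLACEHOLDER: the real definition lives in the shipped jail.conf.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 96.174.216.35
bantime = 600
findtime = 600
maxretry = 5
action_mw = PLACEHOLDER-ban-and-mail-whois
action = %(action_mw)s

[sshd]
enabled = true
"""

# Constructed failures (TEST-NET addresses, ISO timestamps for simplicity).
# 203.0.113.7: five failures in nine seconds -> banned.
# 96.174.216.35: five failures, but listed in ignoreip -> never banned.
# 198.51.100.9: four failures, then four more 18 minutes later -> the first
#   cluster has aged out of the 600 s findtime window, so the count stays at 4.
_FAILURES = [
    ("2024-05-01T10:00:00", "203.0.113.7"), ("2024-05-01T10:00:03", "203.0.113.7"),
    ("2024-05-01T10:00:05", "203.0.113.7"), ("2024-05-01T10:00:08", "203.0.113.7"),
    ("2024-05-01T10:00:09", "203.0.113.7"),
    ("2024-05-01T10:01:00", "96.174.216.35"), ("2024-05-01T10:01:01", "96.174.216.35"),
    ("2024-05-01T10:01:02", "96.174.216.35"), ("2024-05-01T10:01:03", "96.174.216.35"),
    ("2024-05-01T10:01:04", "96.174.216.35"),
    ("2024-05-01T10:02:00", "198.51.100.9"), ("2024-05-01T10:02:01", "198.51.100.9"),
    ("2024-05-01T10:02:02", "198.51.100.9"), ("2024-05-01T10:02:03", "198.51.100.9"),
    ("2024-05-01T10:20:00", "198.51.100.9"), ("2024-05-01T10:20:01", "198.51.100.9"),
    ("2024-05-01T10:20:02", "198.51.100.9"), ("2024-05-01T10:20:03", "198.51.100.9"),
]
SAMPLE_LOG = [f"{ts} sshd[1201]: Failed password for root from {ip} port 50112 ssh2"
              for ts, ip in _FAILURES]
# A successful login; the filter must ignore it.
SAMPLE_LOG.append("2024-05-01T10:05:00 sshd[1300]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2")

# Constructed filter regex for the sample line format (fail2ban's real sshd
# filter is more elaborate).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def load_jail(text, name="sshd"):
    """Read one jail's effective settings. [DEFAULT] values fall through to the
    jail, and %(name)s references are expanded, as in fail2ban's config files."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": sec.getboolean("enabled"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "action": sec["action"],
    }


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def simulate(log_lines, jail):
    """Return {ip: (ban_start, ban_end)} as ISO strings; ban_end is None for a
    permanent ban (negative bantime)."""
    if not jail["enabled"]:
        return {}
    window = timedelta(seconds=jail["findtime"])
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    for line in log_lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                        # not an authentication failure
        ip, now = m["ip"], datetime.fromisoformat(m["ts"])
        if is_ignored(ip, jail["ignoreip"]):
            continue                        # whitelisted by ignoreip
        if ip in bans and (bans[ip][1] is None or now < bans[ip][1]):
            continue                        # ban still in force
        q = recent[ip]
        while q and now - q[0] > window:    # slide the findtime window forward
            q.popleft()
        q.append(now)
        if len(q) >= jail["maxretry"]:
            end = None if jail["bantime"] < 0 else now + timedelta(seconds=jail["bantime"])
            bans[ip] = (now, end)
            q.clear()                       # counter resets once the host is banned
    return {ip: (s.isoformat(), None if e is None else e.isoformat())
            for ip, (s, e) in bans.items()}


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    print("action resolves to:", jail["action"])
    for ip, (start, end) in simulate(SAMPLE_LOG, jail).items():
        print(f"{ip} banned at {start} until {end or 'permanently'}")
```

Only 203.0.113.7 ends up banned (from 10:00:09 until 10:10:09); 96.174.216.35 is whitelisted, and 198.51.100.9 never accumulates five failures inside a single 600-second window. Switching the fragment to bantime = -1 turns that ban into a permanent one, and enabled = false disables the jail entirely.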

Stopping the Fail2ban Service

If you want to stop the fail2ban service at any time, type the following at the command prompt:

fail2ban-client stop

On CentOS 7 and Fedora, you must also run two additional commands to fully stop and disable the fail2ban package:

  • systemctl stop fail2ban
  • systemctl disable fail2ban

Final Thoughts

Fail2ban is a simple and effective solution to a difficult problem. It requires minimal setup and has minimal operating overhead costs or workload to you or your computer.

Rado

Author

Working in the web hosting industry for over 13 years, Rado has inevitably got some insight into the industry. A digital marketer by education, Rado is always putting himself in the client's shoes, trying to see what's best for THEM first. A man of the fine detail, you can often find him spending 10+ minutes wondering over a missing comma or slightly skewed design.
