How to Harden a Server With Fail2ban

When you’re in the business of managing a dedicated server for your company, you can never be too careful or secure. 

A server’s primary function is to store files and act as a medium of sending and receiving information upon request. Hence, the need to protect it from password hackers or brute-force attacks.

Fail2ban monitors repeated connection requests that fail to authenticate on a server.

What is Fail2ban?

Fail2ban is a software framework that prevents intrusion from external brute-force attacks. The basic concept behind fail2ban is identifying suspicious patterns in authentication failures that may affect your computer server.

After a predetermined number of authentication errors from a server, fail2ban blocks the host’s IP address for a specific time or permanently.

The fail2ban application is written in Python and runs on Portable Operating System Interface (POSIX) systems such as Linux and UNIX.

It integrates with the system’s firewall and enforces bans on suspicious IP addresses by adding a new rule to existing iptables to block the attacking IP address. This keeps your server safe from botnets or scripted attacks.

We’ll discuss how to install and enable fail2ban on your server in this article. Let’s get started.

How to Install and Secure Fail2ban on Your Server?

Installing Fail2ban requires root access. If you don’t log into the server with the root user, the commands you see below will need to be accompanied by the sudo prefix.

Here are the exact steps:

For CentOS

To install the fail2ban package on CentOS, do the following steps.

  1. Ensure you update your system and install the EPEL repository for the system using this command:
  • yum update && yum install epel-release
  1. Then, type in this command to install fail2ban:
  • yum install fail2ban
  1. You can install Sendmail if you like extra email support, although you won’t need it to use fail2ban. Use this command:
  • yum install sendmail

You might encounter this error: no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock, while trying to install fail2ban application on CentOS.

If this happens, manually create the directory with this command: mkdir /var/run/fail2ban

For Fedora

To install the fail2ban package on Fedora, do the following steps.

  1. Update your system with this command:
  • dnf update
  1. Then install fail2ban using this command:
  • dnf install fail2ban
  1. Optionally, install sendmail for extra email support using this code:
  • dnf install sendmail

For Debian and Ubuntu

To install the fail2ban package on Debian and Ubuntu, do the following steps.

  1. Update your system using this command:
  • apt-get update && apt-get upgrade -y
  1. Next, install fail2ban with this command:
  • apt-get install fail2ban
  1. For extra email support using Sendmail, use this command:
  • apt-get install sendmail-bin sendmail

Now you’ve installed fail2ban, proceed to configuring and enabling it on your server.

How to Configure and Enable Fail2ban?

Two configuration files come with the default Fail2ban installation that you should use as a starting point. 

They are: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. 

You should avoid modifying these files since they could be overwritten during updates. The fail2ban package reads the configuration files by overriding the .conf file settings with the .local files.

The most common way to set up Fail2ban is to copy the jail.conf file to jail.local and make changes to the .local file. 

If you’re an advanced user, you could build your .local configuration file from the ground up. You can skip all unnecessary settings from the .conf file and keep the ones you want to override in the .local file.

Here’s how to go about it.

  1. Login into your server through SSH, and type the following command prompt:
  • cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  1. Use your preferred text editor to open the jail.local file.
  2. Look for the [DEFAULT] section, which contains the specific options mentioned below:

ignoreip: With this option, you can tell fail2ban which IP addresses or hostnames to ignore. 

You might, for example, add IP addresses or host names that you often use, such as the ones from your home or office. This prevents fail2ban from locking you away from your server. 

Use space to distinguish different addresses just as in this example: ignoreip = 127.0.0.1/8 96.174.216.35.

bantime: This option specifies the duration an IP address or host is banned in seconds. Without a suffix, the value defaults to 600 seconds (10 minutes). You may change this value to your liking and use a negative number to ban an IP address permanently.

findtime: This option is used in conjunction with maxretry. It specifies the duration before a ban is set after a predetermined number of failures. 

If it reaches the maximum retry amount within a specific bantime, the fail2ban application bars the host or IP address from the server.

maxretry: This value specifies how many failures a host may have before being barred. The default value is five times.

  1. After configuring these fail2ban’s options above, you can enable and disable jails for the services and protocols you want to secure. 

SSH login attempts are monitored by default by fail2ban (you can search for the [ssh-iptables] section in the jail.local file to view the specific settings for the SSH jail).

Fail2ban monitors SSH login attempts by default. To see the specific settings for the SSH jail, check for the [ssh-iptables] section in the jail.local file.

For many protocols, the jail.local file contains default jail settings. 

Changing the enabled = false line to enabled = true and restarting fail2ban is often all you need to do to allow a jail. For added versatility, you can build custom jails and filters.

When you’re done, save your changes to the jail.local file, and use this command: service fail2ban restart to restart the fail2ban package and load the updated configuration.

Email Notifications

When an IP address is banned, Fail2ban can send email alerts. To receive emails, you’ll need an SMTP server installed and the default action set to %(action mw)s.

Using the % (action mw)s bans the malicious IP and sends a whois report via email. Set the action to %(action mwl)s if you want related logs added in the email.

Stopping the Fail2ban Service

If you want to avoid using your fail2ban service at any time, type the following into the command prompt:

Fail2ban-client stop

You must add two additional commands: 

  • Systemctl stop fail2ban, and
  • Systemctl disable fail2ban 

to CentOS 7 and Fedora to fully stop and disable the fail2ban package.

Final Thoughts

Fail2ban is a simple and effective solution to a difficult problem. It requires minimal setup and has minimal operating overhead costs or workload to you or your computer.

Was this helpful?

What’s your goal today?

1. Find the right Web hosting solution

If you’re looking for industry-leading speed, ease of use and reliability Try ScalaHosting with an unconditional money-back guarantee.

2. Make your website lighting fast

We guarantee to make your WordPress site load in less than 2 seconds on a managed VPS with ScalaHosting or give your money back. Fill out the form, and we’ll be in touch.

Please enter a valid name
Please enter a valid website
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

3. Streamline your clients’ hosting experience

If you’re a web studio or development agency hosting more than 30 websites, schedule a call with Vlad, our co-founder and CTO, and see how we can deliver unmatched value to both your business and your clients.

Photo

Need a custom cluster or professional advice?

Book a meeting and get a free 30-minute consultation with Vlad, co-founder & CTO of Scala Hosting, who will help you select, design and build the right solution - from a single data center cluster to a multi-region & multi-datacenter high availability cluster with hundreds of servers.

Book a free consultation

4. Learn how to grow your website in 2024

An all-star team of SEO and web influencers are sharing their secret knowledge for the first time in years. Learn about the future of SEO, Web Design best practices and the secrets to getting the foundation for your website to thrive. Watch the exclusive webinar.

An Exclusive Insiders Look Behind The SEO and Web Development Curtain

Rado
Author

Working in the web hosting industry for over 13 years, Rado has inevitably got some insight into the industry. A digital marketer by education, Rado is always putting himself in the client's shoes, trying to see what's best for THEM first. A man of the fine detail, you can often find him spending 10+ minutes wondering over a missing comma or slightly skewed design.