{"id":1559,"date":"2021-05-20T08:46:43","date_gmt":"2021-05-20T05:46:43","guid":{"rendered":"https:\/\/www.scalahosting.com\/kb\/?p=1559"},"modified":"2022-05-19T18:40:45","modified_gmt":"2022-05-19T15:40:45","slug":"how-to-harden-a-server-with-fail2ban","status":"publish","type":"post","link":"https:\/\/www.scalahosting.com\/kb\/how-to-harden-a-server-with-fail2ban\/","title":{"rendered":"How to Harden a Server With Fail2ban"},"content":{"rendered":"

When you\u2019re in the business of managing a dedicated server for your company,<\/span> you can never be too careful or secure.\u00a0<\/b><\/p>\n

A server\u2019s primary function is to store files and act as a medium of sending and receiving information upon request. Hence, the need to protect it from password hackers or brute-force attacks.<\/span><\/p>\n

Fail2ban monitors <\/b>repeated connection requests that fail to authenticate on a server.<\/span><\/p>\n

What is Fail2ban?<\/b><\/h2>\n

Fail2ban is a software framework that<\/span> prevents intrusion from external brute-force attacks. <\/b>The basic concept behind fail2ban is identifying suspicious patterns in authentication failures that may affect your computer server.<\/span><\/p>\n

After a predetermined number of authentication errors from a server, fail2ban blocks the host’s IP address for a specific time or permanently.<\/span><\/p>\n

The fail2ban application is written in Python and runs on Portable Operating System Interface (POSIX) systems such as <\/span>Linux<\/b><\/a> and UNIX.<\/b><\/p>\n

It integrates with the system\u2019s firewall and enforces bans on suspicious IP addresses by adding a new rule to existing iptables<\/span> to block the attacking <\/b>IP address<\/b><\/a>.<\/b> This keeps your server safe from botnets or scripted attacks.<\/span><\/p>\n

We\u2019ll discuss how to install and enable fail2ban on your server in this article. Let\u2019s get started.<\/span><\/p>\n

How to Install and Secure Fail2ban on Your Server?<\/b><\/h2>\n

Installing Fail2ban requires root access. If you don’t log into the server with the root user, the commands you see below will need to be accompanied by the sudo<\/em> prefix.
\n<\/span><\/p>\n

Here are the exact steps:<\/p>\n

For CentOS<\/b><\/h3>\n

To install the fail2ban package on CentOS, do the following steps.<\/span><\/p>\n

    \n
  1. Ensure you update your system and install the EPEL repository for the system using this command:<\/span><\/li>\n<\/ol>\n
      \n
    • yum update && yum install epel-release<\/b><\/li>\n<\/ul>\n
        \n
      1. Then, type in this command to install fail2ban:<\/span><\/li>\n<\/ol>\n
          \n
        • yum install fail2ban<\/b><\/li>\n<\/ul>\n
            \n
          1. You can install Sendmail if you like extra email support, although you won\u2019t need it to use fail2ban. Use this command:<\/span><\/li>\n<\/ol>\n
              \n
            • yum install sendmail<\/b><\/li>\n<\/ul>\n

              You might encounter this error: <\/span>no directory<\/b> \/var\/run\/fail2ban to contain the socket file \/var\/run\/fail2ban\/fail2ban.sock, <\/b>while trying to install fail2ban application on CentOS.<\/span><\/p>\n

              If this happens, manually create the directory with this command:<\/span> mkdir \/var\/run\/fail2ban<\/b><\/p>\n

              For Fedora<\/b><\/h3>\n

              To install the fail2ban package on Fedora, do the following steps.<\/span><\/p>\n

                \n
              1. Update your system with this command:<\/span><\/li>\n<\/ol>\n
                  \n
                • dnf update<\/b><\/li>\n<\/ul>\n
                    \n
                  1. Then install fail2ban using this command:<\/span><\/li>\n<\/ol>\n
                      \n
                    • dnf install fail2ban<\/b><\/li>\n<\/ul>\n
                        \n
                      1. Optionally, install sendmail for extra email support using this code:<\/span><\/li>\n<\/ol>\n
                          \n
                        • dnf install sendmail<\/b><\/li>\n<\/ul>\n

                          For Debian and Ubuntu<\/b><\/h3>\n

                          To install the fail2ban package on Debian and Ubuntu, do the following steps.<\/span><\/p>\n

                            \n
                          1. Update your system using this command:<\/span><\/li>\n<\/ol>\n
                              \n
                            • apt-get update && apt-get upgrade -y<\/b><\/li>\n<\/ul>\n
                                \n
                              1. Next, install fail2ban with this command:<\/span><\/li>\n<\/ol>\n
                                  \n
                                • apt-get install fail2ban<\/b><\/li>\n<\/ul>\n
                                    \n
                                  1. For extra email support using Sendmail, use this command:<\/span><\/li>\n<\/ol>\n
                                      \n
                                    • apt-get install sendmail-bin sendmail<\/b><\/li>\n<\/ul>\n

                                      Now you\u2019ve installed fail2ban, proceed to configuring and enabling it on your server.<\/span><\/p>\n

                                      How to Configure and Enable Fail2ban?<\/b><\/h2>\n

                                      Two configuration files come with the default Fail2ban installation that you should use as a starting point.\u00a0<\/span><\/p>\n

                                      They are: <\/span>\/etc\/fail2ban\/jail.conf<\/b> and <\/span>\/etc\/fail2ban\/jail.d\/defaults-debian.conf.\u00a0<\/b><\/p>\n

                                      You should avoid modifying these files since they could be overwritten during updates. <\/span>The fail2ban package<\/b> reads the configuration files by overriding the .conf file settings with the .local files.<\/span><\/p>\n

                                      The most common way to set up Fail2ban is to copy the jail.conf file to jail.local and make changes to the .local file.\u00a0<\/span><\/p>\n

                                      If you\u2019re an advanced user, you could build your .local configuration file from the ground up. You can skip all unnecessary settings from the .conf file and keep the ones you want to override in the .local file.<\/span><\/p>\n

                                      Here\u2019s how to go about it.<\/b><\/p>\n

                                        \n
                                      1. Login into your server through SSH, and type the following command prompt:<\/span><\/li>\n<\/ol>\n
                                          \n
                                        • cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/b><\/li>\n<\/ul>\n
                                            \n
                                          1. Use your preferred text editor to open the <\/span>jail.local<\/b> file.<\/span><\/li>\n
                                          2. Look for the [DEFAULT] section, which contains the specific options mentioned below:<\/span><\/li>\n<\/ol>\n

                                            ignoreip:<\/b> With this option, you can tell fail2ban which IP addresses or hostnames to ignore.\u00a0<\/span><\/p>\n

                                            You might, for example, add IP addresses or host names that you often use, such as the ones from your home or office. This prevents fail2ban from locking you away from your server.\u00a0<\/span><\/p>\n

                                            Use space to distinguish different addresses just as in this example: i<\/span>gnoreip = 127.0.0.1\/8 96.174.216.35.<\/b><\/p>\n

                                            bantime:<\/b> This option specifies the duration an IP address or host is banned in seconds. Without a suffix, the value defaults to 600 seconds (10 minutes). You may change this value to your liking and use a negative number to ban an IP address permanently.<\/span><\/p>\n

                                            findtime: <\/b>This option is used in conjunction with <\/span>maxretry<\/b>. It specifies the duration before a ban is set after a predetermined number of failures.\u00a0<\/span><\/p>\n

                                            If it reaches the maximum retry amount within a specific bantime, the fail2ban application bars the host or IP address from the server.<\/span><\/p>\n

                                            maxretry<\/b>: This value specifies how many failures a host may have before being barred. The default value is five times.<\/span><\/p>\n

                                              \n
                                            1. After configuring these fail2ban\u2019s options above, you can enable and disable jails for the services and protocols you want to secure.\u00a0<\/span><\/li>\n<\/ol>\n

                                              SSH login attempts are monitored by default by fail2ban (you can search for the [ssh-iptables] section in the <\/span>jail.local<\/b> file to view the specific settings for the SSH jail).<\/span><\/p>\n

                                              Fail2ban monitors SSH login attempts by default. To see the specific settings for the SSH jail, check for the [ssh-iptables] section in the<\/span> jail.local <\/b>file.<\/span><\/p>\n

                                              For many protocols, the <\/span>jail.local <\/b>file contains default jail settings.\u00a0<\/span><\/p>\n

                                              Changing the <\/span>enabled = false line to enabled = true<\/b> and restarting fail2ban is often all you need to do to allow a jail. For added versatility, you can build custom jails and filters.<\/span><\/p>\n

                                              When you\u2019re done, save your changes to the <\/span>jail.local <\/b>file, and use this command: <\/span>service fail2ban restart <\/b>to restart the fail2ban package and load the updated configuration.<\/span><\/p>\n

                                              Email Notifications<\/b><\/h3>\n

                                              When an IP address is banned, Fail2ban can send email alerts. To receive emails, you’ll need an SMTP server installed and the default action set to<\/span> %(action mw)s.<\/b><\/p>\n

                                              Using the <\/span>% (action mw)s<\/b> bans the malicious IP and sends a whois report via email. Set the action to <\/span>%(action mwl)s <\/b>if you want related logs added in the email.<\/span><\/p>\n

                                              Stopping the Fail2ban Service<\/b><\/h3>\n

                                              If you want to avoid using your fail2ban service at any time, type the following into the command prompt:<\/span><\/p>\n

                                              Fail2ban-client stop<\/b><\/p>\n

                                              You must add two additional commands:\u00a0<\/span><\/p>\n

                                                \n
                                              • Systemctl<\/span> stop fail2ban, and<\/b><\/li>\n<\/ul>\n
                                                  \n
                                                • Systemctl disable fail2ban\u00a0<\/b><\/li>\n<\/ul>\n

                                                  to CentOS 7 and Fedora to fully stop and disable the fail2ban package.<\/span><\/p>\n

                                                  Final Thoughts<\/b><\/h2>\n

                                                  Fail2ban is a simple and effective solution to a difficult problem. It requires<\/span> minimal setup and has minimal operating<\/b> overhead costs or workload to you or your computer.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

                                                  When you\u2019re in the business of managing a dedicated server for your company, you can never be too careful or secure.\u00a0 A server\u2019s primary function is to store files and act as a medium of sending and receiving information upon request. Hence, the need to protect it from password hackers or brute-force attacks. Fail2ban monitors […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-1559","post","type-post","status-publish","format-standard","hentry","category-web-hosting"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/1559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/comments?post=1559"}],"version-history":[{"count":6,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/1559\/revisions"}],"predecessor-version":[{"id":4598,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/posts\/1559\/revisions\/4598"}],"wp:attachment":[{"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/media?parent=1559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/categories?post=1559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scalahosting.com\/kb\/wp-json\/wp\/v2\/tags?post=1559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}