Step-By-Step Guide To Setting Up Fail2ban

Let's keep going with our series of articles on Linux server security. In our last post, we talked about the Linux firewall and blocking individual IP addresses of users who might try to guess your ‘root’ password. Of course, you can look through logs and add suspicious IPs to firewall rules, but that can be time consuming, so we're going to cover a more efficient method. That method is fail2ban, used by Linux server administrators everywhere, and we're going to use it to automatically add new IPs to a firewall block list if those IPs fail a few login attempts. We'll need to install the EPEL repository and the fail2ban package first:


[root@ServerSuit ~]# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@ServerSuit ~]# yum install fail2ban

Then let’s set the basic settings in the ‘fail2ban.local’ configuration file in the fail2ban directory:


[root@ServerSuit ~]# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
[root@ServerSuit ~]# touch /var/log/fail2ban.log
[root@ServerSuit ~]# nano /etc/fail2ban/fail2ban.local

Make sure to change the directives in the configuration file as shown here:


loglevel = INFO
logtarget = /var/log/fail2ban.log
dbpurgeage = 604800

Fail2ban logs will be written to ‘/var/log/fail2ban.log’ and its database will keep all records for 7 days. Then, we need to configure access rules:


[root@ServerSuit ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[root@ServerSuit ~]# nano /etc/fail2ban/jail.local

Now we need to set the default settings in the jail configuration file:


ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 5

You can add your own IP addresses to the ‘ignoreip’ setting, separated with spaces, to ensure that your IPs won't be banned. The settings above ensure that every IP, other than the ones you designated to be ignored, will be banned for 600 seconds if it fails to log in 5 times within 600 seconds. Finally, we need to add the SSH-related configuration to the same file:


[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
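
How ‘ignoreip’, ‘findtime’, ‘maxretry’ and ‘bantime’ interact, as an added Python sketch (not fail2ban's own code and not part of the original article). The log lines are constructed samples using documentation-range addresses, and the regex is a simplified stand-in for fail2ban's sshd filter; the last call shows why the ‘ignoreip’ prefix length matters.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter: matches only "Failed password" lines.
FAILED = re.compile(r"^(\S+ +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

def simulate(lines, ignoreip, bantime=600, findtime=600, maxretry=5, year=2016):
    """Return [(ban_time, ip, unban_time)] for the given log lines."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    failures = defaultdict(deque)   # ip -> failure times inside the findtime window
    banned_until = {}               # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignored):
            continue                # listed in ignoreip: never counted, never banned
        if banned_until.get(ip, ts) > ts:
            continue                # still banned, nothing new to count
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > timedelta(seconds=findtime):
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            until = ts + timedelta(seconds=bantime)
            banned_until[ip] = until
            bans.append((ts, str(ip), until))
            window.clear()
    return bans

# Constructed sample of /var/log/secure entries (addresses from RFC 5737 ranges).
SAMPLE = [f"Apr  4 03:26:{s:02d} host sshd[1234]: Failed password for root "
          f"from 203.0.113.7 port 40000 ssh2" for s in (10, 20, 30, 40, 50)]
SAMPLE += ["Apr  4 03:27:00 host sshd[1240]: Failed password for invalid user "
           "admin from 198.51.100.9 port 40001 ssh2"]

if __name__ == "__main__":
    for when, ip, until in simulate(SAMPLE, "127.0.0.1/8"):
        print(f"{when} Ban {ip} (unban at {until})")
    # A /0 prefix covers every IPv4 address, so nothing is ever banned:
    print(simulate(SAMPLE, "127.0.0.1/0"))
```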

Now, enable autostart of the fail2ban server and start it:


[root@ServerSuit ~]# chkconfig fail2ban on
[root@ServerSuit ~]# service fail2ban start

Now check that it works. If you intentionally try to log in with a wrong password, you should see the following in the ‘/var/log/fail2ban.log’ file:


2016-04-04 03:26:49,878 fail2ban.filter   [14695]: INFO    [sshd] Found 
2016-04-04 03:26:51,247 fail2ban.filter   [14695]: INFO    [sshd] Found 
2016-04-04 03:26:57,721 fail2ban.filter   [14695]: INFO    [sshd] Found 
2016-04-04 03:27:04,751 fail2ban.filter   [14695]: INFO    [sshd] Found 
2016-04-04 03:27:09,198 fail2ban.filter   [14695]: INFO    [sshd] Found 
2016-04-04 03:27:10,003 fail2ban.actions  [14695]: NOTICE  [sshd] Ban 
2016-04-04 03:37:10,950 fail2ban.actions  [14695]: NOTICE  [sshd] Unban 

Notice that your IP got unbanned after 10 minutes, just the way we set it up! You can list the banned IPs:


[root@ServerSuit ~]# fail2ban-client -i

Fail2Ban v0.9.3 reads the log file that contains password failure reports and bans the corresponding IP addresses using firewall rules.


fail2ban> status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list: 
fail2ban>

You can also release a banned IP if you end up locking yourself out of the server from one of your own IPs:


[root@LinuxSuitTest ~]# fail2ban-client set sshd unbanip 

Fail2ban is a brilliant solution which supports a lot of applications, including Apache, exim, dovecot, proFTPd and so on. In this article I showed you how to configure it to protect your server from an SSH brute-force attack.

ServerSuit, of course, can configure it for your server as soon as it's added to the dashboard! Fail2ban is among the many preconfigured packages we've curated for you to make server setup, administration and management as easy as possible. So even though, with this article, you now know how to set up fail2ban, with ServerSuit you won't even have to! Registration is free, and you get a no-commitment 30-day free trial when you first register. Give it a try!

Till next time!

April 21 2016
