Let's keep going with our series of articles on Linux server security. In our last post, we talked about the Linux firewall and blocking individual IP addresses of users who might try to pick at your ‘root’ password. Of course, you can look through the logs and add suspicious IPs to firewall rules by hand, but that is time consuming, so we're going to cover a more efficient method. That method is fail2ban, used by Linux server administrators everywhere, and we're going to use it to automatically add new IPs to a firewall block list if those IPs fail a few login attempts. We'll need to install the EPEL repository and the fail2ban package first:
[root@ServerSuit ~]# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@ServerSuit ~]# yum install fail2ban
Then let’s go to the fail2ban directory and set the basic configuration settings in the ‘fail2ban.local’ configuration file:
[root@ServerSuit ~]# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
[root@ServerSuit ~]# touch /var/log/fail2ban.log
[root@ServerSuit ~]# nano /etc/fail2ban/fail2ban.local
Make sure to change the directives in the configuration file as shown here:
loglevel = INFO
logtarget = /var/log/fail2ban.log
dbpurgeage = 604800
Fail2ban logs will be written to ‘/var/log/fail2ban.log’ and its database will keep all records for 7 days (604800 seconds). Then, we need to configure the access rules:
[root@ServerSuit ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[root@ServerSuit ~]# nano /etc/fail2ban/jail.local
Now we need to set the default settings in the jail configuration file:
# loopback range; a /0 mask would match every address and nothing would ever be banned
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 5
You can add your own IP address to the ‘ignoreip’ setting, separated with a space, to ensure that your IPs won't be banned. The settings above will ensure that every IP, other than the ones you designated to be ignored, will be banned for 600 seconds if it fails to log in 5 times within 600 seconds. Finally, we need to add the SSH related configuration to the same file:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
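To see how findtime, maxretry, bantime and ignoreip interact before trusting them on a live box, here is a small simulator of the jail logic, written for this article as an added example (it is not part of fail2ban and only approximates its sshd filter). The log lines, addresses and timestamps are constructed; the real fail2ban reads /var/log/secure, whose timestamp format differs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd failregex (constructed for this example).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log: 5 failures from 203.0.113.10 inside one minute, one from the
# loopback address, then 5 failures from 198.51.100.7 spread over more than findtime.
SAMPLE_LOG = [
    "2016-04-04T03:26:49 sshd[1234]: Failed password for root from 203.0.113.10 port 4000 ssh2",
    "2016-04-04T03:26:51 sshd[1234]: Failed password for root from 203.0.113.10 port 4001 ssh2",
    "2016-04-04T03:26:57 sshd[1234]: Failed password for invalid user admin from 203.0.113.10 port 4002 ssh2",
    "2016-04-04T03:27:04 sshd[1234]: Failed password for root from 203.0.113.10 port 4003 ssh2",
    "2016-04-04T03:27:05 sshd[1234]: Failed password for root from 127.0.0.1 port 4004 ssh2",
    "2016-04-04T03:27:09 sshd[1234]: Failed password for root from 203.0.113.10 port 4005 ssh2",
    "2016-04-04T03:27:12 sshd[1234]: Failed password for root from 203.0.113.10 port 4006 ssh2",
    "2016-04-04T03:30:00 sshd[1234]: Failed password for root from 198.51.100.7 port 5000 ssh2",
    "2016-04-04T03:32:00 sshd[1234]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "2016-04-04T03:34:00 sshd[1234]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "2016-04-04T03:36:00 sshd[1234]: Failed password for root from 198.51.100.7 port 5003 ssh2",
    "2016-04-04T03:41:00 sshd[1234]: Failed password for root from 198.51.100.7 port 5004 ssh2",
]

def is_ignored(ip, ignoreip):
    """True if ip falls inside any ignoreip entry; note that a /0 mask covers every address."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def simulate(lines, findtime=600, maxretry=5, bantime=600, ignoreip=("127.0.0.1/8",), end=None):
    """Replay log lines and return [(time, 'Ban'|'Unban', ip), ...] in the order they would fire."""
    window, failures, banned, events = timedelta(seconds=findtime), defaultdict(list), {}, []

    def release(now):  # expire bans whose bantime has elapsed by 'now'
        for ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= now:
                events.append((until, "Unban", ip))
                del banned[ip]

    for line in lines:
        ts_str, msg = line.split(" ", 1)
        now = datetime.fromisoformat(ts_str)
        release(now)
        m = FAILED_RE.search(msg)
        if not m or m.group("ip") in banned or is_ignored(m.group("ip"), ignoreip):
            continue
        ip = m.group("ip")
        failures[ip] = [t for t in failures[ip] if now - t <= window] + [now]  # keep only the findtime window
        if len(failures[ip]) >= maxretry:
            banned[ip] = now + timedelta(seconds=bantime)
            events.append((now, "Ban", ip))
            failures[ip] = []
    if end is not None:
        release(end)
    return events
```

Running simulate(SAMPLE_LOG) bans 203.0.113.10 at 03:27:09 and releases it at 03:37:09, while 198.51.100.7 never reaches 5 failures inside a 600 second window; with ignoreip set to 127.0.0.1/0 nothing is banned at all.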
Now, enable autostart of the fail2ban server and start it:
[root@ServerSuit ~]# chkconfig fail2ban on
[root@ServerSuit ~]# service fail2ban start
Now let's see if it works. If you intentionally try to log in with a wrong password, you should see the following in the ‘/var/log/fail2ban.log’ file:
2016-04-04 03:26:49,878 fail2ban.filter : INFO [sshd] Found
2016-04-04 03:26:51,247 fail2ban.filter : INFO [sshd] Found
2016-04-04 03:26:57,721 fail2ban.filter : INFO [sshd] Found
2016-04-04 03:27:04,751 fail2ban.filter : INFO [sshd] Found
2016-04-04 03:27:09,198 fail2ban.filter : INFO [sshd] Found
2016-04-04 03:27:10,003 fail2ban.actions : NOTICE [sshd] Ban
2016-04-04 03:37:10,950 fail2ban.actions : NOTICE [sshd] Unban
Notice that your IP got unbanned after 10 minutes, just the way we set it up! You can list the banned IPs from the interactive fail2ban client:
[root@ServerSuit ~]# fail2ban-client -i
Fail2Ban v0.9.3 reads the log file that contains password failure reports and bans the corresponding IP addresses using firewall rules.
fail2ban> status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:
fail2ban>
And it will release a banned IP (given after ‘unbanip’) if you end up locking yourself out of the server from one of your own IPs:
[root@LinuxSuitTest ~]# fail2ban-client set sshd unbanip
Fail2ban is a brilliant solution which supports a lot of applications, including Apache, exim, dovecot, proFTPd and so on. In this article I showed you how to configure it to protect your server from an SSH brute-force attack.
ServerSuit, of course, can configure it for your server as soon as it's added to the dashboard! Fail2ban is among the many preconfigured packages we've curated for you to make server setup, administration and management as easy as possible. So even though, with this article, you now know how to set up fail2ban, with ServerSuit you won't even have to! Registration is free, and you get a no-commitment 30-day free trial when you first register. Give it a try!
Till next time!