Protecting your Linux server - Installing fail2ban

As soon as your Linux server is reachable from the internet, it will be hit by a steady stream of login attempts. Here we look at a tool designed to help tackle this problem.

Understanding Fail2ban

Fail2ban is a popular open-source intrusion prevention tool that watches for suspicious behaviour and reacts to it. Let's look at what Fail2ban is and how to configure it on Fedora (and other RHEL-based) and Ubuntu (Debian-based) distributions.

⚠️
If you are not yet logging in with a key pair and have not disabled root login, do that first; after that, fail2ban is generally a good next step.

Fail2ban acts as a safeguard by monitoring logs for repeated failed login attempts or other defined suspicious activities. Upon detecting such activities from specific IP addresses, Fail2ban takes action, such as temporarily banning those IPs or applying firewall rules to restrict access.

Installing Fail2ban

Fedora/RHEL:

On Fedora/RHEL systems, the installation process is straightforward. Open the terminal and enter the following commands:

sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Ubuntu/Debian:

For Debian-based systems, the steps are equally simple:

sudo apt update -y
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Confirm installation

To confirm installation and make sure it is active, run the following command.

sudo systemctl status fail2ban

Did you receive the following error?

Failed during configuration: Have not found any log file for sshd jail

As of 28.12.2023 there is a bug that makes fail2ban fail to start on Debian-based systems, even on a fresh install. To fix it, create the file /etc/fail2ban/jail.local with the following contents:

[DEFAULT]
# Debian 12 has no log files, just journalctl
backend = systemd

# "bantime" is the number of seconds that a host is banned.
bantime = 1d
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 1h

[sshd]
enabled = true

That's the minimum

From here on out, you can let fail2ban handle everything for you. It ships with sane defaults, and most of the time there are few reasons to touch it. You're now protected against most brute-force attacks.

However, let's continue exploring its other possibilities.

Configuration

1. Configuration File

The main configuration file for Fail2ban is located at /etc/fail2ban/jail.conf. To make customizations without altering the original file, create a local override:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Local overrides are useful because they live apart from the main configuration file. You could edit jail.conf directly, but a package update may overwrite it; settings in jail.local survive updates.

2. Basic Configuration

Open the jail.local file using a text editor (such as nano or vim) and navigate to the [DEFAULT] section. Here are some essential configurations:

  • bantime: Specifies how long an IP stays banned after triggering a rule, in seconds or with a unit suffix as in the jail.local above (1d). Default is 600 seconds (10 minutes).
  • findtime: Defines the window within which failed login attempts are counted, in seconds or with a unit suffix (1h). Default is 600 seconds.
  • maxretry: Determines the number of failures allowed within findtime before an IP is banned. Default is 5.

3. Custom Rules

Add custom rules to monitor and ban specific services or patterns. For instance, to protect SSH (if you set backend = systemd as above, the jail reads the journal and the logpath line is not needed):

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

4. Restart Fail2ban

After configuring, restart Fail2ban to apply the changes:

sudo systemctl restart fail2ban

Verifying Fail2ban

To ensure Fail2ban is operational, check its status:

sudo fail2ban-client status

Fine-Tuning Fail2ban

Whitelisting IPs:

While Fail2ban automatically bans IPs after exceeding the defined threshold, whitelisting allows certain IPs to bypass this process. This is crucial for ensuring essential services or known safe IPs are not mistakenly blocked:

# Add trusted IPs to the whitelist
sudo nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 192.168.1.1/24 10.0.0.1
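To show how the settings from the Basic Configuration section (bantime, findtime, maxretry) and the ignoreip line above work together, here is an added example written for this page; it is not code from the post or from the fail2ban project. It models the sshd jail's decisions with the jail.local values from the post (bantime = 1d, findtime = 1h, maxretry = 5, ignoreip = 192.168.1.1/24 10.0.0.1) over constructed auth.log lines: a sliding findtime window per source address, a ban when maxretry is reached, the ban lifted after bantime, and ignoreip addresses skipped. The failure regex, the sample log and the 2023 year are simplifications made for the illustration, and the script never touches the firewall.

```python
"""Added example (not from the post or the fail2ban project): a small model of
the sshd jail's decisions with the post's jail.local values. It never touches
the firewall; it only decides who would be banned, and when."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(value):
    """fail2ban-style duration ("600", "10m", "1h", "1d") -> timedelta (subset of fail2ban's forms)."""
    value = value.strip()
    if value.isdigit():  # bare number means seconds
        return timedelta(seconds=int(value))
    return timedelta(seconds=int(value[:-1]) * _UNITS[value[-1]])

# Simplified stand-in for fail2ban's sshd failregex (assumption: only the
# "Failed password" line, IPv4 only). The real filter.d/sshd.conf covers more.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

class Jail:
    def __init__(self, bantime, findtime, maxretry, ignoreip=()):
        self.bantime = parse_time(bantime)
        self.findtime = parse_time(findtime)
        self.maxretry = maxretry
        # strict=False accepts "192.168.1.1/24" (host bits set), as fail2ban does
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
        self.bans = {}                      # ip -> datetime the ban expires
        self.events = []                    # ("ban" | "unban", ip, datetime)
        self.ignored = 0                    # failures skipped because of ignoreip

    def _expire_bans(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, until))

    def observe(self, ip, ts):
        """Record one failed login from ip at time ts; return True on a new ban."""
        self._expire_bans(ts)
        if any(ipaddress.ip_address(ip) in net for net in self.ignore):
            self.ignored += 1
            return False
        if ip in self.bans:  # already banned: the firewall rule is doing its job
            return False
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] >= self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            self.events.append(("ban", ip, ts))
            window.clear()
            return True
        return False

def feed(jail, log_text, year=2023):
    """Run auth.log-style text through the jail (syslog lines carry no year; assumed 2023)."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            jail.observe(m["ip"], ts)
    return jail

# Constructed sample log (documentation address ranges, not real traffic): 203.0.113.7 fails
# five times in 11 s, 192.168.1.50 five times but is in ignoreip, 198.51.100.9 five times spread wider than findtime.
SAMPLE_AUTH_LOG = """\
Dec 28 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Dec 28 10:00:03 srv sshd[1002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 28 10:00:05 srv sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Dec 28 10:00:09 srv sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 51006 ssh2
Dec 28 10:00:10 srv sshd[1005]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:constructed
Dec 28 10:00:12 srv sshd[1006]: Failed password for invalid user guest from 203.0.113.7 port 51008 ssh2
Dec 28 10:05:00 srv sshd[1010]: Failed password for root from 192.168.1.50 port 42000 ssh2
Dec 28 10:05:02 srv sshd[1011]: Failed password for root from 192.168.1.50 port 42002 ssh2
Dec 28 10:05:04 srv sshd[1012]: Failed password for root from 192.168.1.50 port 42004 ssh2
Dec 28 10:05:06 srv sshd[1013]: Failed password for root from 192.168.1.50 port 42006 ssh2
Dec 28 10:05:08 srv sshd[1014]: Failed password for root from 192.168.1.50 port 42008 ssh2
Dec 28 11:00:00 srv sshd[1020]: Failed password for root from 198.51.100.9 port 43000 ssh2
Dec 28 11:25:00 srv sshd[1021]: Failed password for root from 198.51.100.9 port 43001 ssh2
Dec 28 11:50:00 srv sshd[1022]: Failed password for root from 198.51.100.9 port 43002 ssh2
Dec 28 12:15:00 srv sshd[1023]: Failed password for root from 198.51.100.9 port 43003 ssh2
Dec 28 12:40:00 srv sshd[1024]: Failed password for root from 198.51.100.9 port 43004 ssh2
Dec 29 10:30:00 srv sshd[1030]: Failed password for root from 203.0.113.7 port 51020 ssh2
"""

def run_example():
    jail = Jail(bantime="1d", findtime="1h", maxretry=5,
                ignoreip="192.168.1.1/24 10.0.0.1".split())
    return feed(jail, SAMPLE_AUTH_LOG)

if __name__ == "__main__":
    j = run_example()
    for kind, ip, when in j.events:
        print(f"{when:%Y-%m-%d %H:%M:%S} {kind:5} {ip}")
    print(f"ignored: {j.ignored}, still banned: {sorted(j.bans)}")
```

Running it shows one ban for 203.0.113.7 at the fifth failure (10:00:12) and its unban a day later, no ban for the ignoreip host despite five failures, and no ban for 198.51.100.9 because its five failures never fall inside one findtime window. Lowering findtime makes the jail more forgiving of slow, spaced-out attempts; raising it (as the post's 1h does) catches them at the cost of a bigger state table.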

Email Notifications

Receive notifications about banned IPs and other important events by configuring email notifications. Modify the [DEFAULT] section in jail.local (destemail sets the recipient; mail is only sent when the jail's action is one of the mail-sending actions, for example action = %(action_mw)s):

[DEFAULT]
destemail = [email protected]

Monitoring Services

Extend Fail2ban's protection to various services by creating custom filters and rules. Common services include SSH, HTTP, FTP, and more. The flexibility to monitor different services ensures comprehensive security coverage.

Custom Actions

Craft custom actions to execute when an IP gets banned or unbanned. This could involve executing scripts, sending alerts, or integrating with third-party tools for a more tailored response.

Best Practices

Regular Log Inspection:

Continuously monitor logs to analyze patterns and adjust Fail2ban configurations accordingly. By understanding attack trends, you can fine-tune rules for better protection.

Regular Updates:

Stay updated with Fail2ban releases and security advisories. Regular updates ensure you benefit from the latest enhancements and patches against emerging threats.

Conclusion

Fail2ban stands as an indispensable guardian, but its efficacy lies in the synergy between its configuration and continuous monitoring. Regularly revisiting settings, analyzing logs, and adapting to evolving threats fortify your server's defenses comprehensively.