How to protect Linux server with fail2ban 2022 trick


This tutorial is about protecting a Linux server with fail2ban. We will do our best to make this guide easy to understand. I hope you will like this blog post, How to protect Linux server with fail2ban. If you do, please share it after reading.

Check how to protect Linux server with fail2ban

When it comes to maintaining a Linux server, improving server security should be one of your primary goals. By analyzing your server logs you will often notice brute force login attempts, web flooding, exploit probing, and more. Intrusion prevention software such as fail2ban reads those logs for you and adds iptables rules to block the offending IP addresses. This article will walk you through installing fail2ban and configuring it to defend your Linux system against brute force attacks.

How to Install Fail2Ban on Linux Systems


Installing fail2ban is relatively simple:

Install Fail2Ban on CentOS/RHEL

First, update your packages, enable the EPEL repository and install fail2ban as shown.

# yum update
# yum install epel-release
# yum install fail2ban

Install Fail2Ban on Debian/Ubuntu

First, update your packages and install fail2ban as shown.

# apt-get update && apt-get upgrade -y
# apt-get install fail2ban

Optionally, if you want to enable mail support (for mail notifications), you can install sendmail.

# yum install sendmail
# apt-get install sendmail-bin sendmail

To start fail2ban and sendmail, and to enable them at boot, use the following commands:

# systemctl start fail2ban
# systemctl enable fail2ban
# systemctl start sendmail
# systemctl enable sendmail

How to Configure Fail2ban on Linux Systems

By default, fail2ban reads the .conf files located in /etc/fail2ban/ first. Their settings can then be overridden by .local files in the same directory.

Therefore, the .local file does not need to include all of the settings from the .conf file, only those that you want to override. Changes should be made to .local files, not .conf. This will prevent changes from being overwritten when updating the fail2ban package.

For the purposes of this tutorial, we will copy the existing fail2ban.conf file to fail2ban.local.

# cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

You can now make changes to the .local file using your favorite text editor. The values you can change are:

  • loglevel – the level of detail that will be logged. The possible options are:
    • CRITICAL
    • ERROR
    • WARNING
    • NOTICE
    • INFO
    • DEBUG
  • logtarget – where fail2ban writes its log. The default is the file /var/log/fail2ban.log. However, you can change it to:
    • STDOUT – write everything to standard output
    • STDERR – write everything to standard error
    • SYSLOG – log through syslog
    • FILE – write to a file
  • socket – directory where the socket file will be placed.
  • pidfile – location of the pid file.

Configure Fail2ban jail.local

One of the most important fail2ban files is jail.conf, which defines your jails. This is where you define the services for which fail2ban should be activated.

As we mentioned earlier, .conf files can be overwritten during upgrades, so you should create a jail.local file where you apply your changes.

Another way is to just copy the .conf file with:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

If you use CentOS or Fedora, you will need to change the backend in jail.local from “auto” to “systemd”.

(Screenshot: Activate the backend in Fail2ban)

If you use Ubuntu/Debian, there is no need to make this modification, although they also use systemd.

The jail file enables the SSH jail by default on Debian and Ubuntu, but not on CentOS. If you want to enable it, set the following line in the [sshd] section of /etc/fail2ban/jail.local:

enabled = true

You can configure the circumstances under which an IP address is blocked. For this purpose, fail2ban uses bantime, findtime and maxretry.

  • bantime – the number of seconds an IP address remains blocked (default: ten minutes).
  • findtime – the time window in which failed attempts are counted before the host is banned (default: ten minutes). In other words, if fail2ban is configured to block an IP address after 3 failed login attempts, those 3 attempts must happen within findtime (ten minutes).
  • maxretry – the number of failed attempts allowed before a ban is applied (default: 3).

Of course, you will want to add certain IP addresses to the whitelist. To configure these IP addresses, open /etc/fail2ban/jail.local with your favorite text editor and uncomment the following line:

ignoreip = 127.0.0.1/8 ::1

Then you can put the IP addresses you want to ignore. IP addresses must be separated by spaces or commas.

If you want to receive email alerts about the event, you will need to configure the following settings in /etc/fail2ban/jail.local:

  • destemail – the e-mail address where you will receive the notification.
  • sendername – the sender name you will see when you receive the message.
  • sender – the e-mail address from which fail2ban will send e-mails.

The default mta (mail transfer agent) is set to sendmail.

To receive email notifications, you will also need to change the “action” setting from:

action = %(action_)s

To one of them:

action = %(action_mw)s
action = %(action_mwl)s

  • %(action_mw)s – will ban the host and send an email with a whois report.
  • %(action_mwl)s – will ban the host and send an email with the whois report plus the relevant log lines.
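The settings above (ignoreip, bantime, findtime, maxretry, the backend, the mail settings and the action) all belong in jail.local. The script below, added here as an example and not part of fail2ban itself, writes a minimal jail.local with those settings, reads values back out of it, and catches one common mistake: putting enabled = true under [DEFAULT], which switches on every jail fail2ban ships rather than just sshd. The e-mail addresses and the whitelisted admin host 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: writes a minimal jail.local covering the settings discussed
# above, then verifies it. Not fail2ban's own code; addresses are placeholders.

write_jail_local() {
    # $1 = destination path (use /etc/fail2ban/jail.local on a real server)
    cat > "$1" <<'EOF'
[DEFAULT]
# Hosts that must never be banned: loopback plus a constructed admin host.
ignoreip = 127.0.0.1/8 ::1 192.0.2.10
# Ban for one hour after 3 failures within ten minutes.
bantime  = 3600
findtime = 600
maxretry = 3
# Read the systemd journal instead of a log file (needed on CentOS/Fedora).
backend  = systemd
# Notification settings (placeholder addresses).
destemail  = admin@example.com
sender     = fail2ban@example.com
sendername = Fail2Ban
mta        = sendmail
# Ban, and mail a whois report plus the matching log lines.
action = %(action_mwl)s

[sshd]
enabled = true
EOF
}

# jail_get FILE SECTION KEY -> prints the value of KEY inside [SECTION].
# Minimal INI reader used only for verification here; it does not resolve
# fail2ban's %(...)s interpolation, which fail2ban itself handles.
jail_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# lint_jail_local FILE -> 0 when the file looks sane, 1 otherwise.
# Flags "enabled = true" under [DEFAULT] (enables all jails, including ones
# whose log files do not exist on this host) and a missing ignoreip
# (an easy way to lock yourself out of your own server).
lint_jail_local() {
    if [ "$(jail_get "$1" DEFAULT enabled)" = "true" ]; then
        echo "enabled = true under [DEFAULT] enables every jail" >&2
        return 1
    fi
    if [ -z "$(jail_get "$1" DEFAULT ignoreip)" ]; then
        echo "no ignoreip set: your own address could be banned" >&2
        return 1
    fi
    return 0
}

# Usage: write to a temporary file here. On a server, write to
# /etc/fail2ban/jail.local, then run: fail2ban-client -t && systemctl restart fail2ban
tmp=$(mktemp)
write_jail_local "$tmp"
lint_jail_local "$tmp" && echo "bantime is $(jail_get "$tmp" DEFAULT bantime) seconds"
rm -f "$tmp"
```

On a real host, run fail2ban-client -t after editing to have fail2ban parse the configuration before you restart the service.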

Additional Fail2ban Jail Settings

So far we have seen the basic configuration options. If you want to configure a jail, you have to enable it in the jail.local file. The syntax is quite simple:

[jail_to_enable]
enabled = true

where you replace jail_to_enable with the real jail name, for example “sshd”. In the jail.local file, the following values are predefined for the ssh service:

port = ssh
logpath = %(sshd_log)s

You can also set the filter, which tells fail2ban how to recognize a failed attempt in a log line. The filter value is a reference to a file named after the service followed by .conf, for example /etc/fail2ban/filter.d/sshd.conf.

The syntax is:

filter = service

For example:

filter=sshd

You can consult the existing filters in the following directory: /etc/fail2ban/filter.d/.
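To make the filter and the findtime/maxretry rules from the previous sections concrete, here is an added example (not fail2ban's code) that replays them over a few constructed auth.log lines using plain awk. The regular expression is a simplified stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf, with <HOST> replaced by an IP pattern, and the sample log lines and addresses (203.0.113.x, 198.51.100.x) are made up. It shows why findtime matters: a host that fails three times spread over forty minutes never reaches maxretry inside a ten-minute window.

```shell
#!/bin/sh
# Added example: emulates "filter = sshd" plus the findtime/maxretry
# decision on constructed log lines. Illustration only, not fail2ban's code.

# Constructed sample log (all on the same day, so HH:MM:SS suffices for
# the time arithmetic below).
SAMPLE_LOG='Jan 10 08:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 10 08:00:05 host sshd[1002]: Failed password for root from 203.0.113.5 port 4243 ssh2
Jan 10 08:00:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jan 10 08:01:00 host sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
Jan 10 08:02:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 10 08:20:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 5002 ssh2
Jan 10 08:40:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 5003 ssh2'

# Simplified failregex (assumed here; the real sshd filter has many more
# patterns). <HOST> from the real filter is an IP-address pattern here.
FAILREGEX='sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+ ssh2'

# matches_filter LOG -> one "HH:MM:SS IP" line per log line the filter matches.
matches_filter() {
    printf '%s\n' "$1" | grep -E "$FAILREGEX" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $3, $(i + 1) }'
}

# ban_decisions LOG FINDTIME MAXRETRY -> IPs that accumulate MAXRETRY matches
# inside a sliding FINDTIME-second window, i.e. the hosts that would be
# handed to the ban action. Each IP is printed once, at the moment it
# crosses the threshold.
ban_decisions() {
    matches_filter "$1" | awk -v findtime="$2" -v maxretry="$3" '
        {
            split($1, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = $2
            n[ip]++
            ts[ip, n[ip]] = now
            # expire failures that fell out of the findtime window
            while (first[ip] < n[ip] && ts[ip, first[ip] + 1] < now - findtime)
                first[ip]++
            if (n[ip] - first[ip] >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Usage with the defaults from jail.local (findtime = 600, maxretry = 3):
# only 203.0.113.5 is banned. 198.51.100.7 also fails three times, but its
# attempts are 18-20 minutes apart, so no window ever holds three of them.
ban_decisions "$SAMPLE_LOG" 600 3
```

To test the real filter against your real log, fail2ban ships fail2ban-regex; for example fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf reports how many lines match and which ones did not.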

Use fail2ban-client

Fail2ban comes with a client that can be used to review and modify the current configuration. Since it offers many options, you can refer to its manual with:

# man fail2ban-client

Here you will see some of the basic commands you can use. To check the current status of fail2ban or for a specific prison, you can use:

# fail2ban-client status

The result will look like this:

(Screenshot: Check Fail2ban Status)

For the individual jail, you can run:

# fail2ban-client status sshd
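A common follow-up to checking a jail's status is discovering that your own administrator host landed on the banned list. The script below is an added example, not part of fail2ban: it reads the banned IP list out of the status output and unbans a given address only if it is actually banned. The status text is constructed in the layout fail2ban prints, and the addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example: parse "fail2ban-client status <jail>" output and unban a
# host that was locked out by mistake. Not fail2ban's own code.

# Constructed sample of what "fail2ban-client status sshd" prints.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   203.0.113.5 192.0.2.10'

# banned_ips STATUS_TEXT -> the space-separated IPs after "Banned IP list:".
banned_ips() {
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# is_banned STATUS_TEXT IP -> exit 0 when IP appears in the banned list.
is_banned() {
    for ip in $(banned_ips "$1"); do
        [ "$ip" = "$2" ] && return 0
    done
    return 1
}

# unban_if_banned JAIL IP: asks the running daemon for the jail status and
# unbans IP only if it is currently banned. Returns 2 when fail2ban-client
# is not installed, so the functions above can be loaded on any machine.
unban_if_banned() {
    command -v fail2ban-client >/dev/null 2>&1 || {
        echo "fail2ban-client is not installed" >&2
        return 2
    }
    status=$(fail2ban-client status "$1") || return 2
    if is_banned "$status" "$2"; then
        fail2ban-client set "$1" unbanip "$2"
    else
        echo "$2 is not banned in jail $1"
    fi
}

# Usage on a server: unban_if_banned sshd 192.0.2.10
# Offline, the parser alone can be exercised against the sample text:
echo "banned in sample: $(banned_ips "$SAMPLE_STATUS")"
```

If an address keeps reappearing on the list, add it to ignoreip in jail.local instead of unbanning it by hand each time.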

Final Words: How to Protect Linux Server with fail2ban

I hope you understood this article, How to protect Linux server with fail2ban. If not, you can ask anything via the contact forum section linked to this article. And if you did, share this article with your family and friends.
