[For Ubuntu/Debian] Installing "Fail2ban" for protection from brute-force attacks

Lawrence (Moderator)
edited April 2016 in Performance and Security
Introduction

"Fail2ban" checks your server logs to look for patterns that resemble an attack on your servers and services. If your servers are under an active attack, "fail2ban" bans the IP addresses that these attacks are originating from.

An active attack could be repeated failed attempts to sign on to your servers over the SSH protocol using combinations of different usernames and passwords. These are commonly known as brute-force attacks.

When you're ready to install fail2ban on Ubuntu 14.04, continue with the steps below to get started.


Installing

To install the tool on Ubuntu/Debian, run these commands:

sudo apt-get update
sudo apt-get install fail2ban -y

After installing the tool, its default configuration file should be installed at this location:

/etc/fail2ban/jail.conf

This is the file you'll need to edit to suit your environment.

Many of the services you may want to protect already have their own sections in the file, configured but disabled. You must individually enable each service that is actually running on your servers.


Configuring (Optional)

To open the file and begin configuring it, run these commands:

sudo apt-get install nano
sudo nano /etc/fail2ban/jail.conf

By default the SSH protocol is enabled and protected. Without further changes, anyone trying to brute-force their way into your server will automatically be banned or locked out after 6 failed tries. "Fail2ban" watches the default port of each protocol. If you configure a service on your server to use a non-standard port, you must specify the new port number for that service.

For example, if you change your SSH port number from the default 22 to 2222, you must define it in the configuration. The default SSH section looks like this:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Other services are configured but are not enabled. You can tell by the value false for enabled under each service.

To enable and protect a service that is running on your server, scroll down to that service's section and change the value of enabled to true.


Legend for configurations

Enabled - simply means that the service is enabled for monitoring by "fail2ban".

Port - is the port number of the service to monitor. By default, "fail2ban" monitors standard ports, so if you changed the port for a service to something other than the standard, you must specify it.

Filter - refers to the rules and strings that "fail2ban" uses to spot an attack against a particular service.

Logpath - refers to the log file that "fail2ban" tracks. By default it's the auth.log file. If that's different on your OS, you must specify it there too.
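To make the filter, logpath and maxretry settings above concrete, here is an added example (not part of the original post and not fail2ban's own code) that does by hand what the sshd filter does: it scans constructed auth.log lines, counts "Failed password" events per source address and reports any address that reached maxretry. The sample log lines and the function name ban_candidates are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not taken from a real host).
# 198.51.100.7 fails 6 times, 203.0.113.5 fails 3 times, 192.0.2.10 succeeds once.
SAMPLE_LOG='Apr  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Apr  1 10:00:03 host sshd[1002]: Failed password for root from 198.51.100.7 port 51236 ssh2
Apr  1 10:00:05 host sshd[1003]: Failed password for root from 198.51.100.7 port 51238 ssh2
Apr  1 10:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 40001 ssh2
Apr  1 10:00:07 host sshd[1005]: Failed password for root from 198.51.100.7 port 51240 ssh2
Apr  1 10:00:08 host sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Apr  1 10:00:09 host sshd[1007]: Failed password for root from 198.51.100.7 port 51242 ssh2
Apr  1 10:00:10 host sshd[1008]: Failed password for invalid user pi from 203.0.113.5 port 40005 ssh2
Apr  1 10:00:11 host sshd[1009]: Failed password for root from 198.51.100.7 port 51244 ssh2
Apr  1 10:00:20 host sshd[1010]: Accepted publickey for alice from 192.0.2.10 port 51246 ssh2'

# ban_candidates MAXRETRY
# Mimics the sshd filter + maxretry check: keep only sshd "Failed password"
# lines (the pattern a filter matches), extract the source IP (what fail2ban
# calls <HOST>), count per IP, and print every IP at or above MAXRETRY.
ban_candidates() {
    maxretry="${1:-6}"   # fail2ban's default for the [ssh] jail is 6
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -E 'sshd\[[0-9]+\]: Failed password for ' \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort | uniq -c \
      | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# With the default maxretry only the 6-failure address is reported;
# the successful publickey login is never counted.
ban_candidates 6
```

On a real host the equivalent check is `sudo fail2ban-client status ssh`, which lists the addresses the jail has currently banned.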


Conclusion

You should now be able to configure some basic banning policies for your services. "Fail2ban" is very easy to set up, and is a great way to protect any kind of service that uses authentication.