Having your own server means that you will have to protect it against network attacks, which can come from bots and/or other infected servers. Fail2Ban is a service that bans IPs that try to crack your SSH/FTP server passwords using brute-force or dictionary attack techniques. Fail2Ban does this by scanning the logs of the configured services and then blocking the offending addresses using the Linux firewall. When configuring it, you specify that an IP address is blocked for a set amount of time after a configured number of failed login attempts.

Installing Fail2Ban

You can download Fail2Ban from SourceForge or, if you have Ubuntu, install it with this command.

apt-get install fail2ban

Configuring Fail2ban

Fail2Ban is highly customizable, and all the configuration files are stored in /etc/fail2ban.

/etc/fail2ban/fail2ban.conf

You can set the logging options in this file with the two parameters below.

  • loglevel – Sets the logging level
  • logtarget – The path of the Fail2Ban log

Anything done by Fail2Ban is logged in /var/log/fail2ban.log by default.

/etc/fail2ban/jail.conf

This is the main configuration file; here you define jails, i.e. the applications that you want to protect. Fail2Ban checks for installed applications and pre-configures this file for you, but it is good practice to make sure the configuration is correct.

The DEFAULT section tells us that Fail2Ban will automatically block an IP that has five incorrect login attempts, and that it blocks the address for a period of 10 minutes (600 seconds).

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 5

You can change the ban time to something longer if you have frequent attacks on your server; just remember that the number is in seconds, so 3600 is one hour, for example.

Configuring different services in /etc/fail2ban/jail.conf

Fail2Ban has a huge array of configurations for different services like FTP, mail servers, SQL, etc. You can also add custom services if you want.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

  • port: the port on which the service listens (as listed in the /etc/services file)
  • filter: the filter used to detect matching entries in the service's log.
  • logpath: the log file that Fail2Ban continuously monitors to detect failed logins.
  • action: tells Fail2Ban what to do when it finds an offender. The name corresponds to a file in /etc/fail2ban/action.d/ without the .conf extension. For example, ‘action = iptables’ refers to /etc/fail2ban/action.d/iptables.conf.
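
To show how the filter, logpath, maxretry and ignoreip settings of a jail work together, here is an added Python example that is not part of this post or of Fail2Ban itself: it applies a simplified version of the sshd filter's "Failed password" regex to a constructed auth.log sample and reports which IPs a jail would ban. It also uses findtime, the real jail.conf parameter that bounds the window in which the maxretry failures must occur; the regex, the sample log lines and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified version of the "Failed password" regex in fail2ban's filter.d/sshd.conf;
# the shipped filter has many more patterns. Assumed for this demo.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed /var/log/auth.log sample (not a real capture): 203.0.113.5 fails 6 times in
# seconds, 198.51.100.7 fails 5 times spread over 20 minutes and also logs in once.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:05 host sshd[2003]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
Mar  3 10:00:06 host sshd[2004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:08 host sshd[2005]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:09 host sshd[2006]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:10 host sshd[2007]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar  3 10:00:12 host sshd[2008]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Mar  3 10:05:00 host sshd[2009]: Failed password for bob from 198.51.100.7 port 50003 ssh2
Mar  3 10:10:00 host sshd[2010]: Failed password for bob from 198.51.100.7 port 50004 ssh2
Mar  3 10:15:00 host sshd[2011]: Failed password for bob from 198.51.100.7 port 50005 ssh2
Mar  3 10:20:00 host sshd[2012]: Failed password for bob from 198.51.100.7 port 50006 ssh2
"""

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year, so one is assumed; collapse the day padding space
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def offenders(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.1",)):
    """Return {ip: time of the failure that crossed maxretry} for IPs a jail would ban."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and m.group("ip") not in ignoreip:
            failures[m.group("ip")].append(parse_ts(m.group("ts")))
    banned = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: ban when the maxretry-th failure lies within findtime
        # seconds of the failure maxretry-1 positions before it
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime:
                banned[ip] = times[i]
                break
    return banned
```

On a real host, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf runs the shipped sshd filter against the live log and reports which lines match, which is the check to run before trusting a new jail.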

Restart Fail2Ban

After configuring Fail2Ban, restart it so that it reloads the new configuration file and protects your server against brute-force attacks.

/etc/init.d/fail2ban restart

Please remember that it only protects your server against brute-force attacks; always use a strong password and update your server in a timely fashion.