Today, with the advancement of technology, the risks of cyber attacks have increased and server security has become more important than ever. Undoubtedly, security is the most important factor for all users who are active on the Internet and cannot be ignored. Everyone is somehow struggling to protect their data from cyber-attacks and prevent hackers from infiltrating and misusing their important information.
One of the best software to protect and secure the Linux server against attacks and threats is Fail2Ban. By activating this software and setting specific rules, you can block source addresses that try to infiltrate and access your confidential and sensitive information.
Although configuring a strong firewall is an effective way to secure Linux servers, it is better to install and configure the Fail2Ban software as a complement to the firewall so that they can complete and improve each other’s performance.
In this article, we will introduce you to Fail2Ban and teach you how to install and set up Fail2Ban on a Linux server so that you can benefit from this wonderful tool as a protective layer on your Linux server and have peace of mind.
Getting to know Fail2Ban
Users usually prefer Linux operating system because of the great security it offers compared to other operating systems like Windows and macOS etc. Especially organizations for whom security is a priority or businesses for whom server security is very important, usually choose Linux VPS for hosting. But buying a Linux VPS does not solve all security concerns. With the advancement of technology, attacks and security threats have increased, so you need to make your Linux VPS more secure with practical tools and layers of protection.
Usually, Linux users activate SSH to increase security against security threats, and this action is very useful to protect your server from threats, but if you look at the login history of your Linux server, you will be surprised by the large number of IPs that were trying to enter the Linux server through SSH.
In this situation, if you have not programmed a mechanism for such attempts, your system will be vulnerable to brute-force attacks because most likely a script will try to enter your server by testing the username and password. Therefore enabling SSH alone is not enough if you want to protect your Linux server against any kind of attack including DoS, DDoS, and brute-force attacks; you need to benefit from strong protection tools such as Fail2Ban in addition to enabling SSH and configuring a strong firewall.
Fail2Ban is a free, open-source log analysis tool that helps protect your Linux server from unauthorized login attempts, brute-force attacks, and security threats.
Fail2Ban is an interface software for checking system logs; by detecting repeated unsuccessful attempts to log into your Linux system, it automatically adds new firewall rules to your IP tables and Blocks the IP of the source trying to login ( for the predetermined or unlimited duration).
Fail2ban actually checks the log files and looks for the IP that intends to infiltrate the system and disturb the security of the Linux server, and after finding it, adds that IP to the blacklist of your firewall temporarily.
Although, Fail2Ban works based on its default settings, it is a flexible and adjustable software that allows you to set new rules according to your needs.
Fail2Ban configuration reduces security threats and attacks to Linux servers and notifies server administrators by email when an attack is detected.
installing and configuring Fail2Ban on a Linux server
Due to its popularity, the widely used Fail2Ban software is fortunately available in the repositories of all Linux distributions, and you can easily install it from the repositories of different Linux distributions.
Fail2Ban installation prerequisite
To install Fail2Ban on a Linux server, you must have root or sudo user permissions. and connect to your server through an SSH client. Also, before starting to install Fail2Ban, make sure that the system is up-to-date and the EPEL repository is installed.
Installing Fail2Ban on Ubuntu
If you are using the Ubuntu operating system on a Linux server, run the following command to update the Ubuntu system repository and softwares:
apt-get update && apt-get upgrade
Enter the following command to install the Fail2Ban package on Ubuntu:
apt-get install fail2ban
To enable email support services for Fail2Ban, type the following command and then press the Enter button.
apt-get install sendmail
To check the status of the Fail2Ban service, use the following command:
sudo systemctl status fail2ban
Installing Fail2Ban on CentOS
To be able to benefit from fail2Ban software on CentOS, go through the following process.
To access and download Fail2Ban in the Extra Packages for Enterprise Linux (EPEL) repository, run the following command:
sudo yum install epel-release
To install Fail2Ban on CentOS, execute the following command and press Enter.
sudo yum install fail2ban
To activate and start the Fail2Ban service, type the following commands:
sudo systemctl enable fail2ban sudo systemctl start fail2ban
Installing Fail2Ban on Debian
Follow the steps below to install Fail2Ban on Debian.
First, update the Debian system repository using the following command and press Enter after entering the following command.
apt-get update && apt-get upgrade –y
Enter the following command to install Fail2Ban:
apt-get install fail2ban
To use the email support service for Fail2Ban, you need to install Sendmail via the following command:
apt-get install sendmail-bin sendmail
To ensure that the Fail2Ban service is installed and active, check its status by entering the following command:
systemctl status fail2ban
Installing Fail2Ban on Fedora
You can install Fail2Ban on your Fedora system by following the instructions below:
Start the installation process by updating your system repository:
Then press the Enter button.
Install Fail2Ban on Fedora by entering the following command:
dnf install fail2ban
Run and activate the Fail2Ban service using the following commands:
systemctl start fail2ban systemctl enable fail2ban
If you use Sendmail on your system, type the following commands to activate and run the Sendmail service:
systemctl start sendmail systemctl enable sendmail
How to configure Fail2Ban
After you install fail2Ban, it’s time to configure it, for which you need to use the files fail2ban.local and jail. local.
Fail2Ban has two main configuration files:
- /etc/fail2ban/fail2ban.conf: This file serves as the operational configuration of the Fail2Ban daemon and it includes log level, log file, socket, and PID settings.
- /etc/fail2ban/jail.conf: the file that controls Fail2Ban behavior, which allows setting things like default ban time, number of times before banning an IP, whitelisting IPs, mail sending information, etc.
Editing default settings using fail2ban.local
Now that you are familiar with the main Fail2ban configuration files, keep in mind that if you make changes to the files, we recommend that you make a copy of fail2ban.conf with the name .local to override the default configuration profile. The reason for copying the fail2ban.conf file is that the default conf files are overwritten during updates and there is a possibility of losing settings.
Follow the steps below to make changes to the copy name and settings of the fail2ban.local file:
Enter the following command to rename the initial configuration file to fail2ban. local:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Note: Do not wait for the output after entering the command because it will not provide the output.
Then run the following command and press the Enter button to open the file:
sudo nano /etc/fail2ban/fail2ban.local
As a result, you will be able to easily make changes in the content of the file.
To use options and Values, enter the following commands:
Use the following command to get the report:
loglevel = INFO
The report you receive has different levels, which we will explain below:
CRITICAL: This is an emergency situation that requires immediate attention.
ERROR: Displays a problem that is not as important as CRITICAL.
WARNING: Conditions that may be dangerous.
NOTICE: A common but important condition.
INFO: You can skip INFO messages.
DEBUG: These are debug-level messages.
To get output about registration actions on a specifically targeted socket, enter the following command:
logtarget = STDERR
which includes the following:
FILE: Its default output is to file socket.
SYSLOG: Its output is a text report file.
STDERR: Its output is the standard error.
STDOUT: standard output.
To automate or set the Syslog socket as File, do the following command and this is for the condition that you have set SYSLOG for the log target.
syslogsocket = auto
With considering /var/run/fail2ban/fail2ban.sock as the default location, enter the following command to set the socket file to communicate with the daemon:
socket = /var/run/fail2ban/fail2ban.sock
With considering /var/run/fail2ban/fail2ban.pid as the default location, enter the following command to set the PID file to store the Fail2Ban server process ID:
pidfile = /var/run/fail2ban/fail2ban.pid
Editing the main configuration file settings using jail.local
As we mentioned earlier, the jail.conf file is another configuration file for Fail2Ban that contains filters, and jails, and be careful not to directly change the settings of this file because it includes the basic rules of the software. we suggest that do not use the less command to read this file because it may be incomprehensible to you. conf file provides a more detailed and specific report.
It is better to create a local file with the name of jail.local that contains a copy of the original file to be used to set and customize actions and filters such as ignoreip, bantime, findtime, maxretry, and backend.
The jail.conf file provides a grouping of services that has a [Default] section that is provided for all services and then displays the various services with their respective settings. So you can see sections like [sshd], [apache-auth], [squid], etc.
Note: inside each parenthesis specifying the service.
In the following, we will give explanations to better understand the output you receive:
For example, if the comments are deleted and the default section is presented as follows:
[DEFAULT] ignorecommand = bantime = 10m findtime = 10m maxretry = 5 backend = auto usedns = warn logencoding = auto enabled = false mode = normal filter = %(name)s[mode=%(mode)s] destemail = root@localhost sender = root@ mta = sendmail protocol = tcp chain = port = 0:65535 fail2ban_agent = Fail2Ban/%(fail2ban_version)s banaction = iptables-multiport banaction_allports = iptables-allports action_abuseipdb = abuseipdb action = %(action_)s
With the help of this feature, we specify trusted IP addresses, CIDR masks, and DNS hosts so that Fail2Ban ignores them and allows incoming traffic from these specific sources to pass.
In this section, you are not limited in adding the number of IPs. You can add desired IPs to this section by leaving a space between them.
This field is used to specify the time a client is prohibited from re-logging after a failed authentication. The time period for determining the ban in this parameter is measured in seconds and usually, 10 or 600 minutes is defined as the default for this parameter. In the above output, the ban duration is specified as 10 minutes by default.
The length of time an IP can try to log in is set in this section. If the host fails in authentication in this time period(according to maxretry settings), the desired IP will be blocked. In the output above, findtime is set for 10 minutes, that is, if a specific IP enters the Login page at 2 o’clock and tries to log in until 2:10 and fails, its IP will be blocked.
This feature is used together with findtime. In this way, you define the maximum number of login attempts in the set time window, which is considered 5 times by default.
Specify the backend configuration for the modification file with the help of this feature. Usually, the default value is selected for this section, but in Fedora and CentOS, it requires to be systemd.
As you can see in the output, the warn setting in this section searches for the host name using reverse-DNS and blocks them through the host name. Note that if you set this field to No, IPs will be banned instead of host names.
This section must be configured to send alerts to the specified email address.
Specifies the name of the sender in the email notification.
Email notifications are sent through the Mail Transfer Agent.
Using the /etc/fail2ban/action.d/iptables-multiport.conf file, this option sets the action to be taken after a maximum number of failed retries.
A type of traffic that stops after the ban.
We also provide the following values that you can use in your settings:
Pynotify: Monitors file system changes in real-time and requires a file change monitor to be installed.
gamin: it is Similar to pynotify, except that the Gamin tool must be installed.
Polling: It does not need external libraries and works according to the polling algorithm.
System: Accesses the systemd journal using the systemd python library.
auto: Uses the previous values of pyinotify, gamin, and polling, respectively.
You can also use the following to apply additional settings including SSH and iptables settings in the jail.local file:
banaction: Specifies the default performance when the maxretry threshold is reached. If using a firewall, set the value to firewallcmd-ipset.
banaction_allports: With banaction allports you can group and limit IP addresses per port. Paste the firewallcmd-ipset value for this section.
Port: In this section, note that the Adjusted service is compatible with the value. If you are using the default port, set the value to the service name, otherwise, enter the port number you are using in this field.
Filter: The failregex information needed to analyze the log files is found in the filename, which is stored in the /etc/fail2ban/filter.d directory.
What is the reason for using Fail2Ban?
Fail2Ban is a software for improving the security of Linux servers that checks server log files to identify and block IPs that try to infiltrate and disrupt server security. Fail2Ban software is a solution to secure the Linux server against brute force attacks and unauthorized attempts to enter the system.
What are the main Fail2Ban configuration files?
/etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf are the two main configuration files of Fail2Ban software, which include the settings and main rules of the software. to make changes in these files, it is better to make a local copy of them and save the copy file with the name conf. Then make the necessary changes to the copy file.
Is Fail2Ban able to block all ports?
Fail2Ban is a powerful and customizable tool. Therefore, you can block all ports if the configuration is changed, but in general, it can Block ports specified in the jail.Conf.
How is the Fail2Ban framework?
Fail2Ban is a framework to prevent infiltration and brute force attacks, which is designed based on the Python programming language. Fail2Ban can run on POSIX systems with a local interface installed to a firewall or packet control systems such as iptables or TCP Wrapper.
Fail2Ban is software to prevent brute-force attacks. Fail2ban is responsible for monitoring the log files in order to identify the IPs that intend to infiltrate the system and disrupt the server’s security and block them. So if you want to secure your Linux server against security attacks and threats, Fail2Ban is the best solution.
In this article, we taught how to install and configure Fail2Ban on Ubuntu, Debian, Fedora, and CentOS operating systems. We have explained how to edit the settings of the two main configuration files, fail2ban.local and jail.local. We hope that by using our tutorial, you were able to equip your Linux server with the powerful Fail2Ban tool and use its features to improve the security of your Linux server.
If you have any questions about any part of the article, share them with us in the comments section.