When it comes to securing a server from malicious brute-forcers, Fail2Ban is an extremely powerful tool and my go-to application on every server I set up. While that position was once held by DenyHosts, as of Ubuntu 14.04 DenyHosts is no longer in the official Ubuntu repository, and it is recommended that it no longer be used… Before we get into how to configure Fail2Ban, let's take a look at how it works….
Fail2Ban works by constantly scanning your log files and taking predetermined actions based on what is set in its configuration file. For example, we can set Fail2Ban to ban the IP address of anyone who tries and fails to log in 3 or more times. To do this, every few seconds Fail2Ban scans the server's log (for SSH, /var/log/auth.log) and keeps a record of every failed attempt. When the limit of 3 is reached, it immediately adds a rule to the built-in iptables firewall for that IP address, effectively rejecting it from all further communication with the server.
Step 1 – Installing Fail2Ban
To install Fail2Ban we need to run 3 commands: the first to update our apt cache, the second to upgrade any old packages on our system and the third to install Fail2Ban itself.
apt-get update
apt-get upgrade
apt-get install fail2ban
Now that it is installed, let us make a copy of the configuration file (so that the original can serve as a template in the future) and open it in our editor of preference.
Step 2 – Configure Fail2Ban
cd /etc/fail2ban/
cp jail.conf jail.local && nano jail.local
By default Fail2Ban comes preconfigured with a great set of options, so we will only be making a few changes. I also highly recommend you read through the config file to see what Fail2Ban is capable of, in case you wish to tweak it more in the future.
Find the following settings in the open config file and change them to match:
# add your IP to the exceptions list so you don't accidentally lock yourself out
ignoreip = 127.0.0.1/8 192.168.1.2

# increase bantime to an hour
bantime = 3600

.....

[ssh]
enabled  = true
port     = 4444    ; If you are using a custom ssh port, change this to your chosen port
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
Remember: Ctrl+X to close the file, and Y to save.
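To make the mechanism described in the introduction concrete, here is an added example (not Fail2Ban's own code) that replays the [ssh] jail logic in Python over a constructed /var/log/auth.log sample: it counts sshd "Failed password" lines per source IP inside a sliding findtime window, skips anything in ignoreip, and reports which hosts a jail with the given maxretry would ban. The regex is a simplified stand-in for Fail2Ban's sshd filter, the log lines and addresses are constructed, and findtime defaults to 600 seconds, which is assumed to match Fail2Ban's own default.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified form of fail2ban's sshd filter: capture timestamp and source host of a failed login.
FAILED_LOGIN = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                          r"Failed password for .* from (?P<host>\S+) port \d+")

# Constructed sample of /var/log/auth.log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:04 web sshd[2002]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 web sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:30 web sshd[2004]: Failed password for bob from 192.168.1.2 port 40000 ssh2
Mar  3 10:00:31 web sshd[2005]: Failed password for bob from 192.168.1.2 port 40001 ssh2
Mar  3 10:00:32 web sshd[2006]: Failed password for bob from 192.168.1.2 port 40002 ssh2
Mar  3 10:00:40 web sshd[2007]: Accepted password for alice from 203.0.113.50 port 2222 ssh2
Mar  3 10:30:00 web sshd[2008]: Failed password for root from 198.51.100.9 port 1111 ssh2
Mar  3 10:45:00 web sshd[2009]: Failed password for root from 198.51.100.9 port 1112 ssh2
Mar  3 11:20:00 web sshd[2010]: Failed password for root from 198.51.100.9 port 1113 ssh2
"""

def find_bans(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8", "192.168.1.2")):
    """Return {ip: time_of_ban} for hosts that reach maxretry failures within findtime seconds.

    Mirrors the jail logic: failures are counted per source IP over a sliding window,
    hosts inside ignoreip are never banned, and a host is banned at most once.
    """
    ignore_nets = [ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    failures, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        host = m.group("host")
        if host in bans or any(ip_address(host) in net for net in ignore_nets):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
        recent = [t for t in failures.get(host, []) if ts - t <= window] + [ts]
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = ts  # real jail: insert an iptables REJECT rule that expires after bantime
    return bans

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"would ban {host} after failure at {when:%b %d %H:%M:%S}")
```

Note that 198.51.100.9 is not banned with the default window because its three failures are spread over 50 minutes, and the local address 192.168.1.2 is never banned because it is in ignoreip; raising maxretry to the tutorial's value of 6 bans nobody in this sample.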
Step 3 – Apply Changes
We finish up by restarting the fail2ban service so that our changes come into effect.
service fail2ban restart
Final Notes: Fail2Ban has a lot more features, such as sending an email whenever an IP is banned or using custom iptables action templates, but those (once again, in my opinion) are not necessary, as the preset config is, for the average server, near perfect.
Now that your server is secure let us move on to Setting up a LAMP Server or a LEMP Server on Ubuntu/Debian.