Brute force attacks are simple and dependable. Attackers use a machine to do their work, such as trying various usernames and passwords until they find one that works. The best defense is to detect and neutralize a brute force attack in progress: once attackers gain access to the network, they become much more difficult to track down.
Fail2Ban, a security tool that bans IP addresses after a certain number of failed ssh login attempts, can protect your ssh and other services. This page shows how to install and configure Fail2Ban on a variety of Linux servers.
Install Fail2Ban on CentOS
To secure your server, take these steps to set up and configure Fail2Ban:
1. Using ssh, connect to your CentOS server.
2. Update your VPS:
yum -y update
3. Enable and install the EPEL repository by running:
yum install epel-release
4. Install Fail2Ban using the yum command, now that you've enabled the EPEL repo:
yum install fail2ban
5. Run the following command to enable the Fail2Ban protection service at startup time, using the systemctl command:
sudo systemctl enable fail2ban
Fail2Ban should now be installed and set to start at boot.
Install Fail2Ban on AlmaLinux / Rocky Linux
To secure your server, take these steps to set up and configure Fail2Ban:
1. Using ssh, connect to your AlmaLinux or Rocky Linux server.
2. Update your VPS:
sudo dnf -y update
3. Enable and install the EPEL repository by running:
sudo dnf -y install epel-release
4. Install Fail2Ban using the dnf command, now that you've enabled the EPEL repo:
sudo dnf -y install fail2ban
5. Run the following command to enable the Fail2Ban protection service at startup time, using the systemctl command:
sudo systemctl enable fail2ban
Fail2Ban should now be installed and set to start at boot.
Install Fail2Ban on Ubuntu / Debian
To secure your server, take these steps to set up and configure Fail2Ban:
1. Using ssh, connect to your Ubuntu or Debian server.
2. Update your VPS:
apt-get update
3. Fail2Ban is included by default in the official Ubuntu and Debian package repositories, unlike RHEL-based distributions, so no extra repository is needed. The command to install Fail2Ban is:
apt-get install fail2ban
4. Run the following command to clear your repository cache:
apt-get clean
5. Run the following command to enable the Fail2Ban protection service at startup time, using the systemctl command:
sudo systemctl enable fail2ban
Fail2Ban should now be installed and set to start at boot.
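The three procedures above differ only in the package manager and in whether EPEL is needed first. The following script is an added example, not part of the original article or of the Fail2Ban project: it reads ID and ID_LIKE from /etc/os-release, picks the matching command list, and after installing confirms that the unit is enabled and that the daemon answers. It assumes a standard os-release file and that dnf or yum is on the PATH for the RHEL family; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): one installer for CentOS,
# AlmaLinux, Rocky Linux, Ubuntu and Debian, mirroring the per-distro steps.
# Assumption: /etc/os-release carries ID and, optionally, ID_LIKE.

# Print the install commands for a distro ID / ID_LIKE pair.
# The RHEL family needs EPEL first; Debian and Ubuntu ship fail2ban directly.
fail2ban_install_plan() {
    id=$1; like=$2; pm=$3   # pm is "dnf" or "yum", whichever the host has
    case " $id $like " in
        *" debian "*|*" ubuntu "*)
            printf '%s\n' "apt-get update" "apt-get install -y fail2ban" "apt-get clean"
            ;;
        *" rhel "*|*" centos "*|*" fedora "*|*" almalinux "*|*" rocky "*)
            printf '%s\n' "$pm -y update" "$pm -y install epel-release" "$pm -y install fail2ban"
            ;;
        *)
            echo "unsupported distribution: $id" >&2
            return 1
            ;;
    esac
}

# Read ID / ID_LIKE from an os-release file (path given so a constructed copy can
# be used offline) and emit the plan for it.
plan_from_os_release() {
    file=$1
    id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
    like=$(sed -n 's/^ID_LIKE="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$file")
    if command -v dnf >/dev/null 2>&1; then pm=dnf; else pm=yum; fi
    fail2ban_install_plan "$id" "$like" "$pm"
}

# Execute the plan for this host, then verify: the unit must be enabled and
# fail2ban-client must get a "pong" back from the running server.
install_fail2ban() {
    plan_from_os_release /etc/os-release | while IFS= read -r cmd; do
        echo "+ $cmd"; sh -c "$cmd" || exit 1
    done || return 1
    systemctl enable --now fail2ban || return 1
    systemctl is-enabled fail2ban && fail2ban-client ping
}

# Only install when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--install" ]; then
    install_fail2ban
fi
```

Run it as root with `sh install.sh --install`; without the flag it only defines the functions, which is how the plan can be inspected for a given os-release before anything is changed.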
Configure Fail2Ban settings
1. Open the Fail2Ban configuration file, with your favorite text editor.
sudo vi /etc/fail2ban/jail.local
2. Update/append as follows:
[DEFAULT]
# Ban IPs/hosts for 24 hours (24h * 3600s = 86400s):
bantime = 86400
# An IP address/host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
maxretry = 3
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
# Call iptables to ban IP address
banaction = iptables-multiport
# Enable sshd protection
[sshd]
enabled = true
3. Save and close the file. After that, start or restart the service.
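Editing jail.local by hand works, but a practitioner usually wants the values checked before the daemon reads them: a non-numeric bantime or a typo in ignoreip can leave the jail inactive or lock out the admin's own address. The following is an added example, not code from the original article or from Fail2Ban: it writes the same [DEFAULT] and [sshd] settings shown above, refuses values that would weaken the jail, keeps a backup of any existing jail.local (jail.local is the file to edit; jail.conf is overwritten on package upgrade), and then asks fail2ban-client to test-parse the result. It assumes the config directory is passed in, and validates only IPv4 addresses and CIDR masks in the ignoreip list (Fail2Ban also accepts IPv6 and DNS names, which this check does not cover); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): generate and sanity-check
# /etc/fail2ban/jail.local with the settings the page recommends.
# Assumptions: DIR is the fail2ban config directory; ignoreip entries given by
# the caller are IPv4 addresses or IPv4 CIDR masks.

# Return 0 if $1 is a.b.c.d or a.b.c.d/nn with octets 0-255 and nn 0-32.
valid_ipv4_or_cidr() {
    ip=${1%%/*}; mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no "/" present: plain address
    case "$mask" in ''|*[!0-9]*) return 1;; esac
    [ "$mask" -le 32 ] || return 1
    echo "$ip" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# write_jail_local DIR BANTIME FINDTIME MAXRETRY "IGNOREIP LIST"
# Backs up an existing DIR/jail.local before overwriting it.
write_jail_local() {
    dir=$1; bantime=$2; findtime=$3; maxretry=$4; ignoreip=$5
    for n in "$bantime" "$findtime" "$maxretry"; do
        case "$n" in ''|*[!0-9]*) echo "non-numeric value: '$n'" >&2; return 1;; esac
    done
    [ "$maxretry" -ge 1 ] || { echo "maxretry must be >= 1" >&2; return 1; }
    for a in $ignoreip; do
        valid_ipv4_or_cidr "$a" || { echo "bad ignoreip entry: $a" >&2; return 1; }
    done
    target="$dir/jail.local"
    [ -f "$target" ] && cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    cat > "$target" <<EOF
[DEFAULT]
# Ban hosts for ${bantime}s; a host is banned after ${maxretry} failures within ${findtime}s
bantime = $bantime
findtime = $findtime
maxretry = $maxretry
# Never ban loopback or your own static address(es)
ignoreip = 127.0.0.1/8 ::1 $ignoreip
banaction = iptables-multiport

[sshd]
enabled = true
EOF
}

# jail_setting DIR KEY: print the first value set for KEY in DIR/jail.local.
jail_setting() { sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1/jail.local" | head -n 1; }

# Let Fail2Ban itself parse the configuration (fail2ban-client -t tests it
# without starting the server), then reload the running daemon.
check_live_config() {
    command -v fail2ban-client >/dev/null 2>&1 || { echo "fail2ban-client not found" >&2; return 2; }
    fail2ban-client -t >/dev/null && fail2ban-client reload
}
```

Typical use is `write_jail_local /etc/fail2ban 86400 600 3 "203.0.113.7" && check_live_config`, with 203.0.113.7 standing in for the admin's own static address.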
Fail2Ban filters
1. In /etc/fail2ban/filter.d/, you'll find the filters Fail2Ban ships with, one file per service. You can take a look using a command like:
ls -lah /etc/fail2ban/filter.d
You will see an overview. Pick the filter for the authentication log you want to watch, such as sshd.conf.
2. Open the filter file with your favorite text editor to see which log lines it matches:
sudo vi /etc/fail2ban/filter.d/sshd.conf
3. You may now use the following syntax to add a jail that uses this filter (jails are defined in /etc/fail2ban/jail.local, not in the filter file):
[jailname]
enabled = true
filter = jailname
logpath = /var/log/yourlogfile
[jailname]: Replace this name with one of your choosing so that you can readily recognize it while checking Fail2Ban's status.
enabled: This value must be true; otherwise the jail is deactivated.
filter: In this field, type the name of the filter file without its .conf extension. If you chose sshd.conf in step 1, for example, type sshd here.
logpath: This is where you tell Fail2Ban which log file to scan for attacks on your VPS.
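Before pointing a jail at a live logpath, it helps to see which addresses the maxretry/findtime rule would actually ban on real log lines. The following is an added example, not from the original article or from Fail2Ban: it replays that rule over a log with an awk sliding window, using a constructed sample of sshd failures in the default syslog format. It assumes the lines look like `Mon DD HH:MM:SS host sshd[pid]: Failed password for ... from A.B.C.D ...` and that the sample stays within one calendar day, since only HH:MM:SS is parsed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): replay the jail's
# maxretry/findtime rule over sshd log lines to preview which addresses a
# jail would ban. Assumption: default syslog timestamp format, single day.

# Constructed sample of what /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (RHEL family) might contain: one address hammering the
# server, one legitimate user who mistypes a password now and then.
sample_log() {
    cat <<'EOF'
Mar  5 10:00:01 vps sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  5 10:00:04 vps sshd[2013]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Mar  5 10:00:09 vps sshd[2015]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar  5 10:01:30 vps sshd[2020]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  5 10:02:12 vps sshd[2022]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
Mar  5 10:25:40 vps sshd[2030]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Mar  5 10:40:05 vps sshd[2041]: Failed password for alice from 203.0.113.9 port 40015 ssh2
EOF
}

# would_ban MAXRETRY FINDTIME [LOGFILE]
# Prints "IP total_failures" for every address that reached MAXRETRY failures
# inside some FINDTIME-second window. Reads stdin when no file is given.
would_ban() {
    maxretry=$1; findtime=$2; shift 2
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        # Only authentication failures count, the event class the sshd filter bans on.
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":"); secs = t[1]*3600 + t[2]*60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            n[ip]++; ts[ip, n[ip]] = secs
        }
        END {
            for (ip in n) {
                # The log is chronological, so a window over consecutive failures suffices.
                for (i = 1; i + maxretry - 1 <= n[ip]; i++)
                    if (ts[ip, i + maxretry - 1] - ts[ip, i] <= findtime) { print ip, n[ip]; break }
            }
        }' "$@"
}
```

With the page's settings, `sample_log | would_ban 3 600` reports only 198.51.100.23; raising findtime to 3600 would also catch alice's three scattered failures, which is the trade-off to weigh when tuning the jail. To check the real filter's regular expressions against a real log, Fail2Ban's own tool is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines matched.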
What are the steps to start, stop, and restart the Fail2Ban service?
You can use the following systemctl commands to interact with the Fail2Ban service:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
Finding the status of failed and banned IP addresses
sudo fail2ban-client status
sudo fail2ban-client status sshd
The first command lists the active jails; the second shows the status of the sshd jail: the log file being watched, the number of failed attempts, and the IP addresses currently banned.