How to defend a Linux server against a Brute-Force Attack

Brute-force attacks are simple and dependable. The attacker scripts a machine to try username and password combinations against a login service until one works. The best defense is to detect and shut down a brute-force attack while it is still in progress: once an attacker holds a valid credential and is inside the network, tracking them down becomes much harder.

Fail2Ban is a security tool that watches service logs and bans, for a configurable period, any IP address that accumulates too many failed login attempts. It can protect ssh and other services. This page shows how to install and configure Fail2Ban on several Linux distributions. Note that Fail2Ban slows attackers and removes log noise; it does not replace key-based ssh authentication with password login disabled, which removes the password-guessing surface entirely.

Install Fail2Ban on CentOS

To secure your server, take these steps to install Fail2Ban:

1. Using ssh, connect to your CentOS server.

2. Update your VPS:

sudo yum -y update

3. Enable the EPEL repository, which carries the Fail2Ban package, by running:

sudo yum install epel-release

4. Install Fail2Ban using the yum command (a dnf alias on CentOS Stream), now that you've enabled the EPEL repo:

sudo yum install fail2ban

5. Enable the Fail2Ban protection service at startup time, using the systemctl command:

sudo systemctl enable fail2ban

This only registers the service for future boots; to start it immediately, run sudo systemctl start fail2ban.

6. Fail2Ban is now installed and enabled. Configure the jails it should run in the "Configure Fail2Ban settings" section.

Install Fail2Ban on AlmaLinux / Rocky Linux

To secure your server, take these steps to install Fail2Ban:

1. Using ssh, connect to your AlmaLinux or Rocky Linux server.

2. Update your VPS:

sudo dnf -y update

3. Enable the EPEL repository, which carries the Fail2Ban package, by running:

sudo dnf -y install epel-release

4. Install Fail2Ban using the dnf command, now that you've enabled the EPEL repo:

sudo dnf -y install fail2ban

5. Enable the Fail2Ban protection service at startup time, using the systemctl command:

sudo systemctl enable fail2ban

This only registers the service for future boots; to start it immediately, run sudo systemctl start fail2ban.

Fail2Ban is now installed and enabled. Configure the jails it should run in the "Configure Fail2Ban settings" section.

Install Fail2Ban on Ubuntu / Debian

To secure your server, take these steps to install Fail2Ban:

1. Using ssh, connect to your Ubuntu or Debian server.

2. Refresh the package lists on your VPS:

sudo apt-get update

3. Fail2Ban is included in the standard Ubuntu and Debian package repositories, so, unlike RHEL-based distributions, no extra repository is needed. The command to install Fail2Ban is:

sudo apt-get install fail2ban

4. Optionally, clear the downloaded package cache:

sudo apt-get clean

5. Enable the Fail2Ban protection service at startup time, using the systemctl command:

sudo systemctl enable fail2ban

This only registers the service for future boots; to start it immediately, run sudo systemctl start fail2ban.

Fail2Ban is now installed and enabled. The Debian packaging ships an sshd jail that is enabled by default; the next section shows how to set your own ban policy on top of it.
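The three install procedures above, folded into one script as an added example (it is not part of this article or of the Fail2Ban project): it reads /etc/os-release to choose the package manager, enables EPEL only on the RPM-based families, then enables and starts the service and checks that the daemon answers. The pkg_family mapping and the script's argument handling are this example's own conventions.

```shell
#!/bin/sh
# Added example: install Fail2Ban on CentOS, AlmaLinux/Rocky, Ubuntu or Debian
# from one script. Run as: sh install-fail2ban.sh --run
set -eu

# Map the ID and ID_LIKE values from /etc/os-release to a package family.
# Prints "rpm" for the Red Hat family, "deb" for Debian/Ubuntu, else "unknown".
pkg_family() {
  case " $1 " in
    *" centos "*|*" rhel "*|*" almalinux "*|*" rocky "*|*" fedora "*) echo rpm ;;
    *" ubuntu "*|*" debian "*) echo deb ;;
    *) echo unknown ;;
  esac
}

# Install, enable and start Fail2Ban for the given os-release ID string.
install_fail2ban() {
  case "$(pkg_family "$1")" in
    rpm)
      # yum is a dnf alias on CentOS Stream/Alma/Rocky; prefer dnf when present.
      if command -v dnf >/dev/null 2>&1; then pm=dnf; else pm=yum; fi
      sudo "$pm" -y update
      # Fail2Ban lives in EPEL on RHEL-based distributions.
      sudo "$pm" -y install epel-release
      sudo "$pm" -y install fail2ban
      ;;
    deb)
      sudo apt-get update
      # Fail2Ban is in the main Debian/Ubuntu repositories; no extra repo needed.
      sudo DEBIAN_FRONTEND=noninteractive apt-get -y install fail2ban
      ;;
    *)
      echo "unsupported distribution: $1" >&2
      return 1
      ;;
  esac
  # Enable for future boots and start now in one step.
  sudo systemctl enable --now fail2ban
  # Confirm the daemon is up and answering ("Server replied: pong").
  sudo fail2ban-client ping
}

if [ "${1:-}" = "--run" ]; then
  . /etc/os-release
  install_fail2ban "$ID ${ID_LIKE:-}"
fi
```

Passing both ID and ID_LIKE lets the script recognise derivatives (Rocky reports ID=rocky and ID_LIKE="rhel centos fedora"); anything outside the two families it knows is refused rather than guessed.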

Configure Fail2Ban settings

Fail2Ban reads its defaults from /etc/fail2ban/jail.conf, which package upgrades overwrite. Put your own settings in jail.local, which is read afterwards and overrides jail.conf section by section.

1. Open (or create) the local configuration file with your favorite text editor:

sudo vi /etc/fail2ban/jail.local

2. Update/append as follows:

[DEFAULT]

# Ban IPs/hosts for 24 hours (24h * 3600s = 86400s):
bantime = 86400

# An IP address/host is banned once it has generated "maxretry" failures
# during the last "findtime" seconds.
findtime = 600
maxretry = 3

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2Ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using a space (and/or comma) separator. Add the static IP
# address you always log in from, such as 103.1.2.3, so that a typo in your
# own password cannot lock you out:
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3

# Call iptables to ban the IP address. On a host where firewalld manages the
# firewall, use firewallcmd-rich-rules instead; jail.local overrides the
# firewalld default that the EPEL package drops into jail.d.
banaction = iptables-multiport

# Enable sshd protection
[sshd]
enabled = true

3. Save and close the file. Then restart the service so the new settings take effect:

sudo systemctl restart fail2ban

Fail2Ban filters

1. In /etc/fail2ban/filter.d/, you'll find the filters that ship with Fail2Ban. A filter is a set of regular expressions that recognises a failed login in one service's log; a jail pairs a filter with a log file and a ban action. List the filters with a command like:

ls -lah /etc/fail2ban/filter.d

Each file is named after the service it parses. Choose the filter for the service you want to protect; for ssh that is sshd.conf.

2. Jails are declared in /etc/fail2ban/jail.local, not in the filter file (edit filter files only when a service's log format is not matched by the shipped regexes). Open the jail file with your favorite text editor:

sudo vi /etc/fail2ban/jail.local

3. You may now use the following syntax to add a jail:

[jailname]
enabled = true
filter = jailname
logpath = /var/log/yourlogfile

jailname: Replace this with a name of your choosing so that you can readily recognise the jail while checking Fail2Ban's status.
enabled: This value must be true; otherwise the jail is deactivated.
filter: The name of the filter file from step 1 without its .conf extension. If you chose sshd.conf, for example, type sshd here.
logpath: The log file Fail2Ban should scan for attacks on your VPS. For sshd this is /var/log/auth.log on Debian/Ubuntu and /var/log/secure on RHEL-based systems; if the host logs only to the systemd journal and the file does not exist, add backend = systemd to the jail instead. For the shipped sshd filter the distribution defaults already supply logpath and backend, which is why [sshd] with enabled = true was enough in the previous section.
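To see what the findtime and maxretry values from the [DEFAULT] section do to a jail's log, here is an added example (not from this article and not Fail2Ban's own code) that replays a simplified version of that counting over a constructed sshd log. It assumes syslog-format lines from a single day, matches only the "Failed password" message, and treats an address as banned the moment it reaches maxretry failures inside a findtime-second window; the real sshd filter recognises many more failure messages.

```shell
#!/bin/sh
# Added example, not part of the article or of Fail2Ban itself: a simplified
# replay of the sshd jail's findtime/maxretry counting over a constructed log,
# so you can see which addresses the [sshd] jail would ban.
set -eu

# Write a constructed sshd log (syslog format, one day) to stdout.
# 203.0.113.5 fails three times within 464 seconds; 198.51.100.7 only twice.
sample_log() {
  cat <<'EOF'
Jan 10 10:00:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 10:01:00 vps sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 10 10:02:00 vps sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Jan 10 10:02:30 vps sshd[2112]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
Jan 10 10:03:10 vps sshd[2118]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan 10 10:07:45 vps sshd[2130]: Failed password for root from 203.0.113.5 port 51251 ssh2
EOF
}

# would_ban LOGFILE FINDTIME MAXRETRY
# Prints each IP once, at the point it reaches MAXRETRY failures inside a
# FINDTIME-second window ending at its latest failure. Assumptions: one day of
# syslog-format lines (HH:MM:SS in field 3) and "Failed password" as the only
# failure pattern.
would_ban() {
  awk -v findtime="$2" -v maxretry="$3" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      # The source address follows the word "from" in both the plain and the
      # "invalid user" variants of the message.
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      n[ip]++
      ts[ip, n[ip]] = now
      # Count the failures of this address that are still inside the window.
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] < findtime) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' "$1"
}

# Stand-alone run: replay the sample with the values used in jail.local above.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  sample_log > "$tmp"
  echo "banned with findtime=600 maxretry=3: $(would_ban "$tmp" 600 3)"
  echo "banned with findtime=60  maxretry=3: $(would_ban "$tmp" 60 3)"
  rm -f "$tmp"
fi
```

With findtime=600 and maxretry=3 the replay bans 203.0.113.5 at its third failure and leaves 198.51.100.7 alone; shrinking findtime to 60 bans nobody, because no address produced three failures inside any single minute. On a real host the equivalent check is fail2ban-regex /var/log/auth.log sshd (or /var/log/secure on RHEL-based systems), which runs the shipped filter over the actual log and reports how many lines it matched. If you lock yourself out while tuning these values, release the address with sudo fail2ban-client set sshd unbanip <your-ip> and add it to ignoreip.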

What are the steps to start, stop, and restart the Fail2Ban service?

You can use the following systemctl commands to interact with the Fail2Ban service:

sudo systemctl start fail2ban 
sudo systemctl stop fail2ban 
sudo systemctl restart fail2ban 
sudo systemctl status fail2ban

Finding the status of failed and banned IP addresses

sudo fail2ban-client status 
sudo fail2ban-client status sshd 


The first command lists the active jails; the second shows, for the sshd jail, the log file being monitored, the number of failures currently counted and seen in total, and the IP addresses currently banned.
