Fail2Ban

How to install and configure Fail2Ban

Fail2ban is a popular intrusion prevention tool that helps protect your server from unauthorized access by automatically blocking IP addresses that exhibit suspicious behavior, such as repeated failed login attempts. Here’s how you can install and set up Fail2ban on a Linux-based server:

Update Package Lists:

Before installing any new software, updating the package lists on your server is a good practice. Open a terminal or SSH into your server and run:

sudo apt update

Install Fail2ban:

Use the package manager to install Fail2ban. For example, on Ubuntu/Debian, run:

sudo apt install fail2ban

Configuration:

Once installed, Fail2ban reads its jail configuration from /etc/fail2ban/jail.conf (the packaged defaults) and /etc/fail2ban/jail.local (your local overrides). Put your changes in jail.local, because jail.conf may be overwritten during package updates while jail.local is left alone. You can copy the default configuration to jail.local as a starting point:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Adjust Banning Settings:

Open the jail.local file in a text editor:

sudo nano /etc/fail2ban/jail.local

In this file, you can customize the banning parameters. The main ones are bantime (how many seconds an IP stays banned), maxretry (how many failed attempts are tolerated) and findtime (the window, in seconds, within which those attempts are counted). Values set in the [DEFAULT] section apply to every jail; each service-specific section such as SSH or Apache can override them.

Enable Services:

The Fail2ban configuration contains various “jails” for different services. Make sure the jails you want to use are enabled. For example, to enable the SSH jail, find the [sshd] section in the configuration and set enabled = true.
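An example jail.local that covers both steps above (thresholds plus an enabled SSH jail). This is an added illustration, not configuration from the original post; the threshold values and the 192.0.2.0/24 management network in ignoreip are assumptions you should replace with your own. Because jail.local overrides jail.conf, a file containing only these lines also works on its own without copying the whole default file.

```ini
[DEFAULT]
# Addresses that are never banned: loopback plus an assumed management
# network, so an admin mistyping a password cannot lock themselves out.
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

# Ban for one hour after 5 failures seen within a 10 minute window.
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
# Enable the SSH jail; port, logpath and backend reuse the defaults
# that jail.conf already defines for this jail.
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
```

Keep ignoreip narrow: it disables protection entirely for the listed ranges, so it should contain only networks you control.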

Start and Enable Fail2ban:

Start the Fail2ban service and enable it to start at boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check Status and Logs:

You can check the status of Fail2ban with:

sudo fail2ban-client status

Additionally, Fail2ban logs are usually found in /var/log/fail2ban.log.
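To make the log review that the next paragraph recommends less tedious, here is a small POSIX shell script that summarises Ban and Unban events per jail and address from fail2ban's own log format. It is an added example, not part of the original post; the log lines embedded in it are constructed samples (using RFC 5737 documentation addresses) standing in for /var/log/fail2ban.log, and the line layout it assumes is the default "date time,ms fail2ban.actions [pid]: NOTICE [jail] Ban ip".

```shell
#!/bin/sh
# Added example: review fail2ban bans from its log.
# Assumes the default log line layout:
#   <date> <time>,<ms> fail2ban.actions [<pid>]: NOTICE [<jail>] Ban <ip>
# so the jail is the third-last field, the verb the second-last, the IP the last.

# Constructed sample log lines (stand-in for /var/log/fail2ban.log).
SAMPLE_LOG='2024-03-01 08:15:02,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.45 - 2024-03-01 08:15:01
2024-03-01 08:15:10,220 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-01 08:16:44,310 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 08:25:10,002 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.45
2024-03-01 08:26:44,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.7
2024-03-01 09:01:33,515 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2024-03-01 09:02:00,000 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 192.0.2.9'

# Write the sample to a temp file so the functions below work on a real path;
# point LOG_FILE at /var/log/fail2ban.log to run against the live log.
LOG_FILE="${LOG_FILE:-$(mktemp)}"
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"

# ban_summary <logfile>
# Prints "<count> [<jail>] <ip>" for every banned address, most-banned first.
# Repeat offenders stand out; a single ban of a known user is worth checking.
ban_summary() {
  awk '$(NF-1) == "Ban" { n[$(NF-2) " " $NF]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# ban_count <logfile> <jail> <ip>
# Exact-match count of how often <ip> was banned in <jail>.
ban_count() {
  awk -v jail="[$2]" -v ip="$3" \
      '$(NF-2) == jail && $(NF-1) == "Ban" && $NF == ip { n++ }
       END { print n + 0 }' "$1"
}

# currently_banned <logfile> <ip>
# Succeeds (exit 0) when the most recent Ban/Unban event for <ip> is a Ban,
# i.e. the address is still blocked according to the log.
currently_banned() {
  awk -v ip="$2" \
      '$NF == ip && ($(NF-1) == "Ban" || $(NF-1) == "Unban") { last = $(NF-1) }
       END { exit (last == "Ban") ? 0 : 1 }' "$1"
}

# Stand-alone run: show the summary for the sample log.
ban_summary "$LOG_FILE"
```

On a live system, the authoritative view of the current ban list is `sudo fail2ban-client status sshd` (the per-jail form of the status command above); the log is what tells you the history, including bans that have since expired. If a legitimate address shows up, `ignoreip` in jail.local is the place to exempt it.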

That’s it! Fail2ban is now set up to monitor your system’s logs, identify suspicious behavior, and block IP addresses exceeding the defined thresholds. Make sure to regularly review the logs to ensure that legitimate users are not being accidentally blocked.

Remember that while Fail2ban is a valuable tool, it should be part of a comprehensive security strategy that includes strong authentication methods, regular updates, and other security measures.

Sven de Windt
Systems Administrator

Systems engineer with an interest in automation
