Fail2ban is an open-source tool that provides a simple way to protect your server from brute-force attacks. It does this by monitoring log files and banning any IP addresses that repeatedly fail authentication attempts. This article will guide you through the process of installing and configuring fail2ban on a Linux server on most known distributions (CentOS, Ubuntu, RedHat, …)
Step 1: Install Fail2ban
The first step is to install fail2ban on your server. The installation process will vary depending on your Linux distribution. Here are the commands for a few popular distributions:
$ sudo apt-get update $ sudo apt-get install fail2ban
$ sudo yum update $ sudo yum install epel-release $ sudo yum install fail2ban
Step 2: Configure Fail2ban
The fail2ban configuration files are located in the /etc/fail2ban/ directory. The main configuration file is jail.conf, which contains the default configuration for all services that fail2ban can monitor. However, you should not modify this file directly. Instead, create a new configuration file in the /etc/fail2ban/jail.d/ directory to override the default settings.
For example, let’s say you want to protect your SSH service. You can create a new configuration file called sshd.conf in the /etc/fail2ban/jail.d/ directory and add the following content:
[sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5 bantime = 86400
Let’s break down the meaning of each line:
- [sshd]: The name of the jail. This should match the name of the service you want to protect.
- enabled = true: This enables the jail.
- port = ssh: The port on which the service is running. In this case, it’s the SSH port.
- filter = sshd: The name of the filter file, which contains the regular expressions used to detect failed login attempts.
- logpath = /var/log/auth.log: The path to the log file for the service.
- maxretry = 5: The number of failed login attempts allowed before banning the IP address.
- bantime = 86400: The amount of time (in seconds) the IP address should be banned.
Step 3: Test Fail2ban
Once you have created your configuration file, you can test fail2ban by trying to log in to your server multiple times with the wrong credentials. After the specified number of failed attempts, your IP address should be banned for the specified amount of time. You can verify this by running the following command:
$ sudo fail2ban-client status sshd
This will display the status of the sshd jail, including the banned IP addresses.
Step 4: Monitor Fail2ban
Fail2ban will run automatically in the background, monitoring your log files for failed authentication attempts. However, it’s a good idea to monitor fail2ban to make sure it’s working correctly. You can use the following commands to view fail2ban logs:
$ sudo journalctl -u fail2ban $ sudo tail -f /var/log/fail2ban.log
The first command will display the systemd logs for fail2ban, while the second command will display the fail2ban log file in real-time.
Fail2ban is a powerful tool that can help protect your server from brute-force attacks. By following the steps in this article, you can install and configure fail2ban on your Linux server. Remember to create a configuration file for each service you want to protect, and monitor fail2ban to make sure it’s working correctly.