How to protect your Linux server with fail2ban

A stylized terminal window that runs on an Ubuntu-style Linux laptop.

With fail2ban, your Linux computer automatically blocks IP addresses that have too many connection failures. It’s self-regulatory security! We will show you how to use it.

Security Security Security

Duchess of Windsor, Wallis Simpson, he once said, “You can never be too rich or too thin.” We’ve updated this for our modern, interconnected world – you can never be too careful or too safe.

If your computer accepts incoming connection requests, such as Safe cover (SSH) connections, or acts as a web or email server, you need to protect it from brute force attacks and password guessing.

To do this, you will need to monitor connection requests that do not enter an account. If they fail to authenticate repeatedly in a short period of time, they should be prohibited from making further attempts.

The only way this can be practically achieved is to automate the entire process. With a little simple setup, fail2ban will manage the monitor, ban and override the ban for you.

fail2ban integrates with Linux firewall iptables. Enforce bans on suspicious IP addresses by adding rules to the firewall. To keep this explanation tidy, we are using iptables with an empty rule set.

Of course, if you are concerned about security, you probably have a firewall configured with a well-populated set of rules. fail2ban only add and remove your own rules—Your normal firewall functions will remain intact.

We can see our empty rule set using this command:

sudo iptables -L

RELATED: The beginner’s guide to iptables, the Linux firewall

Install fail2ban

Installing fail2ban it is simple in all the distributions we use to research this article. In Ubuntu 20.04, the command is as follows:

sudo apt-get install fail2ban

On Fedora 32, type:

sudo dnf install fail2ban

In Manjaro 20.0.1, we use pacman:

sudo pacman -Sy fail2ban

Fail2ban configuration

The fail2ban The installation contains a default configuration file called jail.conf. This file is overwritten when fail2ban it is updated, so we will lose the changes if we customize this file.

Instead, we’ll copy the jail.conf file to one called jail.local. By putting our configuration changes in jail.local, they will persist through updates. Both files are automatically read by fail2ban.

This is how the file is copied:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open the file in your favorite editor. We will use gedit:

sudo gedit /etc/fail2ban/jail.local

We will look for two sections in the file: [DEFAULT] Y [sshd]. However, be careful to find the actual sections. Those tags also appear near the top in a section that describes them, but that’s not what we want.

/etc/fail2ban/jail.local opened in a gedit window.

You will find the [DEFAULT] section somewhere around line 40. It’s a long section with lots of comments and explanations.

/etc/fail2ban/jail.local opened in a gedit window and scrolled to line 89.

Scroll down to line 90 and you will find the following four settings you need to know about:

  • ignoreip: A whitelist of IP addresses that will never be banned. They have a permanent card to get out of jail for free. The localhost IP address (127.0.0.1) is listed by default, along with its IPv6 equivalent (::1). If there are other IP addresses that you know should never be banned, add them to this list and leave a space between each one.
  • bantime: The duration for which an IP address is banned (the “m” stands for minutes). If you enter a value without an “m” or “h” (for hours), it will be treated as seconds. A value of -1 will permanently ban an IP address. Be very careful not to get permanently blocked.
  • search time: The amount of time within which too many failed connection attempts will result in an IP address being banned.
  • maxretry: The value of “too many failed attempts”.

If a connection is made from the same IP address maxretry failed connection attempts within the findtime period, are prohibited for the duration of the bantime. The only exceptions are the IP addresses in the ignoreip ready.

fail2ban puts IP addresses in jail for a specified period of time. fail2ban supports many different jails, each representing that the settings apply to only one type of connection. This allows you to have different settings for various types of connection. Or you can have fail2ban monitor only a chosen set of connection types.

You may have guessed it from the [DEFAULT] section name, but the settings we have seen are the default ones. Now, let’s look at the SSH jail configuration.

RELATED: How to graphically edit text files in Linux with gedit

Set up a jail

Prisons allow you to move connection types in and out of fail2ban's supervision. If the default settings do not match what you want the jail to apply, you can set specific values ​​for bantime, findtime, and maxretry.

Scroll down to line 280 and you will see the [sshd] section.

/etc/fail2ban/jail.local opened in a gedit window and scrolled to line 280.

This is where you can set values ​​for the SSH connection cage. To include this jail in the monitoring and prohibition, we have to write the following line:

enabled = true

We also write this line:

maxretry = 3

The default setting was five, but we want to be more cautious with SSH connections. We lower it to three, and then we save and close the file.

We add this jail to fail2ban's monitoring and overridden one of the default settings. A jail can use a combination of jail-specific and default settings.

Enabling fail2ban

So far we have installed fail2ban and I set it up. Now, we have to enable it to run as an autostart service. Then we need to test it to make sure it works as expected.

To allow fail2ban as a service, we use the systemctl command:

sudo systemctl enable fail2ban

We also use it to start the service:

sudo systemctl start fail2ban

We can check the status of the service using systemctl, too:

sudo systemctl status fail2ban.service

Everything looks good, we have a green light, so everything is fine.

Let’s see if fail2ban do you agree:

sudo fail2ban-client status

This reflects what we set up. We have enabled a single jail, called [sshd]. If we include the jail name with our command above, we can take a deeper look at it:

sudo fail2ban-client status sshd

This lists the number of faults and banned IP addresses. Of course, all stats are zero at the moment.

Testing our jail

On another computer, we will make an SSH connection request to our test machine and misspelt the password on purpose. You get three attempts to get the correct password on each connection attempt.

The maxretry The value will be activated after three failed login attempts, not three failed password attempts. Therefore, we have to type an incorrect password three times to fail the connection attempt.

Then we will make another connection attempt and enter the password incorrectly three more times. The first bad password attempt of the third connection request should be triggered fail2ban.

After the first wrong password on the third connection request, we don’t get a response from the remote machine. We get no explanation; we just have a cold shoulder.

You must press Ctrl + C to return to the command prompt. If we try one more time, we will get a different response:

ssh dave@ubuntu20-04.local

Previously, the error message was “Permission Denied”. This time, the connection is completely rejected. We are persona non grata. They have banned us.

Let’s see the details of the [sshd] jail again:

sudo fail2ban-client status sshd

There were three failures and one IP address (192.168.4.25) was banned.

As we mentioned earlier, fail2ban enforce prohibitions by adding rules to the firewall rule set. Let’s take another look at the ruleset (it was empty before):

sudo iptables -L

A rule has been added to the INPUT policy, which sends SSH traffic to the f2b-sshd chain. The rule in the f2b-sshd The chain rejects SSH connections from 192.168.4.25. We do not modify the default settings for bantimeTherefore, in 10 minutes, that IP address will be canceled and you will be able to make new connection requests.

If you set a longer ban duration (such as several hours), but want to allow an IP address to make another connection request sooner, you can release it sooner.

We write the following to do this:

sudo fail2ban-client set sshd unbanip 192.168.5.25

On our remote computer, if we make another SSH connection request and enter the correct password, we will be able to connect:

ssh dave@ubuntu20-04.local

Simple and effective

The simplest is usually better and fail2ban it is an elegant solution to a complicated problem. It requires very little configuration and hardly imposes an operational overhead, neither for you nor for your computer.

Leave a Reply