TABLE OF CONTENTS
Fail2Ban scans log files and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache Web server logs.
How to: Install and Configure Fail2Ban
Downloading and Installing Fail2Ban
You can use the built in package managers to install Fail2Ban.
1. Ubuntu/Debian
apt-get install fail2ban
2. CentOS
yum install epel-release yum install fail2ban fail2ban-systemd
Configuring Fail2Ban Settings
Fail2Ban will operate with default settings, but there are certain settings which may be of interest to edit.
Instead of editing the /etc/fail2ban/jail.conf file directly we will make a copy /etc/fail2ban/jail.local
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Note: The .local file settings override the .conf ones.
To open the file using nano enter the command
nano /etc/fail2ban/jail.local
A typical jail configuration will look like:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 maxretry = 3
There are a few important settings to take note of:
- Ignoreip IP addresses Fail2Ban will ignore. If you connect from a static IP address you can add your own here to prevent getting locked out on failed attempts.
- Bantime The duration in seconds an IP address will be banned for.
- Findtime The amount of time a number of failed connections will result in a ban.
- Maxretry The number of retries allowed during the defined FIndtime to determine is an address is banned.
Configure these settings to your desired values to customize how your Fail2Ban operates.
For CentOS we need to create the local jail configuration
1. Create a local jail config for sshd
nano /etc/fail2ban/jail.d/sshd.local
2. Apply the settings
[sshd] enabled = true port = ssh #action = firewallcmd-ipset logpath = %(sshd_log)s maxretry = 5 bantime = 86400
Note: Make sure you restart the Fail2Ban service for configuration changes to take effect.
1. Ubuntu/Debian
service fail2ban restart
2. CentOS
systemctl restart fail2ban
Operating Fail2Ban
Now that Fail2Ban is up and running there are a few useful commands to be aware of. Fail2ban uses fail2ban-client for most operations.
1. To check to see which jails are running
fail2ban-client status
2. To check the ssh jail status and get a list of banned IPs
Ubuntu/Debian
fail2ban-client -v status ssh
CentOS
fail2ban-client -v status sshd
3. You can also check iptables for a list of banned IPs
iptables -L -n
4. To remove a banned IP from the ssh jail
Ubuntu/Debian
fail2ban-client set ssh unbanip IPADDRESS
CentOS
fail2ban-client set sshd unbanip IPADDRESS
5. To manually ban an IP
Ubuntu/Debian
fail2ban-client set ssh banip IPADDRESS
CentOS
fail2ban-client set sshd banip IPADDRESS
Note: Refer to the Fail2Ban manual pages for more detailed command information
Ubuntu/Debian
man fail2ban-client man fail2ban-server
CentOS
fail2ban-client --help fail2ban-server --help
Viewing Log Files
It can be useful to view the log files to track failed login attempts.
1. Ubuntu/Debian
cat /var/log/auth.log | grep 'Failed password'
2. CentOS
cat /var/log/secure | grep 'Failed password'
Now you have the tools to customize and use Fail2Ban to prevent brute force logins on your VPS!
For additional resources on specifics of using Fail2Ban, please consult Fail2ban Support and Community reference material:
Join our Private Discord Chat to chat with, as well as find community assistance from other Verified SkySilk Users: https://invite.gg/SkySilk
CLICK TO DEPLOY AN UBUNTU LINUX VPS