Setup and Install Fail2ban Centos 7

Fail2Ban Installation and Setup on CentOS 7

When you purchase or set up a Linux virtual server, you need to start thinking about security as soon as possible. Every day attackers create new ways and tactics to compromise servers. One of the most used attack types is brute force. This attack is based on trying many passwords and usernames to find a valid combination. Because thousands of attempts are made against a single service and username, the attack also wastes server resources.

Fail2ban is a very useful IP blocking tool written in Python. It monitors your system logs; if there are numerous unsuccessful password attempts on one of the services (SMTP, SSH, FTP, etc.), it takes the configured action. Depending on your setup, it blocks the offending IP address or IP address range from accessing your server, permanently or temporarily.

For that reason, it is one of the important security tools to install as soon as possible after you rent a server. Let's continue with the installation.

Installation

Fail2ban can be easily installed with yum. Before starting the installation, we also recommend running a yum update first:

yum update

Then we can continue and install fail2ban:

yum install fail2ban

The installation takes a short time. After it completes successfully, we can create and edit the config file to tune its operation. The settings files are under the /etc/fail2ban/ folder.

We prefer the nano text editor for editing config files on Linux. If it is not yet installed on your CentOS 7 system, run this command to install it.

yum install nano

If you do not have one already, create a new file named jail.local under the /etc/fail2ban folder. You can create it with the commands below.

cd /etc/fail2ban
nano jail.local

Now you can copy and paste the lines below, or edit them to match your settings. Do not forget to save the file when closing it.

[DEFAULT]
# The parameters entered under [DEFAULT] are applied to all rules.
# bantime here is the default: 3600 seconds, which means 1 hour.
# For SSH we set the duration to 600 seconds under [sshd] below; if no value
# is entered under [sshd], the default of 3600 seconds is used.
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
maxretry = 3
bantime = 600

As you can see, after 3 failed login attempts on the SSH service, fail2ban will ban the offending IP address for 10 minutes. If you want to ban the offending IP for a day, enter 86400 instead of 600.

You can follow the fail2ban logs in the /var/log/fail2ban.log file.

As fail2ban consumes some memory on your server, we advise you to set long ban durations, because every operation takes additional memory.

Make It Start Every Time

Fail2ban is a service like HTTP, FTP or SMTP. It has to be started every time the server starts. To enable automatic start at every boot and start it now, enter the commands below.

systemctl enable fail2ban
systemctl start fail2ban

The service is now enabled for every startup and has been started.
You can check the status of the fail2ban service with:

fail2ban-client status

Following Up

We can follow the IP bans by rule and service. To see which IP addresses are banned by a rule, use the command below:

fail2ban-client status [rule name]

Sample Usage:

fail2ban-client status sshd

To see every IP address that is blocked on your server, you can use this command:

iptables -L -n

Sometimes your own IP address can be blocked by your system. To prevent that, edit your jail.conf and add the lines below under [DEFAULT].

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = youripadress 192.168.1.0/24 8.8.8.8

Here 192.168.1.0/24 and 8.8.8.8 are example values; you can remove them in your own settings file.
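
To show how the maxretry, bantime and ignoreip settings above interact, here is an added example (not part of the original article and not fail2ban's own code): a simplified Python model of the sshd rule run over constructed log lines. The findtime of 600 seconds is fail2ban's default and an assumption here, as are the names simulate, EVENTS, SAMPLE_LOG and the host web1.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# maxretry/bantime: from jail.local above; findtime: fail2ban default (assumed).
MAXRETRY, BANTIME, FINDTIME = 3, timedelta(seconds=600), timedelta(seconds=600)
IGNOREIP = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "8.8.8.8")]
# Simplified matcher for sshd failures, not fail2ban's own sshd filter.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed sample events (documentation addresses, hypothetical host web1).
EVENTS = [("10:00:01", "203.0.113.7"), ("10:00:05", "203.0.113.7"),
          ("10:00:09", "203.0.113.7"), ("10:00:30", "198.51.100.9"),
          ("10:00:40", "198.51.100.9"), ("10:02:00", "192.168.1.50"),
          ("10:02:03", "192.168.1.50"), ("10:02:06", "192.168.1.50"),
          ("10:11:00", "203.0.113.7"), ("10:11:05", "203.0.113.7"),
          ("10:11:10", "203.0.113.7"), ("10:15:00", "198.51.100.9")]
SAMPLE_LOG = "\n".join(
    f"Mar  4 {t} web1 sshd[1201]: Failed password for root from {ip} port 40100 ssh2"
    for t, ip in EVENTS)

def simulate(log_text, year=2024):
    """Return [(ip, ban_start, ban_end)] for the jail settings above."""
    failures = defaultdict(deque)   # ip -> times of failures inside findtime
    banned_until = {}               # ip -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                # not a failed-password line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP):
            continue                # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue                # still banned
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()        # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((str(ip), f"{ts:%H:%M:%S}", f"{banned_until[ip]:%H:%M:%S}"))
            window.clear()
    return bans
```

Calling simulate(SAMPLE_LOG) returns two bans for 203.0.113.7, the second starting about a minute after the first expires, which shows that a 10-minute bantime only slows a persistent source. The address in 192.168.1.0/24 is never banned, and the three failures from 198.51.100.9 are spread over more than findtime, so they do not reach maxretry.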

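If you ban an IP address by mistake, you can unblock it with the command below. With the iptables-multiport action configured above, fail2ban keeps its bans in its own chain rather than as DROP rules in INPUT, so the ban is removed through fail2ban-client (sshd is the rule name).

fail2ban-client set sshd unbanip ip_address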

Conclusion

Fail2ban is an important tool which needs to be installed on your server. But it will not secure every part of your server, so do not forget to use other tools and services to improve security and performance. You can find much more detailed information about fail2ban on the project's website.
