fail2ban – TecAdmin (https://tecadmin.net): how-to guides for system administrators and developers

How to Install and Configure Fail2ban on Debian 11
https://tecadmin.net/how-to-install-and-configure-fail2ban-on-debian-11/
Published Thu, 28 Oct 2021 05:08:14 +0000

Every server reachable from the Internet is exposed to automated brute-force attacks: attackers repeatedly guess credentials for SSH, mail, FTP and web logins on any host they can reach.

Fail2ban reduces that exposure on Linux hosts. It watches service log files for repeated authentication failures and other configured patterns, and when a remote address exceeds a threshold it adds a firewall rule that blocks the address for a set time, or permanently.

This how-to guide will explain how to install, configure and set up Fail2ban on a Debian 11 based system.

How to install Fail2ban on Debian 11

Fail2ban is available in the default repository of Debian 11, so it can easily be installed by using the default package manager of Debian:

sudo apt install fail2ban -y  

After successful installation, the Fail2ban service should start automatically. You can verify this by running the command:

sudo systemctl status fail2ban 

If the service is not active on your system, start it and enable it at boot:

sudo systemctl start fail2ban 
sudo systemctl enable fail2ban 

How to configure Fail2ban on Debian 11

Fail2ban ships two main configuration files in /etc/fail2ban: fail2ban.conf (daemon settings) and jail.conf (ban thresholds and per-service jails). Do not edit either directly, since a package update may overwrite them. Fail2ban reads a matching .local file after each .conf file, and settings in the .local file take precedence.

So copy jail.conf to jail.local and make your changes there. A jail.local containing only the overridden settings is enough, but a full copy keeps the upstream comments at hand:

sudo cp /etc/fail2ban/jail.{conf,local} 

Now, open the newly created file in a text editor:

sudo nano /etc/fail2ban/jail.local 

The settings that follow go in the [DEFAULT] section and apply to every jail unless a jail overrides them. ignoreip lists addresses, CIDR ranges or DNS hostnames that Fail2ban must never ban; put your own management address or network here so that a mistyped password cannot lock you out. Entries are separated by spaces or commas. The example below keeps the loopback range and one private subnet exempt; replace them with your own:

ignoreip = 127.0.0.1/8 192.168.1.0/24

bantime sets how long an address stays banned. A bare number is seconds; Fail2ban 0.10 and later also accept suffixes such as m (minutes), h (hours), d (days) and w (weeks). A negative value, for example bantime = -1, makes the ban permanent.

bantime = 120m

findtime is the sliding window over which failures are counted: an address is banned when it produces maxretry failures within the last findtime. Failures older than the window no longer count, so an attacker who spaces attempts farther apart than the window allows is never banned by these settings alone.

findtime = 2m

maxretry is the number of failures, within findtime, after which the address is banned.

maxretry = 5
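The three thresholds above are easier to reason about when you see them applied to real-looking log lines. The script below is an added example written for this guide, not fail2ban's own code: it re-implements the ignoreip, findtime and maxretry decision over a constructed excerpt of /var/log/auth.log (the hostnames, addresses, PIDs and timestamps are made up) so you can check how a setting change alters which addresses get banned. It simplifies fail2ban in two ways: it only recognises OpenSSH's "Failed password ... from <IP>" line, whereas the real sshd filter matches many more patterns, and it assumes all lines fall on the same day.

```shell
#!/usr/bin/env bash
# Added example for this guide (not fail2ban's own code): a minimal model of
# how fail2ban applies ignoreip, findtime and maxretry to sshd log lines.
# Assumptions: all log lines fall on one day, and only OpenSSH's
# "Failed password ... from <IP>" line counts as a failure (the real sshd
# filter matches many more patterns).
set -eu

# Constructed /var/log/auth.log excerpt (made-up hosts, addresses and PIDs).
SAMPLE_LOG='Oct 28 05:00:00 deb11 sshd[1300]: Failed password for root from 198.51.100.9 port 33001 ssh2
Oct 28 05:01:00 deb11 sshd[1301]: Failed password for root from 198.51.100.9 port 33002 ssh2
Oct 28 05:03:30 deb11 sshd[1302]: Failed password for root from 198.51.100.9 port 33003 ssh2
Oct 28 05:06:00 deb11 sshd[1303]: Failed password for root from 198.51.100.9 port 33004 ssh2
Oct 28 05:08:01 deb11 sshd[1201]: Failed password for root from 203.0.113.7 port 50210 ssh2
Oct 28 05:08:04 deb11 sshd[1201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Oct 28 05:08:09 deb11 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Oct 28 05:08:15 deb11 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Oct 28 05:08:20 deb11 sshd[1204]: Failed password for root from 203.0.113.7 port 50214 ssh2
Oct 28 05:08:22 deb11 sshd[1205]: Failed password for root from 192.168.1.20 port 40001 ssh2
Oct 28 05:08:23 deb11 sshd[1205]: Failed password for root from 192.168.1.20 port 40002 ssh2
Oct 28 05:08:24 deb11 sshd[1205]: Failed password for root from 192.168.1.20 port 40003 ssh2
Oct 28 05:08:25 deb11 sshd[1205]: Failed password for root from 192.168.1.20 port 40004 ssh2
Oct 28 05:08:26 deb11 sshd[1205]: Failed password for root from 192.168.1.20 port 40005 ssh2
Oct 28 05:08:30 deb11 sshd[1206]: Accepted publickey for deploy from 198.51.100.9 port 33005 ssh2'

# f2b_simulate "<ignoreip list>" <findtime in seconds> <maxretry>
# Reads log lines on stdin and prints each address that would be banned, in
# the order the bans would fire. Addresses matching an ignoreip entry (plain
# IP or CIDR, space- or comma-separated) are never counted.
f2b_simulate() {
  awk -v ignore="$1" -v findtime="$2" -v maxretry="$3" '
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when ip lies inside cidr ("a.b.c.d" alone means /32).
    function in_cidr(ip, cidr,   p, n, plen, blk) {
      n = split(cidr, p, "/")
      plen = (n == 2) ? p[2] + 0 : 32
      blk = 2 ^ (32 - plen)
      return int(ip2int(ip) / blk) == int(ip2int(p[1]) / blk)
    }
    function ignored(ip,   i) {
      for (i = 1; i <= nign; i++) if (in_cidr(ip, ign[i])) return 1
      return 0
    }
    BEGIN { nign = split(ignore, ign, /[ ,]+/) }
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
      split($3, t, ":")                      # syslog time HH:MM:SS
      ts = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ignored(ip) || (ip in banned)) next
      # Keep only the failures of this address that fall inside findtime.
      hist[ip] = hist[ip] " " ts
      m = split(hist[ip], h, " "); kept = ""; cnt = 0
      for (j = 1; j <= m; j++)
        if (h[j] + 0 >= ts - findtime) { kept = kept " " h[j]; cnt++ }
      hist[ip] = kept
      if (cnt >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone run with the thresholds used in this guide: findtime = 2m,
# maxretry = 5, loopback and one private subnet whitelisted.
printf '%s\n' "$SAMPLE_LOG" | f2b_simulate "127.0.0.1/8 192.168.1.0/24" 120 5
```

Run as-is, only 203.0.113.7 is banned: 192.168.1.20 fails just as often but is covered by the whitelisted subnet, and 198.51.100.9 spreads its four attempts over six minutes, so at no point do five failures fall inside a two-minute window. Widen the window to 600 seconds and lower maxretry to 4 and the slow attacker is banned as well; drop the ignoreip argument and the private address is banned too. That is exactly the trade-off the three settings encode: a short findtime with a high maxretry tolerates slow guessing, a long findtime with a low maxretry catches it but is more likely to ban a legitimate user who mistypes a password.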

After making the necessary changes, save the file.

Now restart the service so the changes take effect. The Debian package already enables the stock [sshd] jail through /etc/fail2ban/jail.d/defaults-debian.conf, so after the restart SSH login failures are counted against the thresholds you just set; any other jail in jail.local stays off until you add enabled = true to its section:

sudo systemctl restart fail2ban.service  

Conclusion

Fail2ban makes a system more resistant to brute-force attacks and similar abuse by watching the logs and banning addresses that behave suspiciously; on any host reachable from a public network this is a basic safeguard. In this article we installed Fail2ban on Debian 11 and set its default ban thresholds.

The post How to Install and Configure Fail2ban on Debian 11 appeared first on TecAdmin.

How to Install and Configure Fail2ban on Ubuntu 20.04
https://tecadmin.net/how-to-install-and-configure-fail2ban-on-ubuntu-20-04/
Published Thu, 01 Apr 2021 05:50:44 +0000

Fail2ban is a tool that improves server security by blocking remote IP addresses, temporarily or permanently, according to rules you define. It helps protect your server and its data from attackers.

This tutorial helps you install Fail2ban on Ubuntu 20.04 LTS and walks through the initial configuration, including protecting SSH with Fail2ban.

Prerequisites

You need shell access to an Ubuntu 20.04 system with a sudo-privileged account.

Step 1 – Installing Fail2ban

Fail2ban packages are available in the default apt repositories. Update the apt cache and install the fail2ban package:

Open a terminal and type:

sudo apt update 
sudo apt install fail2ban -y 

After installation, confirm the service is running; the package enables and starts it for you:

sudo systemctl status fail2ban 

The output should report active (running).

Step 2 – Initial Fail2ban Configuration

Fail2ban keeps its configuration under /etc/fail2ban. jail.conf holds the default ban settings and jail definitions, but it is replaced on package updates, so local changes go into jail.local, which Fail2ban reads afterwards and whose settings take precedence.

So create a copy of the configuration file with name jail.local:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local 

Next, edit the jail.local configuration file in a text editor.

sudo vim /etc/fail2ban/jail.local 

Update the initial settings under the [DEFAULT] section.

  • ignoreip – addresses, CIDR ranges or DNS hostnames that Fail2ban must never ban. Put your own management address or network here so that a mistyped password cannot lock you out.
    [DEFAULT]
    
    ignoreip = 127.0.0.1/8 192.168.1.0/24
  • bantime – how long a host stays banned. A bare number is seconds; m, h and d suffixes are accepted, and a negative value makes the ban permanent.
    bantime = 60m
  • findtime – the window over which failures are counted: a host is banned when it produces “maxretry” failures within the last “findtime”.
    findtime = 5m
  • maxretry – the number of failures within findtime before a host gets banned.
    maxretry = 5

In the next section, you can secure the system services to

Step 3 – Protect SSH/SFTP

With the defaults set, add a jail for SSH further down in jail.local. Ubuntu's jail.conf has no [ssh-iptables] section: the stock jail is called [sshd], and the package already enables it through /etc/fail2ban/jail.d/defaults-debian.conf, so the block below creates a second jail that watches the same log with a stricter maxretry and an e-mail notification. To avoid two jails counting the same failures, either put these overrides into a [sshd] section instead or disable the stock jail. The sendmail-whois action needs a working sendmail and the whois utility, and on Ubuntu the SSH log is /var/log/auth.log, not /var/log/secure:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=info@example.com, sendername="Fail2Ban"]
logpath  = /var/log/auth.log
maxretry = 3

Step 4 – Protect FTP

To protect a vsftpd FTP server, add the [vsftpd-iptables] jail below. If you are not running vsftpd, skip this section.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Step 5 – Manage Fail2ban Service

After making all the changes, save the file, then restart the Fail2ban service and make sure it is enabled at boot:

sudo systemctl restart fail2ban.service 
sudo systemctl enable fail2ban.service 

For testing, I tried SSH with wrong credentials from a different machine. After three failed attempts Fail2ban banned that address with an iptables REJECT rule (the default blocktype answers with icmp-port-unreachable). You can confirm the ban with fail2ban-client status ssh-iptables, which lists the currently banned addresses, or by listing the iptables chain the action created with iptables -L -n. On a system you reach only over SSH, make sure you can still log in from a second, whitelisted address before running such a test, and unban the test address afterwards with fail2ban-client set ssh-iptables unbanip followed by the address.

Conclusion

This tutorial helped you install and configure Fail2ban on Ubuntu 20.04 LTS and add jails that protect specific services such as SSH (which also covers SFTP) and FTP.

The post How to Install and Configure Fail2ban on Ubuntu 20.04 appeared first on TecAdmin.

How to Install and Configure Fail2ban on CentOS 8
https://tecadmin.net/install-fail2ban-centos8/
Published Wed, 16 Oct 2019 14:27:43 +0000

This tutorial will help you install and configure Fail2ban on CentOS 8, RHEL 8 and Fedora systems. You will also learn how to add a specific service to the set of services Fail2ban monitors.

Step 1 – Install Fail2ban on CentOS 8

First install the epel-release package, which configures the EPEL repository (on RHEL 8 install the EPEL release RPM from the Fedora project instead), then install Fail2ban. The EPEL fail2ban package is a meta-package that also pulls in fail2ban-firewalld, which makes firewalld the default ban action through /etc/fail2ban/jail.d/00-firewalld.conf:

sudo dnf install epel-release
sudo dnf install fail2ban

Step 2 – Configure Fail2ban

Fail2ban keeps its configuration under /etc/fail2ban. Do not edit jail.conf directly, since a package update can overwrite it; copy it to jail.local, which Fail2ban reads afterwards and whose settings take precedence:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local 

Now edit jail.local to set the ban rules. Start with the [DEFAULT] section, which applies to every jail:

[DEFAULT]

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24

# "bantime" is how long a host stays banned. A bare number is seconds; the
# m/h/d suffixes are accepted, and a negative value makes the ban permanent.
bantime = 60m

# A host is banned if it has generated "maxretry" failures during the last
# "findtime". With the setting below that window is 5 minutes.
findtime = 5m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

Step 3 – Protect SSH/SFTP

With the defaults set, add the SSH jail below further down in jail.local. The stock jail.conf already defines a [sshd] jail, which is not enabled out of the box, so you can equally put enabled = true and these overrides into a [sshd] section instead of creating a second jail. The explicit iptables action here bypasses the firewalld default set by the fail2ban-firewalld package; drop the action line if you want bans to go through firewalld. The sendmail-whois action needs a working sendmail and the whois utility. On CentOS the SSH log is /var/log/secure:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3

Step 4 – Protect FTP

To protect a vsftpd FTP server, add the [vsftpd-iptables] jail below. If you are not running vsftpd, skip this section.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Step 5 – Restart Service and Test

After making all the changes, save the file, then start and enable the service (use restart instead of start if it is already running):

sudo systemctl start fail2ban.service
sudo systemctl enable fail2ban.service

For testing, I tried SSH with wrong credentials from a different machine. After three failed attempts Fail2ban banned that address with an iptables REJECT rule (the default blocktype answers with icmp-port-unreachable). Confirm the ban with fail2ban-client status ssh-iptables, or list the chain the action created with iptables -L -n. On a system you reach only over SSH, make sure you can still log in from a second, whitelisted address before running such a test, and unban the test address afterwards with fail2ban-client set ssh-iptables unbanip followed by the address.

The post How to Install and Configure Fail2ban on CentOS 8 appeared first on TecAdmin.

How to Whitelist an IP in fail2ban on Ubuntu & Debian
https://tecadmin.net/whitelist-ip-fail2ban-fail2ban/
Published Thu, 19 Sep 2019 11:00:40 +0000

Fail2ban is a useful application for protecting servers against brute-force attacks. It reads application logs and bans the IP addresses it identifies as attackers, either temporarily or permanently. You can also whitelist specific IP addresses so that Fail2ban never blocks them. This tutorial shows how to whitelist an IP in Fail2ban on Ubuntu, Debian and Linux Mint systems.

Whitelist IP in Fail2ban

First, make a local copy of jail.conf and edit it (run the commands as root or with sudo). On Debian-based systems the Fail2ban configuration files live under /etc/fail2ban:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

Now add your addresses to the ignoreip option inside the [DEFAULT] section. Entries are separated by spaces (commas also work) and may be single addresses, CIDR ranges or DNS hostnames. A single host is written without a mask; a network needs its prefix length, for example /24 to cover 192.168.2.0 through 192.168.2.255 (a /32 would match only the one address 192.168.2.0). For example:

[DEFAULT]

ignoreip = 192.168.10.100 192.168.2.0/24

After adding your IP, save the file and restart fail2ban service:

systemctl restart fail2ban

All done!

The post How to Whitelist an IP in fail2ban on Ubuntu & Debian appeared first on TecAdmin.

How to Install Fail2Ban on CentOS/RHEL 7/6
https://tecadmin.net/install-fail2ban-on-centos-rhel/
Published Thu, 30 Jan 2014 04:30:10 +0000

Fail2ban is a very useful application if you manage the security of a server, whether a VPS or a physical machine. It scans the log files the system writes and bans IP addresses that match its rules for malicious behaviour. You can use it to monitor the logs of services such as Apache and SSH and block the addresses that try to break in.

Step 1 – Install Fail2ban on CentOS

First, enable the EPEL repository on your CentOS system, then install the Fail2ban RPM package:

sudo yum install epel-release
sudo yum install fail2ban

Step 2 – Fail2ban Default Configuration

Fail2ban ships its jail configuration in /etc/fail2ban/jail.conf. Do not edit that file, since a package update can overwrite it; copy it to jail.local and make your changes there. Fail2ban reads jail.local after jail.conf and its settings take precedence.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local 

Now edit jail.local to set the ban rules. Start with the [DEFAULT] section, which applies to every jail:

[DEFAULT]

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts, separated by spaces.
# Fail2ban never bans a matching address, so add the address you administer from
# (replace 11.22.33.44 with your own) to avoid locking yourself out.
ignoreip = 127.0.0.1/8 192.168.1.0/24 11.22.33.44

# "bantime" is the total number of seconds that a host is banned (3600sec = 1 Hour ).
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime" seconds. as per below
# settings, 2 minutes
findtime  = 120

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

Step 3 – Protect SSH/SFTP

With the defaults set, go further down in jail.local. Fail2ban 0.8 (CentOS 6) ships an [ssh-iptables] section in jail.conf, so edit it in place as shown; Fail2ban 0.9 (CentOS 7) names the jail [sshd] instead, so there either add this block or set enabled = true and these overrides in the [sshd] section. The sendmail-whois action requires sendmail and whois to be installed, and /var/log/secure is the SSH log on CentOS.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3

Step 4 – Protect FTP

To protect a vsftpd FTP server, find the [vsftpd-iptables] section and change it as below. If you are not running vsftpd, skip this section.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

Step 5 – Restart Fail2ban Service

After making all the changes, save the file and restart the Fail2ban service (on CentOS 7, systemctl restart fail2ban is equivalent):

sudo service fail2ban restart

The post How to Install Fail2Ban on CentOS/RHEL 7/6 appeared first on TecAdmin.
