Fail2ban is an intrusion prevention software framework that protects computer servers from primarily brute-force attacks, banning bad user agents, banning URL scanners, and much more. <\/p>\n
<\/p>\n
Update your server.<\/p>\n
\napt update && apt full-upgrade\n<\/pre>\nInstall fail2ban<\/p>\n
\napt install fail2ban -y \n<\/pre>\nAfter successful installation, the Fail2ban service should start automatically. You can verify this by running the command:<\/p>\n
\nsystemctl status fail2ban \n<\/pre>\nIf the service is not active on your system, then you can use the following commands to starts and enable it:<\/p>\n
\nsystemctl start fail2ban \nsystemctl enable fail2ban \n<\/pre>\nLastly, verify the version and build of fail2ban:<\/p>\n
\nfail2ban-client --version\n<\/pre>\nOutput:<\/p>\n
\nFail2Ban v0.11.2\n<\/pre>\nAfter completing the installation, we now need to do some setup and basic configuration. Fail2ban comes with two configuration files which are located in \/etc\/fail2ban\/jail.conf and The default Fail2ban \/etc\/fail2ban\/jail.d\/defaults-debian.conf. Do not modify these files. The original set-up files are your originals and will be replaced in any update to Fail2ban in the future.<\/p>\n
Now let’s setup copies ending in .local instead of .conf as Fail2ban will always read .local files first before loading .conf if it cannot find one.<\/p>\n
To do this, use the following command:<\/p>\n
\ncp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local\n<\/pre>\nNow open the configuration file to proceed with configuring:<\/p>\n
\nnano \/etc\/fail2ban\/jail.local\n<\/pre>\nSome items to mofify.
\nBantime Increment<\/p>\n\n# "bantime.increment" allows to use database for searching of previously banned ip's to increase a\n# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...\nbantime.increment = true\n<\/pre>\nWhitelist IPs in Fail2ban<\/p>\n
\nignoreip = 127.0.0.1\/8 ::1 192.167.5.5 (example IP address)\n<\/pre>\nDefault Ban Time Set-Up
\nE-Mail set up with Fail2ban<\/p>\nNote, by default, Fail2ban uses sendmail MTA for email notifications. You can change this to the mail function by doing the following:<\/p>\n
Change from:<\/p>\n
\nmta = sendmail\n<\/pre>\nChange to:<\/p>\n
\nmail = sendmail\n<\/pre>\nFail2ban Jails
\nFail2ban ships with a number of jail for different services. You can also create your own jail configurations. By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the postfix jail.<\/p>\n\n[postfix]\nenabled = true\nport = smtp,ssmtp\nfilter = postfix\nlogpath = \/var\/log\/mail.log\n<\/pre>\nThe settings we discussed in the previous section, can be set per jail. Here is an example:
\n\/etc\/fail2ban\/jail.local<\/p>\n\n[sshd]\nenabled = true\nmaxretry = 3\nfindtime = 1d\nbantime = 4w\nignoreip = 127.0.0.1\/8 11.22.33.44\n<\/pre>\nThe filters are located in the \/etc\/fail2ban\/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.<\/p>\n
Each time the configuration file is modified, the Fail2ban service must be restarted for changes to take effect:<\/p>\n
\nsudo systemctl restart fail2ban\n<\/pre>\nFail2ban Client<\/p>\n
Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.<\/p>\n
To view all available options, invoke the command with the -h option:<\/p>\n
\nfail2ban-client -h\n<\/pre>\nThis tool can be used to ban\/unban IP addresses, change settings, restart the service, and more. Here are a few examples:<\/p>\n
Get the current status of the server:<\/p>\n
\nfail2ban-client status\n<\/pre>\nCheck the jail status:<\/p>\n
\nfail2ban-client status sshd\n[bash]\nUnban an IP:\n[bash]\nsudo fail2ban-client set sshd unbanip 11.22.33.44\n<\/pre>\nBan an IP:<\/p>\n
\nsudo fail2ban-client set sshd banip 11.22.33.44\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Fail2ban is an intrusion prevention software framework that protects computer servers from primarily brute-force attacks, banning bad user agents, banning URL scanners, and much more.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-6484","post","type-post","status-publish","format-standard","hentry","category-fail2ban"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/6484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=6484"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/6484\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=6484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=6484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=6484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}