Using fail2ban to secure your server

Last week I logged into my VPS with SSH for the first time in 2 weeks and got this message: setup1.jpg 30109 failed login attempts! For a VPS with public IP with an exposed ssh port, that’s pretty low, according to some people on /r/sysadmin/ (my favorite subreddit!). But I’m still decided to add some protection to the server. After some simple research, fail2ban seems to be the solution.

Fail2ban is an application that monitors system logs for symptoms of an attack on your server, written in python.

While Fail2ban is primarily focused on SSH attacks, you can also use Fail2ban configuration with other services that utilize log files and is at potential risk of being compromised.

Installing

Fail2ban is not available in the official CentOS package repository, so I have to install the EPEL repository:

sudo yum install epel-release

Then install fail2ban:

sudo yum install fail2ban

Enable fail2ban using systemctl:

sudo systemctl enable fail2ban

Configuring

fail2ban config files are stored in /etc/fail2ban directory: setup2.jpg Default config file is jail.conf, but I should avoid editing it directly since it may be overwritten when upgrading package. Since fail2ban reads .conf configuration files first, then .local files override any setting, I will create a new jail.local.

sudo nano /etc/fail2ban/jail.local

(feel free to use other text editor, here I used nano)

setup3.jpg

Here I defined some basic value. Also, in case of CentOS or Fedora, I need to change the backend option in jail.local from auto to systemd.

Restart fail2ban to apply the changes:

sudo systemctl restart fail2ban

Running

I can check for fail2ban client status by using:

fail2ban-client status

setup4.jpg To get more information on ssh jail:

fail2ban-client status ssh

setup5.jpg

Other options

This is just the basic to get started with fail2ban. There are many things you can explore like mail notifications, filters, regex etc.

References:

fail2ban repo