Last updated on August 7th, 2024 at 05:46 am
It is very important to protect your website from malicious attacks such as brute force attacks and DDoS (distributed denial of service). For this purpose, it is essential to install a firewall on your system and configure traffic rules to block requests from malicious IPs. Fail2ban is a useful firewall and intrusion prevention framework that automatically detects and blocks brute force attacks on your servers. It analyzes server logs for such malicious attacks and blocks the offending IP addresses using iptables. Here’s how to install Fail2ban on Ubuntu and CentOS systems.
What is Fail2ban
Fail2ban is a powerful, simple and easy-to-use firewall system that detects and prevents intrusion into your system. It is written in the Python programming language, but it can be installed on Windows, Linux as well as Mac systems without any Python dependencies. It is commonly used to protect major web servers such as Apache and NGINX from brute force SSH login attempts. Fail2ban can also be set up to send you email alerts whenever a hacking attempt is thwarted.
How Fail2ban Works
Fail2ban mainly monitors the different application logs on your system to track intrusion attempts, records the related IP addresses and automatically blocks them. It is mainly used to block SSH intrusion attempts but it can be used to monitor any application by simply configuring it to monitor that application’s log files. It uses smart regular expressions to identify even clever hacking attempts and automatically block malicious IPs. It makes use of ‘jails’ that are a set of firewall rules applicable for suspicious IP addresses.
How to Install Fail2ban to Protect Apache Server
Here are the steps to install Fail2ban for Apache web server.
1. Update System
Open terminal and run the following command to update your system.
Ubuntu/Debian
$ sudo apt-get update
CentOS/RHEL/Fedora
# sudo yum install -y epel-release
2. Install Fail2ban
Ubuntu/Debian
Fail2ban is available from the APT package manager on Ubuntu/Debian systems. Run the following command to install Fail2ban on an Ubuntu server.
$ sudo apt-get install fail2ban -y
CentOS/Redhat/Fedora
The yum package manager provides Fail2ban for CentOS/RHEL/Fedora systems (from the EPEL repository enabled in step 1). Run the following command to install Fail2ban on a CentOS server.
# sudo yum install -y fail2ban
3. Restart Fail2ban
Once you have installed Fail2ban on your system, you can use the same commands irrespective of your Linux distribution.
Restart Fail2ban to apply changes
$ sudo service fail2ban restart
4. Configure Fail2ban
Next, we will create a configuration file to customize it. Fail2ban looks for a file named jail.local and reads its contents for configuration. However, this file doesn’t exist by default; Fail2ban ships only with a jail.conf file. So we will create jail.local by duplicating jail.conf.
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
5. Edit Configuration File
Paste the following lines into this file.
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
Save and close the file.
In the above configuration, we instruct Fail2ban to ignore the loopback addresses 127.0.0.1/8 and ::1, that is, localhost, so the server can never ban itself. In the remaining lines we specify different time limits in seconds. For example, if there are 5 failed attempts (maxretry=5) from one IP address within 600 seconds (findtime=600), then that IP address is banned for 3600 seconds (bantime=3600), that is, 1 hour. You can change these settings as per your requirement.
The settings under [DEFAULT] apply to all services. You can override them for a specific service by creating a separate section named after that service in […]. Here is an example for the SSHD service. You can use the following configuration for basic protection of the SSH service.
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
In the above configuration:
- Enabled – enables jail for SSH service
- Port – port number that the SSH service is running on
- Filter – name of filter to be used, usually the name of process
- Logpath – Log file location of SSH service which will be monitored by Fail2ban
- Maxretry – maximum number of failed attempts allowed before IP is banned
- Findtime – Time duration in seconds during which failed attempts are considered for ban. You can also set it in minutes such as 10m for 10 minutes.
- Bantime – Time duration of ban in seconds. Default value is 10 minutes. You can also set this value in minutes by adding ‘m’ such as 10m for 10 minutes.
6. Create Custom Filter
Fail2ban makes use of regular expressions, known as filters, to quickly identify malicious behavior in requests. Fail2ban scans the log files for these regular expressions to identify attacks. The filters are stored as .conf files in /etc/fail2ban/filter.d, and a jail refers to a filter by its file name without the .conf extension (for example, filter = sshd uses /etc/fail2ban/filter.d/sshd.conf). You can add your own filters by creating new files in this directory. However, the default filters are more than enough to catch the most common attacks.
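To show how the maxretry/findtime/bantime settings from step 5 and the failregex filters from step 6 work together, here is an added example (not part of the original article or of Fail2ban itself) that replays constructed auth.log lines through a simplified jail. It assumes a cut-down version of one sshd failregex pattern and a fixed year for the syslog timestamps; the real sshd.conf filter has many more patterns.

```python
import re
from datetime import datetime, timedelta

# Jail settings from the article's [sshd] section: 3 failures within 600 s -> ban for 3600 s.
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600

# Simplified stand-in for one of the failregex patterns in filter.d/sshd.conf (assumption).
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed auth.log lines (not from a real server); addresses are documentation ranges.
LOG = """\
Aug  7 05:40:01 web sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Aug  7 05:40:05 web sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Aug  7 05:40:09 web sshd[1201]: Failed password for root from 198.51.100.23 port 51251 ssh2
Aug  7 05:41:00 web sshd[1210]: Accepted publickey for deploy from 203.0.113.8 port 40022 ssh2
Aug  7 05:42:00 web sshd[1222]: Failed password for deploy from 203.0.113.8 port 40030 ssh2
Aug  7 05:55:00 web sshd[1230]: Failed password for deploy from 203.0.113.8 port 40031 ssh2
Aug  7 06:10:00 web sshd[1240]: Failed password for deploy from 203.0.113.8 port 40032 ssh2
""".splitlines()

def parse_line(line, year=2024):
    """Return (timestamp, ip) if the line matches the filter, else None.
    syslog timestamps carry no year, so one is assumed."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines the way a jail would; return {ip: time_of_ban}."""
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    failures, bans = {}, {}   # ip -> recent failure times / ip -> ban start
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # line does not match the filter
        ts, ip = parsed
        if ip in bans and ts < bans[ip] + ban_len:
            continue                      # still banned: the firewall would drop it
        hits = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
        if len(hits) >= maxretry:
            bans[ip], hits = ts, []       # ban and reset the counter
        failures[ip] = hits
    return bans

if __name__ == "__main__":
    for ip, when in simulate(LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S} for {BANTIME} s")
```

With the article's values only 198.51.100.23 is banned; the slow attempts from 203.0.113.8 never fit three failures inside one 600-second window, which is why findtime matters as much as maxretry.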
7. Restart Fail2ban
Restart Fail2ban to apply changes.
$ sudo service fail2ban restart
8. Check Fail2ban status
Run the following command to check Fail2ban status
$ sudo service fail2ban status
active (running)
If you want to check the list of IP addresses banned by Fail2ban, run the following command.
$ iptables -S
Conclusion
In this article, we have learnt what Fail2ban is, how it works and how to install and configure it. It is very important to run some kind of firewall application to protect your web server in today’s world. Fail2ban is one of the most popular ones, alongside iptables and ufw. It is free and works well on Windows, Linux and Mac systems. Hopefully, this article will help you protect your Apache server and SSH from brute force attacks.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.