Setup fail2ban on Ubuntu server

#1 Wolke

Posted 07 March 2015 - 02:15 PM

Fail2ban may be installed as one means (there are many) of protecting our server from unauthorized access.
This is achieved by automatically changing your firewall configuration, based on a predefined number of unsuccessful login attempts.

Install fail2ban:

sudo apt-get update
sudo apt-get install fail2ban


The default directory for fail2ban is /etc/fail2ban, which contains a config file called jail.conf - we should copy this file so that we may edit it.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Then we may open the file with nano.

sudo nano /etc/fail2ban/jail.local


Changing the line ignoreip = ... lets you configure fail2ban not to ban the IP addresses listed in this parameter.

ignoreip = 127.0.0.1/8


The default is set to not ban the local machine, but more IP addresses may be added at the end, space separated.

bantime = 600


The above parameter sets, in seconds, the length of time a client remains banned.
Also important are the findtime and maxretry parameters.
The maxretry variable sets the number of tries a client has to authenticate within a window of time defined by findtime, before being banned. With the default settings, the fail2ban service will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.

Furthermore, destemail, sendername, and mta may be used to send email notifications if you have a mail server set up.
The backend parameter may be left on the default setting of auto.

In the actions section you will find parameters such as banaction, which describes the steps that fail2ban will take to ban a matching IP address. It refers back to the default iptables-multiport action, the contents of which can be found at

/etc/fail2ban/action.d/iptables-multiport.conf


Additionally, one may alter the protocol from TCP to UDP in this line as well, depending on which one you want fail2ban to monitor.

Next up is the SSH section:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6


Most of these options are just fine with the default settings, except for the case where you have changed the standard SSH port. If you have changed the port, then change the parameter value to reflect the port you have assigned.

port = yoursshportnumber


Once you have finished, you must restart the fail2ban service for the changes to take effect:

sudo service fail2ban restart


You may inspect the iptables rules that were implemented:

sudo iptables -L


If you need any further information, these links are helpful:

iptables: https://help.ubuntu....y/IptablesHowTo

fail2ban: http://www.fail2ban....x.php/Main_Page

---

Happy hunting !
Dave
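
The ignoreip, findtime and maxretry behaviour described in the post, modelled in Python over sample auth.log lines. This is an added example, not code from the post or from fail2ban itself: the regular expression is a simplified stand-in for the sshd filter, the log lines are constructed, and the names find_bans and is_ignored are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the tutorial: ignoreip, a 10 minute findtime, maxretry of 3.
IGNOREIP = ["127.0.0.1/8"]
FINDTIME, MAXRETRY = 600, 3

# Simplified stand-in for the sshd filter: failed password lines only.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed auth.log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  7 14:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  7 14:00:30 web1 sshd[2102]: Failed password for invalid user admin from 198.51.100.9 port 5222 ssh2
Mar  7 14:01:00 web1 sshd[2103]: Failed password for dave from 127.0.0.1 port 50010 ssh2
Mar  7 14:01:05 web1 sshd[2104]: Failed password for dave from 127.0.0.1 port 50011 ssh2
Mar  7 14:01:09 web1 sshd[2105]: Failed password for dave from 127.0.0.1 port 50012 ssh2
Mar  7 14:03:10 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  7 14:06:00 web1 sshd[2107]: Failed password for invalid user admin from 198.51.100.9 port 5230 ssh2
Mar  7 14:08:45 web1 sshd[2108]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  7 14:12:00 web1 sshd[2109]: Failed password for invalid user test from 198.51.100.9 port 5241 ssh2
"""

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls inside any network listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, year=2015):
    """Return {ip: time of the failure that reaches maxretry within findtime}."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m is None or m.group(2) in bans or is_ignored(m.group(2)):
            continue
        stamp, ip = m.groups()
        # syslog timestamps carry no year, so one is supplied for parsing.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent[ip].append(when)
        # Drop failures that are older than findtime seconds.
        while (when - recent[ip][0]).total_seconds() > findtime:
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry:
            bans[ip] = when
    return bans
```

With the tutorial's values only 203.0.113.5 is banned: 127.0.0.1 is covered by ignoreip, and the three failures from 198.51.100.9 never fall inside a single findtime window.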
