How Fail2Ban Can Safeguard Your Server from Brute Force Attacks

Securing a Linux server is crucial to protect it from unauthorized access and attacks. Fail2Ban is a powerful tool that can help you achieve this. In this article, we'll explore what Fail2Ban is, how it works, and how to set it up on your server.


What is Fail2Ban?


Fail2Ban is a powerful open-source tool that helps protect your server from brute force attacks. It monitors log files for suspicious activity and temporarily bans IP addresses that exhibit malicious behavior, such as repeated failed login attempts.


How Does Fail2Ban Work?


  1. Monitoring Logs: Fail2Ban continuously scans log files such as /var/log/auth.log for authentication failures and other suspicious entries.
  2. Detection: When it detects a pattern that matches a predefined rule, such as several failed SSH login attempts from the same IP address within a short time window, it triggers an action.
  3. Banning: The action usually bans the offending IP address by adding a firewall rule, preventing further access from that IP for a specified period.


How to Install and Set Up Fail2Ban


  1. Update your package list: sudo apt-get update
  2. Install dependencies: sudo apt-get install -y git python3 systemctl
  3. Clone the Fail2Ban GitHub repository: git clone https://github.com/fail2ban/fail2ban.git
  4. Navigate to the Fail2Ban directory: cd fail2ban
  5. Install it: sudo python setup.py install


Configuring Fail2Ban


Fail2Ban configuration files are located in /etc/fail2ban. The main configuration file is jail.conf, but it's recommended to create a local copy called jail.local to avoid overwriting changes during updates.

  1. Create a local configuration file: sudo nano /etc/fail2ban/jail.local
  2. Copy the configuration below, or create your own:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 300

  3. Save and exit.
  4. Enable the Fail2Ban service: sudo systemctl enable fail2ban.service
  5. Start the Fail2Ban service: sudo systemctl start fail2ban.service
  6. Restart the Fail2Ban service: sudo systemctl restart fail2ban
  7. Check the Fail2Ban service status: sudo systemctl status fail2ban.service
  8. Check which IPs are currently banned by the sshd jail: sudo fail2ban-client status sshd
  9. Unban an IP: sudo fail2ban-client set sshd unbanip YOUR_IP
  10. Check the fail2ban-client version: fail2ban-client version


Description of the Configuration


enabled = true

This indicates that the [sshd] section is enabled, meaning this configuration will apply to the SSH daemon (sshd).

port = ssh

This specifies the port on which sshd is listening. In this case, it uses the default SSH port, which is port 22.

filter = sshd

Refers to the filter configuration file that fail2ban uses to parse the logs and find matching patterns. Here it refers to /etc/fail2ban/filter.d/sshd.conf.

logpath = /var/log/auth.log

Specifies the path to the SSH authentication log file. This is where fail2ban looks for failed authentication attempts and other relevant entries.

maxretry = 3

Sets the number of failures (maxretry) allowed before fail2ban takes action. If an IP address fails authentication maxretry times within findtime seconds, it is banned.

findtime = 300

Defines the time window in seconds (findtime) during which fail2ban counts failed authentication attempts against the maxretry limit.

bantime = 3600

Specifies the duration in seconds (bantime) for which an IP address is banned once it reaches maxretry failures within findtime.
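To make the interaction of maxretry, findtime and bantime concrete (both for the "How Does Fail2Ban Work?" steps above and for the parameter descriptions just given), here is an added example that replays sshd log lines through the same decision logic the sshd jail applies. It is illustrative code written for this article, not Fail2Ban's own implementation: the regular expression is a deliberately small subset of the real /etc/fail2ban/filter.d/sshd.conf filter, the log lines are constructed sample data in /var/log/auth.log format, the year 2024 is assumed because syslog timestamps carry none, and the function names are my own.

```python
"""Replay of Fail2Ban's maxretry / findtime / bantime decision over sshd log lines.

Added example, not Fail2Ban's own code: an IP that produces `maxretry` failures
inside a `findtime` window is banned for `bantime` seconds; failures arriving
while the IP is banned are ignored, as the firewall would drop them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic sshd failure message. Fail2Ban's real sshd filter
# covers many more message variants; this is a teaching subset.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:20 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:45 host sshd[103]: Accepted publickey for deploy from 198.51.100.9 port 50000 ssh2
Mar  3 10:01:10 host sshd[104]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:01:30 host sshd[105]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:02:00 host sshd[106]: Failed password for bob from 198.51.100.9 port 50001 ssh2
Mar  3 10:30:00 host sshd[107]: Failed password for bob from 198.51.100.9 port 50002 ssh2
Mar  3 11:00:00 host sshd[108]: Failed password for bob from 198.51.100.9 port 50003 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> float:
    """Convert a syslog timestamp (no year) to epoch seconds; the year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def simulate_jail(log_text: str, maxretry: int = 3, findtime: int = 300,
                  bantime: int = 300) -> dict:
    """Return {ip: [(ban_start, ban_end), ...]} for every IP that got banned."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    bans = defaultdict(list)        # ip -> list of (start, end) ban intervals
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # "Accepted ..." and unrelated lines never count
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if bans[ip] and bans[ip][-1][1] > now:
            continue                # IP is currently banned; the firewall drops it
        window = failures[ip]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip].append((now, now + bantime))
            window.clear()
    return {ip: intervals for ip, intervals in bans.items() if intervals}


if __name__ == "__main__":
    for ip, intervals in simulate_jail(SAMPLE_LOG).items():
        for start, end in intervals:
            print(f"{ip} banned at {datetime.fromtimestamp(start):%H:%M:%S} "
                  f"for {int(end - start)}s")
```

With the article's settings (maxretry = 3, findtime = 300), 203.0.113.5 is banned at its third failure (10:01:10) for 300 seconds and its fourth attempt is never counted, while 198.51.100.9 is never banned because its three failures are spread over an hour. Re-running with findtime=3600 bans the second host too, which is exactly the trade-off findtime controls: a longer window catches slow, patient guessing at the cost of more false positives from users who genuinely mistype their password now and then.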


If you have any query, drop a comment; I am happy to help you. Aman Reddy

Shubham Sarode

Javascript| Typescript | HTML5 | CSS3 | Node JS

7 months

Good Information
