Fail2ban is a powerful, free, open-source firewall service that is used to stop brute-force login attempts from the remote system. It is simple and lightweight, providing different filters to monitor Apache, SSH, and other programs for suspicious activity. It runs in the background and monitors the logs of different services and blocks clients that repeatedly fail authentication checks. Fail2Ban protects your Linux server against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.
In this post, we will show you how to install the Fail2Ban firewall on Arch Linux.
In This Article
Step 1 – Configure Repository
By default, the default repository is outdated in Arch Linux, so you will need to modify the default mirror list. You can do it by editing the mirrorlist configuration file:
Remove all lines and add the following lines:
## Score: 0.7, United States Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch ## Score: 0.8, United States Server = http://lug.mtu.edu/archlinux/$repo/os/$arch Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch ## Score: 0.9, United Kingdom Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch ## Score: 1.5, United Kingdom Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch ## Score: 6.6, United States Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch ## Score: 6.7, United States Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch ## Score: 6.8, United States Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch ## Score: 7.1, India Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch ## Score: 10.1, United States Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch
Save and close the file, then update all the package indexes with the following command:
Step 2 – Install Fail2Ban Firewall
By default, the Fail2Ban package is available in the Arch Linux default repository. You can install it using the following command.
pacman -S fail2ban
After installing the Fail2Ban package, start the Fail2Ban service and enable it to start at system reboot.
systemctl start fail2ban systemctl enable fail2ban
Step 3 – Secure SSH with Fail2Ban
SSH is one of the most popular protocols used to manage the remote server via the command line, so the SSH service is always vulnerable to brute-force login attacks. In this section, we will show you how to protect SSH with Fail2Ban. Fail2Ban default configuration file located at /etc/fail2ban/jail.conf. It is always recommended to create a new Fail2Ban configuration file.
Add the following lines:
[sshd] enabled = true port = ssh filter = sshd logpath = %(sshd_log)s backend = %(sshd_backend)s maxretry = 3 bantime = 300 ignoreip = 127.0.0.1
Save and close the file, then restart the SSH service to apply the changes.
systemctl restart fail2ban
Step 4 – Verify Fail2Ban
At this point, Fail2Ban is installed and configured to secure the SSH server against brute-force login attacks. You can now monitor your Fail2Ban using the fail2ban-client tool.
To check the status of the SSH jail, run the following command.
fail2ban-client status sshd
You should see the list of all IPs blocked by Fail2Ban in the following output:
Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 8 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 18.104.22.168
To check the status of all jails, run the following command.
You will get the following output.
Status |- Number of jail: 1 `- Jail list: sshd
You can also check the Fail2Ban log for more information:
tail -f /var/log/fail2ban.log
You should see the following output.
2023-01-31 05:03:53,142 fail2ban.filter : INFO [sshd] Found 22.214.171.124 - 2023-01-31 05:03:52 2023-01-31 05:04:03,144 fail2ban.filter : INFO [sshd] Found 126.96.36.199 - 2023-01-31 05:04:02 2023-01-31 05:04:03,339 fail2ban.actions : NOTICE [sshd] 188.8.131.52 already banned 2023-01-31 05:04:07,686 fail2ban.filter : INFO [sshd] Found 184.108.40.206 - 2023-01-31 05:04:07 2023-01-31 05:04:11,435 fail2ban.filter : INFO [sshd] Found 220.127.116.11 - 2023-01-31 05:04:11
Step 5 – Working with Fail2Ban Command Line
Fail2Ban also allows you to block and unblock remote IPs manually via the command line.
To unblock a blocked IP, run the following command:
fail2ban-client set sshd unbanip remote-ip
If you want to block an untrusted IP, run the following command:
fail2ban-client set sshd banip remote-ip
Congratulations! You have successfully installed and configured the Fail2Ban firewall on Arch Linux. Your server is now protected from brute-force login attempts. You can now install the Fail2Ban on dedicated server hosting from Atlantic.Net!