Fail2ban is an open-source intrusion prevention tool used to add firewall rules to reject IP addresses for a specified amount of time. It is written in Python and designed to protect servers from brute-force attacks. Fail2ban continuously monitors the system logs for any malicious activity and scans files for any entries matching identified patterns. If any matching pattern is found, then Fail2ban blocks the destination IP for a specified amount of time.
In this post, we will show you how to install Fail2ban to protect the SSH server on Fedora.
- A server running Fedora 34 on the Atlantic.Net Cloud Platform
- A root password is configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Fedora 34 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your server, run the following command to update your base system with the latest available packages.
dnf update -y
Step 2 – Install Fail2ban
By default, Fail2ban is included in the Fedora default repository. You can install it by running the following command.
dnf install fail2ban -y
Once the Fail2ban is installed, start and enable the Fail2ban service using the following command.
systemctl start fail2ban systemctl enable fail2ban
Step 3 – Configure Fail2ban
Next, you will need to create a Fail2ban configuration file for SSH service. You can create it with the following command.
Add the following lines.
[DEFAULT] ignoreip = your-server-ip bantime = 300 findtime = 300 maxretry = 3 banaction = iptables-multiport backend = systemd [sshd] enabled = true
Save and close the file, then restart the Fail2ban to apply the changes.
systemctl restart fail2ban
You can also check the status of Fail2ban with the following command.
systemctl status fail2ban
● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2023-06-24 03:55:11 EDT; 7s ago Docs: man:fail2ban(1) Process: 12514 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 12515 (fail2ban-server) Tasks: 5 (limit: 9497) Memory: 11.4M CPU: 257ms CGroup: /system.slice/fail2ban.service └─12515 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start Jun 24 03:55:11 fedora systemd: Starting Fail2Ban Service... Jun 24 03:55:11 fedora systemd: Started Fail2Ban Service. Jun 24 03:55:11 fedora fail2ban-server: Server ready
Step 4 – Verify Fail2ban
At this point, Fail2ban is installed and configured to protect your SSH server. Now, it’s time to verify it.
First, check the added SSH service using the following command.
Status |- Number of jail: 1 `- Jail list: sshd
Try to connect your SSH server from any remote machine with an incorrect password three times.
After three failed attempts you are blocked from authentication for five minutes.
Now, run the following command on your SSH server to check the IP address blocked by Fail2ban.
fail2ban-client status sshd
You will see the following output.
Status for the jail: sshd |- Filter | |- Currently failed: 3 | |- Total failed: 12 | `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 22.214.171.124
You can also check the log file to see the blocked IP.
tail -5 /var/log/secure | grep 'Failed password'
June 24 03:15:03 fedora sshd: Failed password for invalid user root from 126.96.36.199 port 55738 ssh2
If you want to unblock the blocked IP address, run the following command.
fail2ban-client set sshd unbanip 188.8.131.52
You can also block this IP again using the following command.
fail2ban-client set sshd banip 184.108.40.206
In this post, we explained how to secure an SSH server with Fail2ban on Fedora. We also showed you how to monitor Fail2ban via the command line. You can now use Fail2ban to help protect your server against DDoS attacks; try implementing Fail2ban on dedicated server hosting from Atlantic.Net!