Fail2Ban is open-source intrusion prevention software used to protect your Linux system from different kinds of attacks. It is written in Python and works by monitoring the services logs for malicious activity. It scans all services’ log files and counts the number of failed login attempts. Whenever their number reaches a predefined threshold, Fail2ban will add extra IP table rules to block the source IPs.
In this post, we will show you how to secure an SSH server with Fail2Ban on Linux.
- A fresh CentOS, Ubuntu, or Debian server on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing a CentOS, Debian, or Ubuntu as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your Linux server, run the following command to update your base system with the latest available packages.
apt-get update -y
dnf update -y
Step 2 – Install Fail2Ban
By default, Fail2Ban is available in all major Linux distributions.
To install Fail2Ban on Ubuntu and Debian, run the following command:
apt-get install fail2ban -y
To install Fail2Ban on CentOS, RHEL and Fedora, run the following command:
dnf install epel-release -y
dnf install fail2ban -y
Once the Fail2Ban is installed, start the Fail2Ban service and enable it to start at system reboot:
systemctl start fail2ban
systemctl enable fail2ban
Step 3 – Configure Fail2Ban
By default, Fail2Ban’s main configuration file is located at /etc/fail2ban/jail.conf. It is always recommended to create a new configuration file named jail.local in the /etc/fail2ban/ directory.
Next, create a new configuration file using your favorite editor:
Add the following lines:
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 300
ignoreip = 127.0.0.1, whitelist-ip
Save and close the file, then restart the Fail2Ban service to apply the changes:
systemctl restart fail2ban
- port is the SSH port number.
- logpath is the path of the SSH log file.
- bantime is the number of seconds to block the attacker’s IP.
- maxretry is the number of failed login attempts allowed for remote hosts.
- ignoreip is the white list IP addresses.
Step 4 – Monitor Fail2Ban Status
Fail2Ban comes with a command-line utility named fail2ban-client that is used to monitor the Fail2Ban status.
To check the status of the sshd jail, run the following command:
fail2ban-client status sshd
You should see the list of all IPs blocked by Fail2Ban:
Status for the jail: ssh
| |- Currently failed: 1
| |- Total failed: 10
| `- File list: /var/log/auth.log
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 22.214.171.124
To check the status of the all active jail, run the following command:
|- Number of jail: 3
`- Jail list: proftpd, sshd, apache2
You can also check the Fail2Ban log for more information:
tail -f /var/log/fail2ban.log
2021-07-15 10:02:13,084 fail2ban.filter : INFO [ssh] Found 126.96.36.199 - 2021-07-15 10:02:13
2021-07-15 10:02:33,085 fail2ban.filter : INFO [sshd] Found 188.8.131.52 - 2021-07-15 10:02:13
2021-07-15 10:02:33,117 fail2ban.actions : NOTICE [ssh] Ban 184.108.40.206
Step 5 – Ban and Unban Remote IPs with Fail2Ban
Fail2Ban also allows you to ban and unban remote IPs manually.
To unban any blocked IP, run the following command:
fail2ban-client set sshd unbanip remote-ip
If you want to ban any untrusted IP, run the following command:
fail2ban-client set sshd banip remote-ip
In the above guide, we explain how to secure an SSH server using Fail2Ban on Linux. You can now create more jails to protect other services like Apache, FTP, WordPress, and more – try it on dedicated server hosting today!