Fail2Ban is open-source intrusion prevention software that protects a Linux system from brute-force and similar log-visible attacks. It is written in Python and watches service log files (or the systemd journal) for patterns that indicate malicious activity, such as repeated failed logins. When the number of matches from one source address reaches a configured threshold within a time window, Fail2Ban adds a firewall rule (iptables, nftables or firewalld, depending on the configured ban action) that blocks that address for a set period.

This post will show you how to secure an SSH server with Fail2Ban on Linux.

Step 1 – Update Linux Server

Once logged in to your Linux server, refresh the package index and install any pending updates. On Debian and Ubuntu, apt-get update only refreshes the index, so the upgrade step is what actually installs the packages:

apt-get update && apt-get upgrade -y

On RHEL-family systems and Fedora, a single command does both:

dnf update -y

Step 2 – Install Fail2Ban

Fail2Ban is packaged by all major Linux distributions, although on RHEL-family systems it is provided by the EPEL repository rather than the base repositories.

To install Fail2Ban on Ubuntu and Debian, run the following command:

apt-get install fail2ban -y

To install Fail2Ban on CentOS Stream, RHEL and their rebuilds, enable the EPEL repository first and then install the package. Fedora ships fail2ban in its own repositories, so the epel-release step is not needed there:

dnf install epel-release -y
dnf install fail2ban -y

Once Fail2Ban is installed, start the Fail2Ban service and enable it so that it starts again after a reboot:

systemctl start fail2ban
systemctl enable fail2ban

Step 3 – Configure Fail2Ban

Fail2Ban's main configuration file is /etc/fail2ban/jail.conf. It holds the shipped defaults and is overwritten on package upgrades, so do not edit it directly. Put your overrides in a new file named jail.local in /etc/fail2ban/ (or in a file under /etc/fail2ban/jail.d/); Fail2Ban reads these after jail.conf and their settings take precedence.

Next, create a new configuration file using your favorite editor:

nano /etc/fail2ban/jail.local

Add the following lines. The logpath shown is the Debian/Ubuntu location; on RHEL-family systems the SSH log is /var/log/secure, and on systems that log only to the journal (for example Debian 12 without rsyslog) replace the logpath line with backend = systemd. Replace whitelist-ip with your own management address or CIDR range:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 300
ignoreip = 127.0.0.1/8 ::1 whitelist-ip

Save and close the file. Check the configuration for errors with fail2ban-client -t, then restart the Fail2Ban service (or run fail2ban-client reload) to apply the changes:

systemctl restart fail2ban

Where:

  • port is the port (a name from /etc/services or a number) that the ban action blocks. If sshd listens on a non-standard port, set it here; otherwise the firewall rule blocks the wrong port and the attacker is not stopped.
  • logpath is the log file the sshd filter reads; it must be the file that actually receives sshd's messages.
  • maxretry is the number of matching failures from one address that triggers a ban. Failures are counted within findtime (10 minutes unless you set it), so the settings above ban after 3 failures in 10 minutes.
  • bantime is how long, in seconds, the address stays blocked. 300 is short and convenient for testing; raise it for production, or use a negative value for a permanent ban.
  • ignoreip is a space- or comma-separated list of addresses or CIDR ranges that are never banned. Add your own management address so that a mistyped password cannot lock you out.
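To make the interaction of maxretry, findtime, bantime and ignoreip concrete, here is a small model of a jail that replays a constructed auth.log excerpt. It is an added illustration, not Fail2Ban's own code: the FAILREGEX is a simplified stand-in for one pattern in filter.d/sshd.conf, the log lines and addresses (203.0.113.7 as the attacker, 192.168.1.20 as an admin on the LAN) are made up, and the year is assumed because syslog timestamps do not carry one.

```python
"""Toy model of a Fail2Ban jail: count matching log lines per source address,
ban when maxretry failures fall inside findtime, honour ignoreip, and lift the
ban after bantime. Added illustration, not Fail2Ban's own code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for one of the patterns in filter.d/sshd.conf. The real
# filter matches many more sshd messages; this one covers password failures.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt. 203.0.113.7 is an attacker, 192.168.1.20 is an
# admin on the LAN who mistypes a password three times in a row.
SAMPLE_AUTH_LOG = """\
Jul 15 10:00:01 host sshd[8012]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 15 10:00:09 host sshd[8012]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul 15 10:00:12 host sshd[8013]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Jul 15 10:00:20 host sshd[8014]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul 15 10:00:30 host sshd[8015]: Failed password for bob from 192.168.1.20 port 50010 ssh2
Jul 15 10:00:31 host sshd[8016]: Failed password for bob from 192.168.1.20 port 50011 ssh2
Jul 15 10:00:32 host sshd[8017]: Failed password for bob from 192.168.1.20 port 50012 ssh2
Jul 15 10:00:40 host sshd[8018]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jul 15 10:06:00 host sshd[8019]: Failed password for root from 203.0.113.7 port 51270 ssh2
"""


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=300, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> failure timestamps inside findtime
        self.bans = {}                        # ip -> time the ban expires
        self.events = []                      # ("ban" | "unban", ip, time)

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, now))

    def feed(self, line, year=2021):
        """Process one log line; return the IP if this line caused a ban."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        # syslog timestamps carry no year, so one is assumed
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        self._expire(now)
        ip = m["ip"]
        # A banned host cannot reach sshd, so later lines from it are not
        # counted; a whitelisted host is never counted.
        if self._ignored(ip) or ip in self.bans:
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # drop failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            self.events.append(("ban", ip, now))
            return ip
        return None

    def banned(self):
        return sorted(self.bans)


def run(log_text, **jail_settings):
    """Replay a log excerpt through a fresh jail and return the jail."""
    jail = Jail(**jail_settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = run(SAMPLE_AUTH_LOG, maxretry=3, findtime=600, bantime=300,
               ignoreip=("127.0.0.1/8", "192.168.1.0/24"))
    for kind, ip, when in jail.events:
        print(f"{when:%H:%M:%S} {kind:>5} {ip}")
    print("still banned:", jail.banned())
```

With the settings from the jail above, the attacker is banned at its third failure (10:00:20), its line at 10:00:40 is not counted because the firewall would already be dropping it, and the ban has lapsed by 10:06:00 because bantime is only 300 seconds. The admin on 192.168.1.20 is never touched while 192.168.1.0/24 is in ignoreip; drop that entry and the same three mistypes ban the LAN host as well. Shrinking findtime to 5 seconds shows the other side: the attacker's slow, spaced-out attempts never reach maxretry inside the window, which is why a short findtime weakens the protection.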

Step 4 – Monitor Fail2Ban Status

Fail2Ban comes with a command-line utility named fail2ban-client that is used to monitor the Fail2Ban status.

To check the status of the sshd jail, run the following command:

fail2ban-client status sshd

You should see the filter's match counters and the list of addresses currently banned by the jail:

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	10
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:	1
   `- Banned IP list:	45.58.44.186

To check the status of all active jails, run the following command:

fail2ban-client status

Sample output:

Status
|- Number of jail:	3
`- Jail list:	proftpd, sshd, apache2

You can also follow the Fail2Ban log, which records every filter match (Found) and every ban and unban the actions perform:

tail -f /var/log/fail2ban.log

Sample output:

2021-07-15 10:02:13,084 fail2ban.filter         [8012]: INFO    [sshd] Found 45.58.44.186 - 2021-07-15 10:02:13
2021-07-15 10:02:33,085 fail2ban.filter         [8012]: INFO    [sshd] Found 45.58.44.186 - 2021-07-15 10:02:33
2021-07-15 10:02:33,117 fail2ban.actions        [8013]: NOTICE  [sshd] Ban 45.58.44.186
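The Found/Ban/Unban lines above are regular enough to summarise from a script, which is useful when reviewing a busy server: how often each address was matched, how often it was banned, and which addresses keep coming back after a ban expires. The following is an added example, not part of Fail2Ban; the log excerpt is constructed (203.0.113.7 and 198.51.100.9 are documentation addresses), and the LOG_RE pattern assumes the default fail2ban.log line layout shown on this page.

```python
"""Summarise a fail2ban.log excerpt: matches seen, bans issued and repeat
offenders per jail. Added illustration, not Fail2Ban's own tooling."""
import re
from collections import Counter

# fail2ban.log line layout assumed here:
# "<date> <time>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <Action> <ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ +fail2ban\.\w+ +\[\d+\]: +"
    r"(?P<level>[A-Z]+) +\[(?P<jail>[^\]]+)\] +(?P<action>Found|Ban|Unban) +(?P<ip>\S+)"
)

# Constructed excerpt: one host is found three times, banned, released after
# bantime and comes straight back; a second jail sees an unrelated host.
SAMPLE_FAIL2BAN_LOG = """\
2021-07-15 10:02:13,084 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:13
2021-07-15 10:02:20,102 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:20
2021-07-15 10:02:33,085 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:02:33
2021-07-15 10:02:33,117 fail2ban.actions        [8013]: NOTICE  [sshd] Ban 203.0.113.7
2021-07-15 10:03:00,000 fail2ban.jail           [8012]: INFO    Jail 'apache-auth' started
2021-07-15 10:07:33,201 fail2ban.actions        [8013]: NOTICE  [sshd] Unban 203.0.113.7
2021-07-15 10:09:01,010 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:09:01
2021-07-15 10:09:15,020 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:09:15
2021-07-15 10:09:40,290 fail2ban.filter         [8012]: INFO    [sshd] Found 203.0.113.7 - 2021-07-15 10:09:40
2021-07-15 10:09:40,300 fail2ban.actions        [8013]: NOTICE  [sshd] Ban 203.0.113.7
2021-07-15 10:10:00,000 fail2ban.filter         [8012]: INFO    [apache-auth] Found 198.51.100.9 - 2021-07-15 10:10:00
"""


def parse(text):
    """Return (jail, action, ip, timestamp) tuples for Found/Ban/Unban lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:                                   # startup and config lines are skipped
            events.append((m["jail"], m["action"], m["ip"], m["ts"]))
    return events


def summarize(events, repeat_threshold=2):
    """Count Found and Ban events per (jail, ip) and flag addresses banned repeatedly."""
    found = Counter()
    bans = Counter()
    last_ban = {}
    for jail, action, ip, ts in events:
        key = (jail, ip)
        if action == "Found":
            found[key] += 1
        elif action == "Ban":
            bans[key] += 1
            last_ban[key] = ts
    repeat = sorted(key for key, n in bans.items() if n >= repeat_threshold)
    return {"found": dict(found), "bans": dict(bans), "last_ban": last_ban,
            "repeat_offenders": repeat}


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_FAIL2BAN_LOG))
    for (jail, ip), n in sorted(report["found"].items()):
        print(f"{jail:12} {ip:16} found={n} bans={report['bans'].get((jail, ip), 0)}")
    print("repeat offenders:", report["repeat_offenders"])
```

Addresses that show up in repeat_offenders are the ones a short bantime keeps releasing. Fail2Ban ships a recidive jail (filter.d/recidive.conf) that reads fail2ban.log itself and re-bans such hosts for a much longer period; enabling it is the usual answer to what this report surfaces.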

Step 5 – Ban and Unban Remote IPs with Fail2Ban

Fail2Ban also lets you ban and unban addresses manually from the command line. A manual ban goes through the jail's normal ban action and is lifted after the jail's bantime, just like an automatic one.

To unban a blocked IP (replace remote-ip with the address), run the following command:

fail2ban-client set sshd unbanip remote-ip

To ban an untrusted IP ahead of time, run the following command:

fail2ban-client set sshd banip remote-ip

Conclusion

In this guide, we explained how to secure an SSH server with Fail2Ban on Linux. You can now create further jails to protect other services such as Apache, FTP and WordPress.