Atlantic.Net Blog

How to Protect Apache and SSH With Fail2Ban on CentOS 8

Hitesh Jethva
by Atlantic.Net (52 posts) under VPS Hosting

If you’re a system administrator, protecting your server from different kinds of attacks is an essential part of your job, and Fail2Ban can help you do it. Fail2Ban is an intrusion prevention system written in Python that blocks malicious IPs trying to breach your system security. It works by scanning various log files and banning, for a specified bantime, the IPs that make frequent failed login attempts. It also allows you to monitor the strength and frequency of attacks. Due to its simplicity, it is considered the preferred software to secure your server from DoS, DDoS, and brute-force attacks.

In this tutorial, we will show you how to secure an SSH and Apache server with Fail2Ban on CentOS 8.

Prerequisites

  • A fresh CentOS 8 VPS on the Atlantic.Net Cloud Platform.
  • A root password configured on your server.

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing CentOS 8 as the operating system with at least 1GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged into your CentOS 8 server, run the following command to update your base system with the latest available packages.

dnf update -y

Step 2 – Install Fail2Ban

By default, Fail2Ban is not available in the CentOS 8 default repository, so you will need to install the EPEL repository in your system.

You can install it with the following command:

dnf install epel-release -y

After installing the EPEL repository, you can install Fail2Ban with the following command:

dnf install fail2ban -y

Once installed, start the Fail2Ban service and enable it to start after system reboot:

systemctl start fail2ban
systemctl enable fail2ban

Step 3 – Secure SSH with Fail2Ban

In this section, we will learn how to secure the SSH server with Fail2Ban.

Configure Fail2Ban for SSH

By default, all pre-set jails are defined in the /etc/fail2ban/jail.conf file. You should not edit jail.conf directly, because a package update can overwrite it. Instead, put the settings for each service that you want to configure in a separate jail.local file, which overrides the defaults.

You can create a jail.local file for SSH with the following command:

nano /etc/fail2ban/jail.local

Add the following lines:

[DEFAULT]
ignoreip = your-server-ip
bantime = 300
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd

[sshd]
enabled = true

Save and close the file when you are finished. Then, restart the Fail2Ban service to apply the changes:

systemctl restart fail2ban

You can now check the status of SSH jail with the following command:

fail2ban-client status

You should see that an SSH jail is enabled:

Status
|- Number of jail:        1
`- Jail list:        sshd

A brief explanation of each parameter is shown below:

  • ignoreip: The IP addresses that Fail2Ban will never ban.
  • bantime: The number of seconds an IP address stays banned.
  • findtime: The time window, in seconds, in which failed attempts are counted; an IP that reaches maxretry failures within this window is banned.
  • maxretry: The number of failed attempts allowed before the IP address is banned.
  • banaction: The action used to ban an IP address; iptables-multiport blocks it with iptables rules on the jail's ports.
  • backend: The source Fail2Ban reads log entries from; systemd reads them from the systemd journal.
  • enabled: This option enables the protection for the SSH service.

Test SSH Against Password Attacks

At this point, Fail2Ban is installed and configured. It’s time to test whether it is working or not.

To do so, go to the remote machine and try to SSH to the server IP address:

ssh root@your-server-ip

You will be asked to provide the root password. Type the wrong password again and again. Once you reach the login attempt limit, your IP address will be blocked.

You can verify your blocked IP address with the following command:

fail2ban-client status sshd

You should see your blocked IP in the following output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:   7
|  |- Total failed:          39
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:        2
   `- Banned IP list:     190.8.80.42

You can also check the SSH log for failed logins:

grep 'Failed password' /var/log/secure | tail -5

You should see the following output:

Mar  1 03:55:03 centos8 sshd[11196]: Failed password for invalid user bpadmin from 190.8.80.42 port 55738 ssh2
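
To see how findtime, maxretry and ignoreip decide which of these log entries lead to a ban, the following added example (not part of the original tutorial and not Fail2Ban's own code) replays constructed /var/log/secure lines through a simplified model of the sshd jail. The sample addresses, the year argument and the would_ban function are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the [DEFAULT] section of jail.local in this tutorial.
FINDTIME, MAXRETRY = 300, 3
IGNOREIP = frozenset({"198.51.100.7"})  # constructed stand-in for your-server-ip

# Constructed sample lines in the /var/log/secure format shown above.
SAMPLE_LOG = """\
Mar  1 03:55:03 centos8 sshd[11196]: Failed password for invalid user bpadmin from 203.0.113.10 port 55738 ssh2
Mar  1 03:55:09 centos8 sshd[11198]: Failed password for root from 203.0.113.10 port 55740 ssh2
Mar  1 03:55:15 centos8 sshd[11201]: Failed password for root from 203.0.113.10 port 55744 ssh2
Mar  1 03:56:00 centos8 sshd[11210]: Failed password for root from 203.0.113.20 port 40100 ssh2
Mar  1 04:02:30 centos8 sshd[11222]: Failed password for root from 203.0.113.20 port 40102 ssh2
Mar  1 04:09:00 centos8 sshd[11230]: Failed password for root from 203.0.113.20 port 40104 ssh2
Mar  1 04:10:00 centos8 sshd[11240]: Failed password for root from 198.51.100.7 port 50000 ssh2
Mar  1 04:10:02 centos8 sshd[11242]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar  1 04:10:04 centos8 sshd[11244]: Failed password for root from 198.51.100.7 port 50004 ssh2
"""

# Simplified pattern, not Fail2Ban's sshd filter. The address is taken from the
# end of the line, so text inside the user name cannot be read as the source IP.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$")

def would_ban(log_text, findtime=FINDTIME, maxretry=MAXRETRY,
              ignoreip=IGNOREIP, year=2020):
    """Return {ip: time of the failure that completes maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m.group(2) in ignoreip or m.group(2) in bans:
            continue  # not a failure, an ignored address, or already banned
        stamp, ip = m.groups()
        # Syslog timestamps carry no year, so one is assumed (hypothetical argument).
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent[ip].append(when)
        while (when - recent[ip][0]).total_seconds() > findtime:
            recent[ip].popleft()  # failures older than findtime no longer count
        if len(recent[ip]) >= maxretry:
            bans[ip] = when
    return bans

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%b %d %H:%M:%S}")
```

With the tutorial's settings only 203.0.113.10 is reported. The failures from 203.0.113.20 are more than findtime apart, so calling would_ban with findtime=400 and maxretry=2 is what it takes to count them together.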

You can also block and unblock a specific IP address manually.

For example, to unblock the IP 190.8.80.42, run the following command:

fail2ban-client set sshd unbanip 190.8.80.42

To block the IP 190.8.80.42, run the following command:

fail2ban-client set sshd banip 190.8.80.42

Step 4 – Secure Apache with Fail2Ban

You can also secure the Apache web server from different kinds of attacks. To do so, edit the jail.local file again and add the Apache jails as shown below:

nano /etc/fail2ban/jail.local

Add the following lines at the end of the file:

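# Apache writes to log files, not the systemd journal, so these jails
# override the "backend = systemd" default set in [DEFAULT] above;
# logpath is not used with the systemd backend.
[apache-auth]
enabled = true
backend = auto
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
backend = auto
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
backend = auto
port    = http,https
logpath = %(apache_error_log)s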

Save and close the file when you are finished. Then, restart the Fail2Ban service to implement the changes:

systemctl restart fail2ban

You can now verify the status of all jails with the following command:

fail2ban-client status

You should see the following output:

Status
|- Number of jail:        5
`- Jail list:        apache-auth, apache-badbots, apache-noscript, sshd

A brief explanation of each jail is shown below:

  • apache-auth: This jail is used to protect Apache from failed login attempts.
  • apache-badbots: This jail is used to ban hosts whose user agent identifies them as spammer robots crawling the web for email addresses.
  • apache-noscript: This jail is used to block IPs that search the website for scripts to execute.

Conclusion

In the above tutorial, we learned how to protect SSH and Apache servers with Fail2Ban. It is a very useful intrusion prevention system that adds extra security to your Linux system. You are now able to configure Fail2Ban to suit your specific security needs. Get started with Fail2Ban today with VPS Hosting from Atlantic.Net!
