Protecting SSH with Fail2Ban

About fail2ban
Any server exposed to the Internet is scanned continuously for weaknesses, and an SSH service that accepts password logins draws an endless stream of guessing attempts. That is simply part of running a server, so how do we deal with it? Fail2Ban is an essential tool for server administrators. It watches log files for patterns that indicate abuse (repeated failed logins, for example) and inserts firewall rules that block the offending IP addresses for a configurable time. This guide details how to configure Fail2Ban to protect SSH on a server running CentOS 6 or Debian 7 (Wheezy).


Step One - Installing Packages

On Debian 7, run:

sudo apt-get update && sudo apt-get install fail2ban


On CentOS 6, Fail2Ban is not in the base repositories, so enable EPEL first and then install it:

sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm && sudo yum install fail2ban



Step Two - Configuration

Fail2Ban's shipped configuration is /etc/fail2ban/jail.conf. Do not edit that file directly: the package manager overwrites it on upgrade, silently discarding your changes. Keep a backup of the original, then copy it to /etc/fail2ban/jail.local and edit the copy. Fail2Ban reads jail.local after jail.conf, and any setting in jail.local overrides the same setting in jail.conf.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the local configuration file:

nano /etc/fail2ban/jail.local

The [DEFAULT] section near the top of the file holds the settings this guide changes:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime  = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3



List here every address that must never be banned, separated by single spaces. Include the address you administer the server from: otherwise a few mistyped passwords of your own will lock you out for bantime seconds. Single addresses and CIDR ranges are both accepted, as shown below.


ignoreip = 127.0.0.1 192.73.232.13 2604:0180::/48


Now choose bantime, findtime and maxretry. bantime is how long, in seconds, a banned address stays blocked; 3600 is one hour. findtime is the window over which failures are counted: an address is banned once it produces maxretry failures within findtime seconds, and a failure older than findtime no longer counts towards that total. Raising maxretry or shortening findtime makes the rule more forgiving of genuine typos; raising bantime costs a patient attacker more per guess. These values in [DEFAULT] apply to every jail, and a jail section can override them. Note that a jail for SSH must also be enabled: on Debian 7 the [ssh] jail is enabled by default, whereas on CentOS 6 the [ssh-iptables] jail ships with enabled = false and must be set to true, or Fail2Ban will run without watching SSH at all.
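To make the three settings concrete, here is an added example (not from the original article) that applies the findtime/maxretry rule to constructed sshd log lines and reports which address would be banned. It assumes only POSIX sh and awk, replaces the syslog timestamp with a plain epoch-seconds column (so no date parsing is needed), and does not exercise Fail2Ban itself; the function name would_ban and the sample lines are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: replays constructed sshd log
# lines through the findtime/maxretry rule so the effect of each setting is
# visible. Uses only POSIX sh and awk; it does not call Fail2Ban.

# Constructed sample in the shape sshd writes to auth.log / secure, except that
# the syslog timestamp is replaced by an epoch-seconds column. Addresses are
# from the documentation ranges.
SAMPLE_LOG='1000 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50412 ssh2
1120 host sshd[2312]: Failed password for root from 203.0.113.7 port 50413 ssh2
1500 host sshd[2313]: Failed password for root from 203.0.113.7 port 50414 ssh2
1000 host sshd[2320]: Failed password for root from 198.51.100.9 port 41000 ssh2
1900 host sshd[2321]: Failed password for root from 198.51.100.9 port 41001 ssh2
2800 host sshd[2322]: Failed password for root from 198.51.100.9 port 41002 ssh2
1200 host sshd[2330]: Accepted publickey for deploy from 192.0.2.5 port 39000 ssh2'

# would_ban FINDTIME MAXRETRY   (log lines on stdin)
# Prints "<ip> banned at t=<seconds>" the first time an address reaches
# MAXRETRY failures inside a trailing FINDTIME-second window, which is the
# decision the [DEFAULT] settings express. Successful logins are ignored.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    /Failed password/ {
      t = $1 + 0
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      ts[ip, n[ip]] = t
      # count failures from this address inside the window ending now
      c = 0
      for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) c++
      if (c >= maxretry && !(ip in banned)) {
        banned[ip] = t
        print ip " banned at t=" t
      }
    }'
}

# With the values from the article only the fast attacker trips the rule: the
# slow one spreads three failures over 1800 s, so no 600 s window holds three.
printf '%s\n' "$SAMPLE_LOG" | would_ban 600 3
# Widening findtime to 2000 s catches the slow one as well.
printf '%s\n' "$SAMPLE_LOG" | would_ban 2000 3
```

The real daemon parses syslog timestamps and matches several patterns from filter.d/sshd.conf, of which "Failed password" is only one; this script isolates just the counting rule so the interaction between findtime and maxretry is easy to see.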


Step Three - Restart Fail2Ban
To restart Fail2Ban, run the following command:

sudo service fail2ban restart

Fail2Ban is now running with your settings and will ban addresses that repeatedly fail SSH logins.
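Steps Two and Three together, as an added example that is not part of the original article: a script that writes the settings above into /etc/fail2ban/jail.local, explicitly enables the SSH jail for the distribution in use, restarts Fail2Ban and then checks the jail is actually running. It assumes Fail2Ban 0.8.x as packaged for Debian 7 and CentOS 6 (EPEL), the jail names and log paths those packages use, and that it runs as root; the function names, the APPLY, DISTRO and JAIL_LOCAL variables and the example addresses are the script's own.

```shell
#!/bin/sh
# Added example, not from the original article. Writes the article's settings
# to jail.local (which overrides jail.conf and survives package upgrades),
# enables the SSH jail, restarts Fail2Ban and verifies the jail is running.
# Assumes Fail2Ban 0.8.x on Debian 7 or CentOS 6 (EPEL) and root privileges.
set -e

TRUSTED="127.0.0.1 192.73.232.13 2604:0180::/48"   # the ignoreip example from the article
BANTIME=3600
FINDTIME=600
MAXRETRY=3

# write_jail_local PATH debian|centos
# Debian 7 names the SSH jail [ssh] (enabled by default) and reads
# /var/log/auth.log; EPEL 6 names it [ssh-iptables], ships it disabled, and
# sshd there logs to /var/log/secure. Enabling it explicitly is harmless on
# Debian and required on CentOS. On CentOS the action is also overridden to
# plain iptables so the stock sendmail-whois action does not try to mail
# you@example.com on every ban.
write_jail_local() {
  dest="$1"
  case "$2" in
    debian) jail=ssh;          logpath=/var/log/auth.log; action_line="" ;;
    centos) jail=ssh-iptables; logpath=/var/log/secure
            action_line="action   = iptables[name=SSH, port=ssh, protocol=tcp]" ;;
    *) echo "usage: write_jail_local PATH debian|centos" >&2; return 1 ;;
  esac
  cat > "$dest" <<EOF
[DEFAULT]
ignoreip = $TRUSTED
bantime  = $BANTIME
findtime = $FINDTIME
maxretry = $MAXRETRY

[$jail]
enabled  = true
filter   = sshd
logpath  = $logpath
EOF
  [ -z "$action_line" ] || printf '%s\n' "$action_line" >> "$dest"
}

# apply_and_verify JAIL LOGPATH
# fail2ban-regex dry-runs the sshd filter over the real log; its closing summary
# shows whether any lines matched, which catches a wrong logpath before the
# restart. The final grep fails (and, under set -e, stops the script) if
# Fail2Ban did not insert its iptables chain, i.e. the jail is not running.
apply_and_verify() {
  fail2ban-regex "$2" /etc/fail2ban/filter.d/sshd.conf | tail -n 3
  service fail2ban restart
  fail2ban-client status          # every active jail
  fail2ban-client status "$1"     # counters and currently banned addresses
  iptables -L -n | grep -i fail2ban
}

JAIL_LOCAL="${JAIL_LOCAL:-/etc/fail2ban/jail.local}"
# Only touch the system when asked:  APPLY=1 DISTRO=centos sh fail2ban-ssh.sh
if [ -n "${APPLY:-}" ]; then
  write_jail_local "$JAIL_LOCAL" "${DISTRO:-debian}"
  apply_and_verify "$jail" "$logpath"
fi
```

Run it once with APPLY unset to confirm it parses, then with APPLY=1 and DISTRO set for the server. If fail2ban-client status does not list the SSH jail, the jail is not enabled or jail.local did not parse; /var/log/fail2ban.log says which.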


Written by Gus Naughton
