
How to Stop Brute-Force Attacks on Linux with Fail2Ban
In today’s digital landscape, any server connected to the internet is a constant target. Malicious bots and automated scripts relentlessly scan for vulnerabilities, with one of the most common threats being brute-force login attacks. These attacks hammer your services—especially SSH—with endless username and password combinations, hoping to guess their way in. Fortunately, Linux users have a powerful, proactive tool to stop this: Fail2Ban.
This guide will walk you through what Fail2Ban is, why it’s essential for your server’s security, and how to configure it to automatically block malicious actors.
What is Fail2Ban and Why is it Essential?
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It operates by monitoring log files (like /var/log/auth.log or /var/log/secure) for patterns of malicious activity, such as repeated failed login attempts.
When a suspicious IP address exceeds a pre-configured number of failures within a set time, Fail2Ban automatically updates your firewall rules to block that IP for a specific duration. This simple but effective mechanism provides several key benefits:
- Proactive Defense: It stops attackers in their tracks before they can guess your credentials.
- Reduced Server Load: By blocking malicious traffic, it prevents your server’s resources from being wasted on processing bogus login attempts.
- Enhanced Security Posture: It acts as a crucial layer of defense, hardening your server against common automated threats.
Step 1: Installing Fail2Ban
Installation is straightforward on most modern Linux distributions. First, ensure your package lists are up to date, then install the package using your system’s package manager.
For Debian or Ubuntu-based systems:
sudo apt update
sudo apt install fail2ban
For CentOS, RHEL, or Fedora systems:
sudo dnf install fail2ban
Once installed, the Fail2Ban service should start automatically. The following command starts it if it is not already running and enables it to start on boot:
sudo systemctl enable --now fail2ban
Step 2: Creating a Local Configuration File
The default configuration for Fail2Ban is stored in /etc/fail2ban/jail.conf. However, you should never edit this file directly, as it can be overwritten during package updates. Instead, you’ll create a local copy where you can safely place your custom settings.
Create your local configuration file by copying the original:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Fail2Ban reads .conf files first and then overrides them with settings from the corresponding .local files. This ensures your custom configurations are always preserved.
Step 3: Configuring Your Jails
Now, open your new jail.local file with a text editor like nano or vim:
sudo nano /etc/fail2ban/jail.local
Inside this file, you’ll find settings under a [DEFAULT] section and specific sections for various services called “jails” (e.g., [sshd], [apache-auth]). The [DEFAULT] section contains global settings that apply to all jails unless overridden.
Here are the most important parameters to configure:
- ignoreip: This is a crucial setting. Add your own IP address here to prevent accidentally locking yourself out of your server. You can add multiple IPs separated by spaces.
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
- bantime: This determines how long an IP address is banned. The value can be in seconds or use shorthand like 1h for one hour or 1d for one day. A longer ban time like 24h is often a good starting point.
- findtime: This is the window of time during which failed attempts are counted. For example, if findtime is 10m (10 minutes), Fail2Ban will look at logs from the last 10 minutes.
- maxretry: This is the number of failed attempts an IP can make within the findtime window before being banned. A value of 3 to 5 is typically recommended.
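To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added simulation (written for this article, not Fail2Ban's own code) that replays constructed auth.log lines through those rules. The sshd regex, the sample log and the function names are simplifications assumed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:00:10 host sshd[1004]: Accepted publickey for alice from 192.168.1.100 port 50100 ssh2
Mar  3 10:01:00 host sshd[1005]: Failed password for alice from 192.168.1.100 port 50101 ssh2
Mar  3 10:01:10 host sshd[1006]: Failed password for alice from 192.168.1.100 port 50102 ssh2
Mar  3 10:01:20 host sshd[1007]: Failed password for alice from 192.168.1.100 port 50103 ssh2
Mar  3 10:05:00 host sshd[1008]: Failed password for bob from 198.51.100.9 port 50200 ssh2
Mar  3 10:20:00 host sshd[1009]: Failed password for bob from 198.51.100.9 port 50201 ssh2
Mar  3 10:35:00 host sshd[1010]: Failed password for bob from 198.51.100.9 port 50202 ssh2
"""
IGNOREIP = "127.0.0.1/8 ::1 192.168.1.100"  # same value as the article's example
# Simplified stand-in for the stock sshd filter's "Failed password" regex.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def simulate_jail(lines, year, findtime, maxretry, bantime, ignoreip):
    """Replay log lines through the jail rules; returns {ip: ban time}. findtime/bantime are seconds, as in jail.local."""
    nets = [ip_network(n, strict=False) for n in ignoreip.split()]
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    attempts = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # only failure lines count; successes are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in n for n in nets):
            continue  # ignoreip: never ban these addresses
        if ip in banned and ts < banned[ip] + ban_len:
            continue  # still banned; the firewall rule would drop this
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
            q.clear()
    return banned

def demo():  # the article's suggested settings: findtime 10m, maxretry 3, bantime 24h
    return simulate_jail(SAMPLE_LOG.splitlines(), 2024, 600, 3, 86400, IGNOREIP)
```

Running demo() bans only 203.0.113.7: 192.168.1.100 is protected by ignoreip, and 198.51.100.9 spreads its three failures over 30 minutes, so a 10-minute findtime never sees three of them at once.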
Enabling the SSH Jail
Protecting SSH is the most common use case for Fail2Ban. Scroll down to the [sshd] section in your jail.local file. To activate it, you simply need to ensure it is enabled.
Find the [sshd] block and add or uncomment the enabled line:
[sshd]
enabled = true
port = ssh
# You can add overrides here if you want different settings than the [DEFAULT]
# For example:
# maxretry = 3
# bantime = 1d
After making your changes, save the file and exit the editor. For the new configuration to take effect, you must restart the Fail2Ban service:
sudo systemctl restart fail2ban
Step 4: Monitoring and Managing Fail2Ban
Once Fail2Ban is running, you can use the fail2ban-client command to monitor its activity.
To check the status of a specific jail (like the SSH jail), use:
sudo fail2ban-client status sshd
This command will show you a list of all IP addresses that are currently banned by that jail.
If you ever need to manually remove a ban (for instance, if you accidentally locked out a legitimate user), you can use the unbanip command:
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
Replace <IP_ADDRESS> with the actual IP you want to unban.
Final Security Tips
- Explore Other Jails: Fail2Ban comes with pre-configured jails for many other services like Apache, Nginx, Postfix, and more. Review the jail.local file to see which ones apply to your server and enable them as needed.
- Set Up Email Alerts: For added security, you can configure Fail2Ban to send you an email notification whenever an IP is banned. You’ll need to set the destemail and sender addresses in the [DEFAULT] section and change the action to one that includes mail notifications, like action = %(action_mw)s.
- Regularly Check Logs: While Fail2Ban is an excellent automated tool, it’s still wise to periodically review your authentication logs to understand the types of attacks your server is facing.
By implementing Fail2Ban, you are taking a simple yet highly effective step to secure your Linux server. It works quietly in the background, serving as a vigilant guardian against the constant barrage of automated brute-force attacks.
Source: https://infotechys.com/enable-fail2ban-to-block-failed-login-attempts/