Never Ending Security


Setup and Configure Fail2Ban on Linux


Fail2Ban

Fail2Ban is an intrusion prevention framework written in Python. It is very effective at reducing dictionary attacks, because it limits the number of attempts allowed against the specific service we enable it for. In this example we will show it with the sshd service only. The standard configuration ships with filters for sshd, Apache, Lighttpd, vsftpd, qmail, Postfix and Courier Mail Server.

Log in as the root user and enter the following command to begin the install.

apt-get install fail2ban

Configurations

Copy the config file “jail.conf” in /etc/fail2ban/ to “jail.local”:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit file jail.local

vi /etc/fail2ban/jail.local

With content,

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 3600
maxretry = 3

Email Notifications

Find the line that says destemail and add your email address.

destemail = ken.vannakk@gmail.com

Choose the default action

Find line,

action = %(action_)s

And change it to:

action = %(action_mw)s

Email action. In this case we use sendmail.

# email action. Since 0.8.1 upstream uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

Enable SSH

Find the ssh section in the same file, and adjust to your need:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Once done, restart to apply these settings.

service fail2ban restart

Let’s try to SSH to this server with incorrect credentials 3 times. We will get one email and cannot SSH to that server for 1 hour with the user we tried.
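To make the ban decision concrete, here is an added example (not fail2ban’s own code and not part of the original post) that replays the jail.local settings above (maxretry = 3, bantime = 3600, ignoreip = 127.0.0.1/8, plus fail2ban’s default findtime of 600 seconds, which the post does not set) over a few constructed /var/log/auth.log lines. The regex is a simplified stand-in for fail2ban’s sshd filter, covering only the common “Failed password” and “Invalid user” lines; the host name, PIDs and addresses in the sample log are made up. One thing it shows that the description above does not: fail2ban counts failures per source IP, so the ban applies to the address the attempts came from regardless of which user names were tried, and failures spread out over longer than findtime never reach maxretry.

```python
"""Simulate the sshd jail's ban decision over constructed auth.log lines.

Added example, not fail2ban's own code. Models how the jail.local values
from the article (maxretry, bantime, ignoreip) and the default findtime turn
repeated failures into a ban keyed on the source IP.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings mirroring the article's jail.local. findtime is fail2ban's
# default (600 s); the article does not set it explicitly.
IGNOREIP = ["127.0.0.1/8"]
BANTIME = 3600
MAXRETRY = 3
FINDTIME = 600

# Simplified stand-in for fail2ban's sshd filter (assumption: only the
# "Failed password" and "Invalid user" line shapes are recognised).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: three different user names from 203.0.113.7 within
# two minutes, three attempts from 198.51.100.9 spread 11 minutes apart,
# three attempts from localhost, and one successful login.
SAMPLE_LOG = """\
Mar 14 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 14 10:00:30 host sshd[2104]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 14 10:01:05 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar 14 10:02:10 host sshd[2103]: Invalid user test from 203.0.113.7
Mar 14 10:03:00 host sshd[2107]: Failed password for root from 127.0.0.1 port 33001 ssh2
Mar 14 10:03:01 host sshd[2108]: Failed password for root from 127.0.0.1 port 33002 ssh2
Mar 14 10:03:02 host sshd[2109]: Failed password for root from 127.0.0.1 port 33003 ssh2
Mar 14 10:05:00 host sshd[2110]: Accepted password for ken from 203.0.113.8 port 50200 ssh2
Mar 14 10:11:30 host sshd[2105]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 14 10:22:30 host sshd[2106]: Failed password for root from 198.51.100.9 port 40003 ssh2
""".splitlines()


def parse_ts(ts, year=2015):
    """syslog timestamps carry no year, so one is assumed for the simulation."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip):
    """True when the address falls inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for sources reaching maxretry failures within findtime."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip) or ip in bans:
            continue  # whitelisted, or already banned
        # sliding window: keep only failures within findtime of this one
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Running it bans only 203.0.113.7 (expiring an hour after its third failure), while 198.51.100.9 never accumulates three failures inside one findtime window and 127.0.0.1 is skipped by ignoreip. On a live host the equivalent check against the real filter is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`.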