How to Install and Configure Fail2ban (Linux VPS)

Fail2ban is a useful tool for further server hardening. It is not a replacement for disabling password authentication or changing the server's SSH port. Our guide on best security practices for a Linux server can guide you through those primary best practices.

This guide will cover installing Fail2ban and some initial configurations. Fail2ban will scan log files and ban malicious IP addresses. Fail2ban can then be used to auto-update firewall rules on the server to account for these IP addresses. There are filtering options for several services running on the system, including SSH servers, HTTP servers, FTP servers, Mail servers, and more.

Installation :

CentOS 7

Step 1: First, update the system and install the EPEL repository.

yum update
yum install epel-release

Step 2: Next, install Fail2Ban.

yum install fail2ban

Step 3: Finally, start, then enable Fail2Ban.

systemctl start fail2ban
systemctl enable fail2ban

Ubuntu/Debian

Step 1: First, update the system.

apt-get update
apt-get upgrade -y

Step 2: Next, install Fail2ban.

apt-get install fail2ban

(Ubuntu Only)

Step 3: Finally, you will need to allow SSH access through UFW. Then enable the firewall:

ufw allow ssh
ufw enable

Fedora

Step 1: First, update the system.

dnf update

Step 2: Next, install Fail2ban.

dnf install fail2ban

Step 3: Finally, start, then enable Fail2Ban.

systemctl start fail2ban
systemctl enable fail2ban

Create .local Files:

Step 1: Create a copy of fail2ban.conf named fail2ban.local.

cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

You have now made a copy of the default configuration profile for Fail2ban. Fail2Ban will use the settings in fail2ban.local over the settings in fail2ban.conf, and fail2ban.conf should remain untouched.

Step 2: Create a copy of jail.conf named jail. local.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Similarly, Fail2Ban will use the settings in jail. Local over the settings in jail. Conf, and jail. Conf should remain untouched.

Configure .local File Settings

fail2ban.local: Within fail2ban.local, you have the option to re-define values for the following:

• log-level
  • Value can be:
    • CRITICAL
    • ERROR
    • WARNING
    • INFO
    • DEBUG
      • DEBUG is not recommended – it might cause fail2ban to fall into an infinite loop constantly feeding itself with non-informative lines.
• logtartget
  • Value can be a file, SYSLOG, STDERR or STDOUT.
  • Only one log target can be specified.
  • Default = /var/log/fail2ban.log
• socket
  • This is used to communicate with the fail2ban daemon. Removing this file will make communicating with the fail2ban server impossible.
  • Value can be a file.
  • Default = /var/run/fail2ban/fail2ban.sock
• pidfile
  • This is used to store the process ID of the fail2ban server.
  • Default = /var/run/fail2ban/fail2ban.pid
• dbfile
  • This is used to store the fail2ban persistent data.
  • Value can be a file or ": memory."
  • Default = /var/lib/fail2ban/fail2ban.sqlite3
  • :memory: will result in the database being stored in memory, so the data is lost when fail2ban is stopped.
• dbpurgeage
  • This determines the age at which bans will be purged from the database.
  • Default = 1d  (24 hours)
• syslogsocket (*Only used when log target is SYSLOG)
  • Value can be "auto" or a file.
  • Auto uses the platform. System () to determine predefined paths

jail.  Local: Within jail.  Local definitions under [DEFAULT] will define that option for every jail. Re-defining these options within each jail (i.e. [sshd]) will override the definition under [DEFAULT].

This means that the [apache-auth] jail can use the [DEFAULT] bantime, find time, and maxretry, while each of these can be re-defined under the [sshd] jail.

*Important note: By default, the enabled option under [DEFAULT] is set to false. This means all jails are disabled by default. Jails should be individually enabled by defining the enabled option in the specific jail:

enabled = true