How to Setup Fail2Ban

‘With great power comes great responsibility’; this applies to a great deal of things in life, not least maintaining your server security. Security plays a key role in keeping unwanted third parties from accessing servers. Criminals have many motives for their attacks, and every successful breach presents a risk to the server operator.

So what is Fail2Ban?

Written in the programming language Python, the security framework Fail2ban is a server module that can be used on all Linux and POSIX systems with firewalls or packet filters. Tucked away in the server’s log files, Fail2ban detects suspicious IP addresses (e.g. ones with multiple failed log-in attempts). Once a certain number of failed attempts is reached, the suspicious address is automatically blocked for a predetermined period of time. Fail2Ban administrators can also receive notices of the IP addresses via e-mail.

By default, Fail2Ban comes with a range of filters for Apache, Postfix, or the Courier mail server; these recognize certain strings in log files. These filters trigger actions, which are commands that are executed at a predetermined point in time. The combination of a filter and an action, which can cause Fail2ban to block an IP address, is known as a jail. With Fail2ban, these jails can be programmed for any software that creates log files. Because Fail2ban is made up of an open source framework with a GPL2 license, both its use and extensions remain entirely free of charge.

Fail2ban: installation and configuration

Before installation, ensure that Python (at least version 2.4) is installed on your system. It’s also worthwhile to have the firewall configuration tools itables, Shorewall, and TCP Wrappers before getting started. The following step-by-step guide lays out how to set up and use Fail2ban on Debian or Ubuntu:

  1. Start the installation process with the command:

    sudo apt-get install fail2ban  

  2. After installation is complete, locate the framework in the directory /etc/fail2ban. To be on the safe side, use the following command to copy the configuration file, jail.conf; this protects your own settings from updates:

    cd /etc/fail2ban
    sudo cp jail.conf jail.local

  3. Start Fail2ban with the following command:

    sudo service fail2ban start

  4. In the configuration file, you can activate or deactivate pre-formulated rules, including jails, and customize their parameters. It’s also possible to add your own jail. The following jail parameters can be configured:

    enabled: activated (true) or deactivated (false) the rule
    filter: name of the filter from the file /etc/fail2ban/filter.d
    port: specify port (z.B. SSH, HTTP, HTTPS)
    logpath: path to log file to be read
    maxretry: maximum number of failed attempts
    findtime: time period allotted for problematic IPs to be searched for (in seconds)
    bantime: time period for which a given IP can be blocked (-1: permanent)

  5. Once changes have been made to the parameters, reload Fail2ban:

    sudo service fail2ban reload

  6. Fail2ban then saves the evaluation results in a separate log file that can be accessed as follows:

    tail -100f /var/log/fail2ban.log

  7. Finally, the security framework can be closed by entering:

    sudo service fail2ban stop

Also effective against bots and scripts

Because Fail2ban can be used wherever log files can be read with filters, users have access to numerous applications for this prevention framework. A popular example of this is the WordPress plugin, Antispam Bee, which is able to identify comments on WordPress blogs as Spam. The option “Mark as Spam, do not delete” labels Spam posts with the error code 403. IP addresses, post and error sequences then appear in the WordPress log file (access log). By using a jail that scans the log entries after the error code, Spam can be intercepted at the server level.

Not only does Fail2ban protect WordPress from Spam and other hacker attacks, it also protects against unauthorized log-ins. With the help of the extension, failed log-ins can be answered by printing the status code 403. This is enough to stop some bots and scripts and abruptly end their activities. With programmed Fail2ban rules, the extension also enables the tried and tested blocking procedure.

Fail2ban - effective against bots and scripts

Fail2ban: a flexible and versatile security framework

In the battle against bots, scripts, and other hacker attacks, Fail2ban provides server operators with a flexible and effective form of protection. This framework lets users size up suspicious log files and subsequently ban the respective IP address on a temporary or permanent basis. Users can also determine which services Fail2ban inspects as well as the parameters that should be applied during the inspection. IP address can be barred from the search and blocked IPs can be unblocked.

Fail2ban is no substitute for tried-and-true security precautions, like security software, a good back up structure, and encryption protection. But if properly configured, it nicely complements other server security efforts. Let it be clear: individual components can only provide comprehensive protection against attacks when used as port of a broader security scheme.

Related articles

How to choose a strong password

How to choose a strong password

  • Security

It only takes a few seconds for a hacker to gain access to your private data without you having any idea. More often than not, a password is the only means of protection when logging into online services; and if it is too obvious, it will not prove too much of a challenge for criminals to crack. There are numerous options to increase password security.

How to choose a strong password
How to backup databases

How to backup databases

  • Security

Backing up your data is a popular option for securing your database. In order to create backup copies, you need additional hardware and to install a suitable backup structure. How do you secure your own network and web server against attacks and proceed to protect your databases?

How to backup databases
How to use SSH keys

How to use SSH keys

  • Security

Operating and managing a remote server located in a data center is often carried out by using a secure network connection provided by the SSH protocol. The necessary registration on the server is preceded by an authentication process. Usually this occurs in the form of the username and password. Alternative methods such as the public key authentication used by SSH, do have their advantages. But…

How to use SSH keys
How to secure a server

How to secure a server

  • Configuration

If you operate or rent your own server, it is your responsibility to protect it against failures and external access. You can immediately begin to set the foundation for this when configuring the server, if you have the necessary administrative rights. The correct settings can work wonders, especially with encrypted remote connections via SSH protocol, and greatly increase security.

How to secure a server
The Python logging module: How to locate script errors

The Python logging module: How to locate script errors

  • Web development

Python logging is a module in the Python library. Since it is integrated into the source code, developers can use several commands to carry out Python logging to file, i.e. create a log file and send notes to this file that are logged when an application runs. Python logging can be used, for example, for code debugging or error communication.

The Python logging module: How to locate script errors
We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.