Securing your server with Fail2ban

‘With great power comes great responsibility’; this applies to a great deal of things in life, not least maintaining your server security. Security plays a key role in keeping unwanted third parties from accessing servers. Criminals have many motives for their attacks, and every successful breach presents a risk to the server operator.

So what is Fail2Ban?

Written in the programming language Python, the security framework Fail2ban is a server module that can be used on all Linux and POSIX systems with firewalls or packet filters. Tucked away in the server’s log files, Fail2ban detects suspicious IP addresses (e.g. ones with multiple failed log-in attempts). Once a certain number of failed attempts is reached, the suspicious address is automatically blocked for a predetermined period of time. Fail2Ban administrators can also receive notices of the IP addresses via e-mail.

By default, Fail2Ban comes with a range of filters for Apache, Postfix, or Courier; these recognize certain strings in log files. These filters trigger actions, which are commands that are executed at a predetermined point in time. The combination of a filter and an action, which can cause Fail2ban to block an IP address, is known as a jail. With Fail2ban, these jails can be programmed for any software that creates log files. Because Fail2ban is made up of an open source framework with a GPL2 license, both its use and extensions remain entirely free of charge.

Fail2ban: installation and configuration

Before installation, ensure that Python (at least version 2.4) is installed on your system. It’s also worthwhile to have the firewall configuration tools itables, Shorewall, and TCP Wrappers before getting started. The following step-by-step guide lays out how to set up and use Fail2ban on Debian or Ubuntu:

  1. Start the installation process with the command:

    sudo apt-get install fail2ban  

  2. After installation is complete, locate the framework in the directory /etc/fail2ban. To be on the safe side, use the following command to copy the configuration file, jail.conf; this protects your own settings from updates:

    cd /etc/fail2ban
    sudo cp jail.conf jail.local

  3. Start Fail2ban with the following command:

    sudo service fail2ban start

  4. In the configuration file, you can activate or deactivate pre-formulated rules, including jails, and customize their parameters. It’s also possible to add your own jail. The following jail parameters can be configured:

    enabled: activated (true) or deactivated (false) the rule
    filter: name of the filter from the file /etc/fail2ban/filter.d
    port: specify port (z.B. SSH, HTTP, HTTPS)
    logpath: path to log file to be read
    maxretry: maximum number of failed attempts
    findtime: time period allotted for problematic IPs to be searched for (in seconds)
    bantime: time period for which a given IP can be blocked (-1: permanent)

  5. Once changes have been made to the parameters, reload Fail2ban:

    sudo service fail2ban reload

  6. Fail2ban then saves the evaluation results in a separate log file that can be accessed as follows:

    tail -100f /var/log/fail2ban.log

  7. Finally, the security framework can be closed by entering:

    sudo service fail2ban stop

Also effective against bots and scripts

Because Fail2ban can be used wherever log files can be read with filters, users have access to numerous applications for this prevention framework. A popular example of this is the WordPress plugin, Antispam Bee, which is able to identify comments on WordPress blogs as Spam. The option “Mark as Spam, do not delete” labels Spam posts with the error code 403. IP addresses, post and error sequences then appear in the WordPress log file (access log). By using a jail that scans the log entries after the error code, Spam can be intercepted at the server level.

Not only does Fail2ban protect WordPress from Spam and other hacker attacks, it also protects against unauthorized log-ins. With the help of the extension, failed log-ins can be answered by printing the status code 403. This is enough to stop some bots and scripts and abruptly end their activities. With programmed Fail2ban rules, the extension also enables the tried and tested blocking procedure.

Fail2ban: a flexible and versatile security framework

In the battle against bots, scripts, and other hacker attacks, Fail2ban provides server operators with a flexible and effective form of protection. This framework lets users size up suspicious log files and subsequently ban the respective IP address on a temporary or permanent basis. Users can also determine which services Fail2ban inspects as well as the parameters that should be applied during the inspection. IP address can be barred from the search and blocked IPs can be unblocked.

Fail2ban is no substitute for tried-and-true security precautions, like security software, a good back up structure, and encryption protection. But if properly configured, it nicely complements other server security efforts. Let it be clear: individual components can only provide comprehensive protection against attacks when used as port of a broader security scheme.