Fail2ban

Setup Fail2ban on your Linux server

To install and configure Fail2ban, you can follow these general steps:

  1. Update your system

    Ensure your system is up to date by running the following commands:

    sudo apt update
    sudo apt upgrade

  2. Install Fail2ban

    Use the package manager of your distribution to install Fail2ban.

    For Ubuntu or Debian-based systems, run:

    sudo apt install fail2ban

  3. Configure Fail2ban

    Fail2ban's main configuration file is /etc/fail2ban/jail.conf. Package upgrades overwrite that file, so keep your own settings in an override file, /etc/fail2ban/jail.local, which Fail2ban reads after jail.conf and whose values take precedence. Run the following command to create the override file:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

  4. Edit the configuration file

    Open the jail.local file in a text editor:

    sudo nano /etc/fail2ban/jail.local

    In this file, you define jails (one section per protected service) and configure their behavior. Here's an example of a basic jail that protects SSH:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    findtime = 600
    bantime = 3600

    The file contains many configuration options. The ones that matter most are:

    • enabled: Set to true to enable the jail.
    • port: The port of the service you want to protect, given as a number or a service name such as ssh.
    • filter: The name of the filter to use (usually matches the service, e.g., sshd for SSH).
    • logpath: The log file Fail2ban should monitor.
    • bantime: How long, in seconds, an IP address stays banned (the default is 10 minutes).
    • findtime: The window, in seconds, within which repeated failed attempts are counted toward a ban.
    • maxretry: The number of failed attempts allowed within findtime before an IP is banned.
    • destemail: The email address to which notifications are sent.
    • action: The action taken when a jail triggers (e.g., banning the IP, sending an email).

    Adjust these options based on your needs. You can also enable/disable specific jail sections depending on which services you want to protect.

    You can add more jails for other services you want to protect, such as Apache, Nginx, or any other application running on your server.

  5. Create Custom Filters (if necessary)

    Filters define the patterns (regular expressions) that Fail2ban matches against log lines. The default filters are located in /etc/fail2ban/filter.d/. If you need a custom filter, create a .conf file in this directory.

  6. Enable and start Fail2ban

    Once the configuration is complete, enable and start the Fail2ban service:

    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban

    Fail2ban should now be running and monitoring the configured log files for the failures its filters describe.

  7. Check Fail2ban status

    To check the status of Fail2ban and view any banned IP addresses, use the following command:

    sudo fail2ban-client status

    This will display information about the active jails and any banned IPs.

    To view detailed information about a specific jail:

    sudo fail2ban-client status <jail-name>
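To make the interplay of maxretry, findtime and bantime from step 4 concrete, here is a small added simulation (not part of Fail2ban or of the original page) that replays constructed /var/log/auth.log lines through the example jail's settings. The "Failed password" pattern, the sample log and the year used for the syslog timestamps are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified match for the "Failed password" line sshd writes to /var/log/auth.log.
# This is an illustrative pattern, not the regex from Fail2ban's own sshd filter.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample of /var/log/auth.log (syslog timestamps carry no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 198.51.100.20 port 42000 ssh2
Mar  3 10:02:30 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:05:00 host sshd[1204]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar  3 10:06:12 host sshd[1205]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:20:00 host sshd[1206]: Failed password for root from 198.51.100.20 port 42001 ssh2
Mar  3 10:30:00 host sshd[1207]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:40:00 host sshd[1208]: Failed password for root from 198.51.100.20 port 42002 ssh2
"""

def parse_ts(text, year=2024):
    """Turn a syslog timestamp into a datetime; the year is an assumption."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def simulate(lines, maxretry=3, findtime=600, bantime=3600):
    """Replay log lines with the jail settings from the example above and
    return {ip: time_of_ban} for every IP that reached maxretry failures
    inside a findtime-second sliding window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other noise are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue                # firewall rule is in place; attempt is never counted
        # Drop failures older than findtime, then record this one.
        window = [t for t in failures[ip] if ts - t < timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
            failures[ip] = []
    return bans
```

Running simulate(SAMPLE_LOG.splitlines()) bans only 203.0.113.7 at 10:06:12; the slow attempts from 198.51.100.20 are spaced more than 600 seconds apart, so they never accumulate three failures inside findtime and that host is not banned unless findtime is raised.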