Running a web server that hosts your main applications, a website or other services carries a great responsibility. It is therefore necessary to take many security measures to protect the server from intruders. Some of these security policies are difficult to implement, others very simple. With this in mind, today I will teach you how to secure a web server using Fail2ban.
Fail2ban is an application developed in Python that works as an intrusion prevention system. It watches the number of times a client tries to access a service on the server and blocks the IP address from which the alleged attack is coming. For example, SSH is used to access many web servers, so it is one of the most attacked services, and it becomes necessary to protect it further.
In addition, Fail2ban also protects other important services such as FTP, Apache and Courier, among others.
So, let’s install and configure it on Ubuntu 18.04.
1. Upgrade the system
Using Fail2ban is a good way to protect your server, and keeping your system up to date is another. So, run:
:~$ sudo apt update && sudo apt upgrade
Now your upgraded system has the security patches properly installed and working.
2. Install Fail2ban on Ubuntu 18.04
The fastest and easiest way to install Fail2ban is to use the official Ubuntu repositories. So it all comes down to this command:
:~$ sudo apt install fail2ban
Once the process is finished, check the installed version.
:~$ fail2ban-server --version
Finally, start and enable the service to start with the system.
It is also a good idea to check the service status.
:~$ sudo systemctl enable fail2ban
:~$ sudo systemctl start fail2ban
:~$ sudo systemctl status fail2ban
So, that’s it. Let’s configure it.
3. Secure a web server with Fail2ban
The configuration of Fail2ban is really simple and can be found in the text file called jail.conf, located in /etc/fail2ban.
You can use this file or create a new one.
So, back up the original file.
:~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak
Next, open the file, delete everything and just add the following:
:~$ sudo rm /etc/fail2ban/jail.conf && sudo nano /etc/fail2ban/jail.conf
[DEFINITION]
# Logging and socket settings. Fail2ban reads these from the [Definition]
# section of /etc/fail2ban/fail2ban.conf; in jail.conf they have no effect.
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.50
bantime = 600
findtime = 600
maxretry = 3
backend = auto
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh-iptables]
enabled = true
port = ssh
filter = sshd
# Ubuntu writes sshd authentication messages to auth.log
# (/var/log/secure is the RHEL/CentOS path and does not exist here)
logpath = /var/log/auth.log
maxretry = 3
I’ll explain briefly the components of the file:
- ignoreip: connections from these IP addresses will never be banned or blocked. It is convenient to add your own public IP address here.
- bantime: the duration of the ban, expressed in seconds. 600 = 10 minutes.
- maxretry: the maximum number of permitted failed attempts.
- action: what the program does to an offending IP address in order to secure the web server; here, an iptables rule.
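To see how maxretry, findtime and ignoreip interact, here is a small Python simulation of the jail's counting logic. It is an added example, not part of the original post or of Fail2ban itself; the log lines are constructed in the format sshd writes to Ubuntu's /var/log/auth.log, and the year used for timestamp parsing is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from a real server), in sshd's auth.log format.
# 203.0.113.10 fails 3 times in 8 s, 192.168.0.50 is whitelisted,
# 198.51.100.7 fails 3 times but spread over 38 minutes.
SAMPLE_LOG = """\
Mar  3 10:00:01 web sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Mar  3 10:00:05 web sshd[1203]: Failed password for root from 203.0.113.10 port 51030 ssh2
Mar  3 10:00:09 web sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Mar  3 10:01:00 web sshd[1210]: Failed password for root from 192.168.0.50 port 40000 ssh2
Mar  3 10:01:01 web sshd[1211]: Failed password for root from 192.168.0.50 port 40001 ssh2
Mar  3 10:01:02 web sshd[1212]: Failed password for root from 192.168.0.50 port 40002 ssh2
Mar  3 10:02:00 web sshd[1220]: Failed password for root from 198.51.100.7 port 33000 ssh2
Mar  3 10:20:00 web sshd[1230]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar  3 10:40:00 web sshd[1240]: Failed password for root from 198.51.100.7 port 33002 ssh2
Mar  3 10:40:30 web sshd[1241]: Accepted publickey for deploy from 198.51.100.7 port 33003 ssh2
"""

# Failure pattern modelled on the sshd filter's "Failed password" rule.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+"
)

def parse_ts(stamp, year=2024):
    # syslog timestamps carry no year; 2024 is assumed for the sample.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def would_ban(log_text, maxretry=3, findtime=600,
              ignoreip=("127.0.0.1", "192.168.0.50")):
    """Return the IPs that reach maxretry failures inside a findtime window."""
    failures = {}   # ip -> timestamps of failures still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                    # not a failure line (e.g. a login)
        ip = m.group("ip")
        if ip in ignoreip or ip in banned:
            continue                    # whitelisted, or already banned
        ts = parse_ts(m.group("ts"))
        window = [t for t in failures.get(ip, [])
                  if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:     # maxretry hits within findtime: ban
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(would_ban(SAMPLE_LOG)))   # ['203.0.113.10']
```

Raising findtime to 3600 also bans 198.51.100.7, and emptying ignoreip bans the whitelisted 192.168.0.50, which is the case the author warns about when suggesting you add your own IP.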
Restart the service:
:~$ sudo systemctl restart fail2ban
4. Final configurations
You can also check the Fail2ban log.
:~$ sudo cat /var/log/fail2ban.log
Now, when somebody fails authentication three times, their IP address will be banned.
Conclusion
Protecting your server from a brute force attack is possible with Fail2ban. Best of all, it is a very simple process and very useful for all the trouble it can spare us.
So, share this post with your friends.