Article overview

Help article

Fail2Ban bruteforce protection

Fail2ban protects your VPS by banning IPs from which attempts are made to enter your VPS. Fail2Ban scans log files to determine which IPs are performing brute force attacks and bans them. (e.g., /var/log/apache/error_log). It scans for too many wrong password attempts, searches for exploits, etcetera.

In addition, it is also possible to automatically send a report to yourself and the owner of the attacking IP. Fail2ban comes with filters for various services (Apache, Courier, SSH, etcetera).

Execute the commands in this article as a root user, or user with sudo rights


Installing Fail2ban

AlmaLinux 8

Step 1

First, update your VPS:

sudo dnf -y update

 

Step 2

Fail2ban is not included in the official CentOS package repository. It is included in Extra Packages for Enterprise Linux (EPEL). Therefore, install the latest EPEL release first.

sudo dnf -y install epel-release

 

Step 3

Install Fail2ban with the command:

sudo dnf -y install fail2ban

 

Step 4

Next, ensure that Fail2ban automatically starts with your VPS and enable Fail2ban with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.

CentOS

Step 1

First, update your VPS:

yum -y update

 

Step 2

Fail2ban is not included in the official CentOS package repository. It is included in Extra Packages for Enterprise Linux (EPEL). Therefore, install the latest EPEL release first.

yum -y install epel-release

 

Step 3

Install Fail2ban with the command:

yum -y install fail2ban

 

Step 4

Ensure that Fail2ban automatically starts with your VPS and enable Fail2ban with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.

Ubuntu

Step 1

Update your VPS first:

apt-get update

 

Step 2

Unlike CentOS, Fail2ban is included by default in the official Ubuntu package repository. You install Fail2ban with the command:

apt-get install fail2ban

Permission will be requested twice. Click 'y'> 'Enter' both times to continue.



Step 3

Empty your repository cache with the command:

apt-get clean

 

Step 4

Then you ensure that Fail2ban automatically starts with your VPS and you enable Fail2ban with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.

Debian

Step 1

Update your VPS first:

apt-get update

 

Step 2

Unlike CentOS, Fail2ban is included by default in the official Debian package repository. You install Fail2ban with the command:

apt-get install fail2ban

Permission will be requested once. Click 'y'> 'Enter' to continue.


 

Step 3

Empty your repository cache with the command:

apt-get clean

 

Step 4

Then you ensure that Fail2ban automatically starts with your VPS and you enable Fail2ban with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.


Configuring Fail2ban

We recommend making some adjustments in the configuration of Fail2ban. We use the file /etc/fail2ban/jail.local. By default, Fail2ban uses /etc/fail2ban/jail.conf but it can be overwritten with Fail2ban updates. As is the case with jail.local. In addition, the configuration of jail.local takes precedence over the configuration of jail.conf.

Only use parts of the configuration below that apply to your VPS! If you do not use Exim, do not add that part. The same applies to the Postfix part. You only use the SASL part if you use our mail service.

 

Step 1

First create the jail.local file:

nano /etc/fail2ban/jail.local

 

Step 2

Add the following code and adjust the values according to your needs. An explanation of the options can be found under the code (tip: use Putty and copy-paste the content below). Pay extra attention to the banaction which may differ per operating system.

Adjust the data below (sender, destemail and ignoreip) to your own data and only use the jails of software that you use on your VPS (e.g. Exim or Postfix, but not both.) You can check which one you use on your VPS with the command systemctl status exim / postfix).

Do you use our VPS mail service? Then add the part under '[sasl]' and take a look at step 5 below.

[DEFAULT]
# Ban for X amount of time
bantime = 604800
findtime = 3600
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 5
ignoreip = youripaddress

[sshd]
enabled = true
port = ssh
# replace ssh by your SSH port number.

[exim]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog
# Using cPanel? replace the line above with: logpath = /var/log/exim_mainlog

[postfix]
enabled = true
port = smtp, ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/maillog
Explanation of Fail2Ban jail.local configuration

Fail2ban uses so-called 'Jails'. A jail can be viewed as the configuration for a specific piece of software on your VPS in which you define things such as which service and port is used, and which log file is scanned by Fail2ban. Above, for example, the part under [Exim] is a jail.


[Default]

  • bantime: A bantime of 60 is 1 minute, 3600 1 hour, 86400 1 day and 604800 1 week, etcetera.
  • findtime: This defines how far in the past Fail2ban checks your log files. This is 600 (10 minutes) by default. If an IP performs one attack every 10 minutes, Fail2ban would not consider this an attack because action is only take in case of five attacks (see maxretry) within 10 minutes.
  • sender (optional): The email address that sends notifications of Fail2ban actions to the attacker. Configuring an outgoing mail server and mail address on your VPS that you can use for this is beyond the scope of this manual.
  • destemail (optional): Your own email address where Fail2ban notifications are sent to. Configuring an outgoing mail server and mail address on your VPS that you can use for this is beyond the scope of this manual.
  • action (optional): The default option %(action_)s bans the IP of the attacker. In addition, %(action_mwl)s sends an email notification including WHOIS data and logfile data.
  • banaction: banaction indicates which firewall you use. In Ubuntu, for example, this is UFW. You can specify in jail.local firewalld or iptables as follows:
    • firewalld: banaction = firewallcmd-ipset
    • iptables: banaction = iptables-multiport
    • ufw: banaction = ufw
  • maxretry: Here you can indicate the maximum number of attempts possible (e.g. incorrect login attempts) before the action mentioned under 'action' is executed. We recommend allowing at most 3 failed logins per hour (i.e. with a findtime of 3600), or at most 5 per 1.5-2 hours as many bots will attack around that frequency.
  • sshd enabled: This monitors ssh connection attempts and bans IPs if they make more attempts than defined under maxretry.
  • ignoreip: Enter your own IP here. If you forget your password, your IP will not be banned immediately after the number of attempts under 'maxretry'.


[SSHD] (SSH server)

  • enabled: enables the security of your SSH(D) connection.
  • port: Here you specify which port is protected. With the 'ssh' value you tell Fail2ban to use the set SSH port.


[exim] (outgoing mail)

  • enabled: enables the security of your exim connection.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • failregex: These are error messages the log defined under 'logpath' is searched for.
  • logpath: The log file Fail2ban searches.


[postfix] (outgoing mail)

  • enabled: enables the security of your exim connection.
  • port: Here you specify which port is protected. With the ‘smtp,ssmtp’ value you tell Fail2ban to use the set SMTP port.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • failregex: These are error messages the log defined under 'logpath' is searched for.
  • logpath: The log file Fail2ban searches.


[dovecot] (incoming mail)

  • enabled: enables the security of your exim connection.
  • port: Here you specify which port is protected. With the 'pop3, pop3s, imap, imaps' value you tell Fail2ban to use the set SSH port.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • logpath: The log file Fail2ban searches.
     

[SASL] (for using a relay, such as our VPS-mailservice)

  • enabled: Enables the security for your mail server's connection.
  • port: Indicates which port is secured. Using the value 'pop3, pop3s, imap, imaps' Fail2ban will use the configured smtp, pop3- and imap-ports.
  • filter: Indicates which filter is used. Fail2Ban comes with a set of filters which can be found in /etc/fail2ban/filter.d/.
  • logpath: The log file checked by Fail2ban.

 

Step 3

If you use Exim (e.g. with our DirectAdmin and cPanel images), expand the existing configuration file called exim.conf. If you don't use exim, continue to step 5.

nano /etc/fail2ban/filter.d/exim.conf

 

Step 4

Add the following content to the file under the existing list of failregex and save the changes by pressing ctrl + x > y > enter successively:

\[<HOST>\]: 535 Incorrect authentication data

The definition section should then look something like this:

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            \[<HOST>\]: 535 Incorrect authentication data

ignoreregex =

Step 5

If you use the VPS mailservice, create another configuration file for SASL jail. If not, continue to step 7.

nano /etc/fail2ban/filter.d/sasl.conf

 

Step 6

Add the following content to the file and save the changes by pressing ctrl + x > y > enter successively:

# Fail2Ban configuration file
#
# $Revision$

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Step 7

Restart Fail2ban to process the changes:

systemctl restart fail2ban

Advanced / optional: increasing Fail2ban ban time

To prevent Fail2ban from acting very fanatically and permanently blocking a legitimate user who might not remember his password, it is possible to alternatively set to first ban an hour, then a day, a week, etcetera.

 

Step 1

First create the file /etc/fail2ban/filter.d/f2b-repeat.conf:

nano /etc/fail2ban/filter.d/f2b-repeat.conf

 

Step 2

Add the following content:

[INCLUDES]
before = common.conf
[Definition]
failregex = \]\s+ban\s+<HOST>
ignoreregex = \[f2b-repeat.*\]\s+ban\s+<HOST>

 

Step 3

In your jail.local file, replace the part under '[Default]' and in front of '[SSHD]' by the following:

[DEFAULT]
# Ban for X amount of time
bantime = 3600
findtime = 86400
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = firewallcmd-ipset
maxretry = 5
ignoreip = youripaddress

[f2b-repeat2]
enabled = true
filter = f2b-repeat
bantime = 86400
findtime = 604800
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-repeat3] 
enabled = true 
filter = f2b-repeat 
bantime = 604800
findtime = 2592000 
logpath = /var/log/fail2ban.log 
maxretry = 3 

[f2b-repeat4] 
enabled = true 
filter = f2b-repeat 
bantime = 2592000 
findtime = 15552000 
logpath = /var/log/fail2ban.log 
maxretry = 5

You increase the findtime so Fail2ban looks further at new attempts. This way you ensure that Fail2ban recognizes repeating visitors, but also checks them more and more.


 

Step 4

If you specify the directory of the Fail2ban log file as seen above, Fail2ban will not start. This can be solved by first creating the Fail2ban.log file:

sudo touch /var/log/fail2ban.log

 

Step 5

Restart Fail2ban to process the changes:

systemctl restart fail2ban

Advanced / optional: extra filters / jails

Fail2ban comes with a number of filters / jails that you can find in /etc/fail2ban/filter.d/:

 

Step 1

View the standard filters / jails with:

ls /etc/fail2ban/filter.d/

You will see an overview as below:

fail2ban jails

Choose the name of the filter you want to use, for example apache-auth.conf


 

Step 2

Open your jail:

nano /etc/fail2ban/jail.local

 

Step 3

 

You now add the filter jail using the following syntax:

[jailname]
enabled = true
filter = jailname
logpath = /var/log/yourlogfile
  • [jailname]: Replace this name with a name of your choice so you can easily recognize it if you check the status of Fail2ban.
  • enabled: Always must be true, otherwise your jail is disabled.
  • filter: Enter the name of the jail you have chosen here. For example, if you chose apache-auth.conf during step 1, enter apache-auth here.
  • logpath: Here you specify which file Fail2ban scans to search for attacks on your VPS.

Additional tips and commands

You check the status of Fail2ban with the following command:

fail2ban-client status

You can check the logs of Fail2ban with the following command:

nano /var/log/fail2ban.log

If you want to verify if Fail2ban is still running, use:

systemctl status fail2ban

After a change you restart Fail2ban with the following command:

systemctl restart fail2ban

Manual banning / unbanning

Manual banning

Should someone be very patient and attempt to log in once per hour, you also have an option to manually ban an IP. In order to do so, first pick one of the jails visible in the output of:

fail2ban-client status

Then use the command below to ban an IP, where you replace 'JAIL' with the chosen jail name and xxx.xxx.xxx.xxx by the attacker's IP address:

fail2ban-client -vvv set JAIL banip xxx.xxx.xxx.xxx

 

Manual unbanning

It can happen that someone gets banned by accident, for example after supplying a wrong SSH password several times (use the VPS console if you've banned yourself in this manner). In this scenario, you can use the following command to unban an IP address:

sudo fail2ban-client set JAIL unbanip xxx.xxx.xxx.xxx

Replace 'JAIL' with the name of the jail in which the IP address has been banned and xxx.xxx.xxx.xxx by the attacking IP address.

Are you uncertain in which jail the IP address is listed? Consult your fail2ban log, for example using the command:

sudo nano /var/log/fail2ban.log

Search for the specific IP address in the opened log file by pressing ctrl + w on your keyboard (this is the whereis function in nano) and then type the IP address you're searching for.


 

The installation and configuration of Fail2ban on your VPS is complete. Your VPS is now protected against bruteforce attacks!

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.

Has this article been helpful?

Create an account or log in to leave a rating.

Comments

Create an account or log in to be able to leave a comment.