I'd like to install Fail2ban

Fail2ban protects your VPS by banning IP addresses from which repeated attempts are made to break into your VPS. Fail2ban scans the log files on your VPS (e.g. /var/log/apache/error_log) to decide which IPs get banned: it looks for too many wrong password attempts, searches for exploits, and so on.

In addition, it is also possible to automatically send a report to yourself and the owner of the attacking IP. Fail2ban comes with filters for various services (Apache, Courier, SSH, etcetera).

Execute the commands in this article as the root user, or as a user with sudo rights.


Installing Fail2ban

CentOS 7

Step 1

First, update your VPS:

yum -y update

Step 2

Fail2ban is not included in the official CentOS package repository. It is included in Extra Packages for Enterprise Linux (EPEL). Therefore, install the latest EPEL release first.

yum -y install epel-release

Step 3

Install Fail2ban with the command:

yum -y install fail2ban

Step 4

Then make sure Fail2ban starts automatically with your VPS, and start it now, with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.

Ubuntu

Step 1

Update your VPS first:

apt-get update

Step 2

Unlike CentOS, Fail2ban is included by default in the official Ubuntu package repository. You install Fail2ban with the command:

apt-get install fail2ban

Permission will be requested twice. Press 'y' > 'Enter' both times to continue.

Step 3

Empty your repository cache with the command:

apt-get clean

Step 4

Then make sure Fail2ban starts automatically with your VPS, and start it now, with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.

Debian

Step 1

Update your VPS first:

apt-get update

Step 2

Unlike CentOS, Fail2ban is included by default in the official Debian package repository. You install Fail2ban with the command:

apt-get install fail2ban

Permission will be requested once. Press 'y' > 'Enter' to continue.

Step 3

Empty your repository cache with the command:

apt-get clean

Step 4

Then make sure Fail2ban starts automatically with your VPS, and start it now, with the following commands:

systemctl enable fail2ban
systemctl start fail2ban

Continue with the configuration of Fail2ban.


Configuring Fail2ban

We recommend making a few adjustments to the Fail2ban configuration. We use the file /etc/fail2ban/jail.local for this. By default, Fail2ban reads /etc/fail2ban/jail.conf, but that file can be overwritten by Fail2ban updates; this is not the case with jail.local. In addition, the settings in jail.local take precedence over those in jail.conf.

Only use the parts of the configuration below that apply to your VPS! If you do not use Exim, do not add that part. The same applies to the Postfix part. You only use the SASL part if you use our mail service.

Step 1

First create the jail.local file:

nano /etc/fail2ban/jail.local

Step 2

Add the following code and adjust the values according to your needs. An explanation of the options can be found under the code (tip: use Putty and copy-paste the content below).

Adjust the values below (sender, destemail and ignoreip) to your own data and only use the jails for software that you actually run on your VPS (e.g. Exim or Postfix, but not both). You can check which one you use on your VPS with the command systemctl status exim or systemctl status postfix.

Do you use our VPS mail service? Then add the part under '[sasl]' and take a look at step 5 below.

[DEFAULT]
# Ban for X amount of time
bantime = 604800
findtime = 3600
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = firewallcmd-ipset
# banaction for firewalld, for iptables, see the comments in https://www.transip.eu/knowledgebase/entry/596
maxretry = 5
ignoreip = youripaddress

[sshd]
enabled = true
port = ssh
# replace ssh by your SSH port number.
[exim]
enabled = true
filter = exim_auth
logpath = /var/log/exim/mainlog
# Using cPanel? replace the line above with: logpath = /var/log/exim_mainlog
[postfix]
enabled = true
port = smtp, ssmtp
filter = postfix
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = /var/log/maillog

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/maillog

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/maillog

Explanation of Fail2Ban jail.local configuration

Fail2ban uses so-called 'Jails'. A jail can be viewed as the configuration for a specific piece of software on your VPS in which you define things such as which service and port is used, and which log file is scanned by Fail2ban. Above, for example, the part under [Exim] is a jail.


[Default]

  • bantime: A bantime of 60 is 1 minute, 3600 1 hour, 86400 1 day and 604800 1 week, etcetera.
  • findtime: This defines how far back in the past Fail2ban checks your log files. This is 600 (10 minutes) by default. If an IP performs one attack every 10 minutes, Fail2ban would not consider this an attack, because action is only taken in case of five attacks (see maxretry) within 10 minutes.
  • sender (optional): The email address that sends notifications of Fail2ban actions to the attacker. Configuring an outgoing mail server and mail address on your VPS that you can use for this is beyond the scope of this manual.
  • destemail (optional): Your own email address where Fail2ban notifications are sent to. Configuring an outgoing mail server and mail address on your VPS that you can use for this is beyond the scope of this manual.
  • action (optional): The default option %(action_)s bans the IP of the attacker. In addition, %(action_mwl)s sends an email notification including WHOIS data and logfile data.
  • banaction: banaction indicates which firewall you use. In CentOS, for example, this is firewalld. You can specify in jail.local firewalld or iptables as follows:
    • firewalld: banaction = firewallcmd-ipset
    • iptables: banaction = iptables-multiport
  • maxretry: Here you can indicate the maximum number of attempts possible (e.g. incorrect login attempts) before the action mentioned under 'action' is executed.
  • sshd enabled: This monitors ssh connection attempts and bans IPs if they make more attempts than defined under maxretry.
  • ignoreip: Enter your own IP here. If you forget your password, your IP will not be banned immediately after the number of attempts under 'maxretry'.


[SSHD] (SSH server)

  • enabled: enables the security of your SSH(D) connection.
  • port: Here you specify which port is protected. With the 'ssh' value you tell Fail2ban to use the set SSH port.


[exim] (outgoing mail)

  • enabled: enables the security of your exim connection.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • failregex: These are error messages the log defined under 'logpath' is searched for.
  • logpath: The log file Fail2ban searches.


[postfix] (outgoing mail)

  • enabled: enables the security of your Postfix connection.
  • port: Here you specify which port is protected. With the ‘smtp,ssmtp’ value you tell Fail2ban to use the set SMTP port.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • failregex: These are error messages the log defined under 'logpath' is searched for.
  • logpath: The log file Fail2ban searches.


[dovecot] (incoming mail)

  • enabled: enables the security of your Dovecot connection.
  • port: Here you specify which port is protected. With the 'pop3,pop3s,imap,imaps' value you tell Fail2ban to use the configured POP3 and IMAP ports.
  • filter: Indicates which filter is used. Fail2ban comes with a number of filters that are included in /etc/fail2ban/filter.d/
  • logpath: The log file Fail2ban searches.

[SASL] (for using a relay, such as our VPS-mailservice)

  • enabled: Enables the security for your mail server's connection.
  • port: Indicates which port is secured. Using the value 'smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s' Fail2ban will use the configured SMTP, POP3 and IMAP ports.
  • filter: Indicates which filter is used. Fail2Ban comes with a set of filters which can be found in /etc/fail2ban/filter.d/.
  • logpath: The log file checked by Fail2ban.

Step 3

If you use Exim (e.g. with our DirectAdmin and cPanel images), create another configuration file for exim_auth. If not, continue to step 5.

nano /etc/fail2ban/filter.d/exim_auth.conf

Step 4

Add the following content to the file and save the changes by pressing ctrl + x > y > enter successively:

# Fail2Ban configuration file
#
# $Revision$
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[<HOST>\]: 535 Incorrect authentication data

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Step 5

If you use the VPS mail service, create another configuration file for the SASL jail. If not, continue to step 7.

nano /etc/fail2ban/filter.d/sasl.conf

Step 6

Add the following content to the file and save the changes by pressing ctrl + x > y > enter successively:

# Fail2Ban configuration file
#
# $Revision$

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
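Before restarting Fail2ban it is worth checking that a filter's failregex actually matches the lines your mail server writes. The following shell script is an added example and not part of this article or of Fail2ban itself: it translates the two failregex lines above (the exim_auth one from step 4 and the SASL one from step 6) into POSIX extended regular expressions, runs them with grep and sed over a handful of constructed maillog and Exim mainlog lines (sample data, not real traffic), and reports which IP addresses would reach maxretry. The IPV4 pattern stands in for Fail2ban's <HOST> tag and is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article): test Fail2ban failregex patterns
# against sample log lines with plain grep/sed before restarting the service.

# Constructed /var/log/maillog lines as Postfix writes them for SASL failures.
SAMPLE_MAILLOG='Mar  3 10:01:02 vps postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:01:05 vps postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed
Mar  3 10:01:09 vps postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:01:12 vps postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:01:15 vps postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:02:00 vps postfix/smtpd[1234]: warning: host.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed
Mar  3 10:03:00 vps postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]
Mar  3 10:03:30 vps postfix/smtpd[1234]: 535 5.7.8 Error: authentication failed: authentication failure'

# Constructed Exim mainlog lines (format only; the message id is made up).
SAMPLE_EXIMLOG='2024-03-03 10:05:00 login authenticator failed for (x) [203.0.113.9]: 535 Incorrect authentication data (set_id=info)
2024-03-03 10:05:04 login authenticator failed for (x) [203.0.113.9]: 535 Incorrect authentication data (set_id=info)
2024-03-03 10:06:00 1rAbCd-000123-Ab <= user@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048'

# POSIX ERE translations of the two failregex lines from the filter files.
# Fail2ban's <HOST> tag is narrowed to an IPv4 capture group (assumption of
# this example); the Python-only (?i) flag becomes grep -i.
IPV4='([0-9]{1,3}(\.[0-9]{1,3}){3})'
SASL_FAIL_ERE=": warning: [-._[:alnum:]]+\[$IPV4\]: SASL (LOGIN|PLAIN|(CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?\$"
EXIM_FAIL_ERE="\[$IPV4\]: 535 Incorrect authentication data"

# Print the lines of log text $1 that the ERE $2 matches (case-insensitive).
match_failures() {
    printf '%s\n' "$1" | grep -iE "$2"
}

# Number of matching lines in log text $1 for ERE $2.
count_failures() {
    match_failures "$1" "$2" | wc -l | tr -d ' '
}

# Matches per IP address, most frequent first, as "<count> <ip>".
failures_per_host() {
    match_failures "$1" "$2" \
      | sed -E "s/.*\[$IPV4\].*/\1/" \
      | sort | uniq -c | sort -rn
}

# IP addresses whose failure count reaches maxretry ($3) within the sample.
hosts_over_maxretry() {
    failures_per_host "$1" "$2" | awk -v m="$3" '$1 >= m { print $2 }'
}

main() {
    echo "SASL failures in sample: $(count_failures "$SAMPLE_MAILLOG" "$SASL_FAIL_ERE")"
    echo "Would be banned at maxretry = 5:"
    hosts_over_maxretry "$SAMPLE_MAILLOG" "$SASL_FAIL_ERE" 5
    echo "Exim failures per host:"
    failures_per_host "$SAMPLE_EXIMLOG" "$EXIM_FAIL_ERE"
}

main
```

On the VPS itself the same check is done against the real log with Fail2ban's own tool, for example fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf, which prints how many lines the failregex matched and which were ignored.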

Step 7

Restart Fail2ban to process the changes:

systemctl restart fail2ban

Advanced / optional: increasing Fail2ban ban time

To prevent Fail2ban from being overly aggressive and permanently blocking a legitimate user who has simply forgotten their password, you can instead escalate the ban: first an hour, then a day, then a week, and so on.

Step 1

First create the file /etc/fail2ban/filter.d/f2b-repeat.conf:

nano /etc/fail2ban/filter.d/f2b-repeat.conf

Step 2

Add the following content:

[INCLUDES]
before = common.conf

[Definition]
# Fail2ban logs a ban as "[jailname] Ban <ip>" (capital B), so the regex must match that.
failregex = \]\s+Ban\s+<HOST>
# Do not count bans issued by the f2b-repeat jails themselves, otherwise they feed on each other.
ignoreregex = \[f2b-repeat.*\]\s+Ban\s+<HOST>

Step 3

In your jail.local file, replace the part under '[Default]' and in front of '[SSHD]' by the following:

[DEFAULT]
# Ban for X amount of time
bantime = 3600
findtime = 86400
sender = fail2ban@example.com
destemail = admin@example.com
action = %(action_mwl)s
banaction = firewallcmd-ipset
maxretry = 5
ignoreip = youripaddress

[f2b-repeat2]
enabled = true
filter = f2b-repeat
bantime = 86400
findtime = 604800
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-repeat3]
enabled = true
filter = f2b-repeat
bantime = 604800
findtime = 2592000
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-repeat4]
enabled = true
filter = f2b-repeat
bantime = 2592000
findtime = 15552000
logpath = /var/log/fail2ban.log
maxretry = 5

Each repeat jail uses a longer findtime, so Fail2ban looks further back for earlier bans of the same IP. This way Fail2ban recognises repeat offenders and bans them for progressively longer periods.
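The repeat jails read Fail2ban's own log, so the interesting question is which lines the f2b-repeat filter counts and which its ignoreregex drops. The shell script below is an added example, not part of this article or of Fail2ban: it applies the failregex and ignoreregex from f2b-repeat.conf (as POSIX extended regular expressions, with the capital "Ban" that Fail2ban writes to its log) to a few constructed /var/log/fail2ban.log lines and shows why the ignoreregex matters: without it, a ban placed by f2b-repeat2 would itself count towards the next tier. The IPV4 pattern standing in for <HOST> is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article): what the f2b-repeat filter selects
# from Fail2ban's own log, with and without its ignoreregex.

# Constructed /var/log/fail2ban.log lines in Fail2ban's log format.
SAMPLE_F2BLOG='2024-03-03 10:00:01,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 11:10:01,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-03 12:20:01,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 13:30:01,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 13:30:02,000 fail2ban.actions        [812]: NOTICE  [f2b-repeat2] Ban 203.0.113.5
2024-03-03 14:00:01,000 fail2ban.actions        [812]: NOTICE  [postfix] Ban 198.51.100.7
2024-03-03 14:05:01,000 fail2ban.filter         [812]: INFO    [sshd] Found 192.0.2.10'

# ERE forms of  failregex = \]\s+Ban\s+<HOST>  and
# ignoreregex = \[f2b-repeat.*\]\s+Ban\s+<HOST>; <HOST> is narrowed to IPv4
# (assumption of this example).
IPV4='([0-9]{1,3}(\.[0-9]{1,3}){3})'
BAN_ERE="][[:space:]]+Ban[[:space:]]+$IPV4"
IGNORE_ERE="\[f2b-repeat.*][[:space:]]+Ban[[:space:]]+$IPV4"

# Every line the failregex matches, including bans placed by the repeat jails.
all_bans() {
    printf '%s\n' "$SAMPLE_F2BLOG" | grep -E "$BAN_ERE"
}

# The same lines after the ignoreregex has been applied.
real_bans() {
    all_bans | grep -vE "$IGNORE_ERE"
}

count_all_bans()  { all_bans  | wc -l | tr -d ' '; }
count_real_bans() { real_bans | wc -l | tr -d ' '; }

# Bans per IP address (ignoreregex applied), most frequent first: "<count> <ip>".
bans_per_host() {
    real_bans \
      | sed -E "s/.*][[:space:]]+Ban[[:space:]]+$IPV4.*/\1/" \
      | sort | uniq -c | sort -rn
}

# IP addresses that a repeat jail with maxretry = $1 would escalate.
repeat_candidates() {
    bans_per_host | awk -v m="$1" '$1 >= m { print $2 }'
}

main() {
    echo "Ban lines matched by failregex:      $(count_all_bans)"
    echo "Ban lines left after ignoreregex:    $(count_real_bans)"
    echo "Would be escalated by f2b-repeat2 (maxretry = 3):"
    repeat_candidates 3
}

main
```

Lines that say "Unban" or "Found" never match, because the failregex requires "Ban" directly after the closing bracket and whitespace. On a live VPS, fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/f2b-repeat.conf reports the same matched and ignored counts for the real log.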


 

Step 4

If the Fail2ban log file specified under logpath does not exist yet, Fail2ban will not start. Solve this by creating the file first:

touch /var/log/fail2ban.log

Step 5

Restart Fail2ban to process the changes:

systemctl restart fail2ban

Advanced / optional: extra filters / jails

Fail2ban comes with a number of filters / jails that you can find in /etc/fail2ban/filter.d/:

Step 1

View the standard filters / jails with:

ls /etc/fail2ban/filter.d/

You will see an overview as below:

[image: listing of the filter files in /etc/fail2ban/filter.d/]

Choose the name of the filter you want to use, for example apache-auth.conf.

Step 2

Open your jail:

nano /etc/fail2ban/jail.local

Step 3

You now add the filter jail using the following syntax:

[jailname]
enabled = true
filter = jailname
logpath = /var/log/yourlogfile

  • [jailname]: Replace this name with a name of your choice so you can easily recognize it when you check the status of Fail2ban.
  • enabled: Must always be true, otherwise your jail is disabled.
  • filter: Enter the name of the jail you have chosen here. For example, if you chose apache-auth.conf during step 1, enter apache-auth here.
  • logpath: Here you specify which file Fail2ban scans to search for attacks on your VPS.

Additional tips and commands

You check the status of Fail2ban with the following command:

fail2ban-client status

You can check the logs of Fail2ban with the following command:

nano /var/log/fail2ban.log

If you want to verify if Fail2ban is still running, use:

systemctl status fail2ban

After a change you restart Fail2ban with the following command:

systemctl restart fail2ban

The installation and configuration of Fail2ban on your VPS is complete. Your VPS is now protected against brute-force attacks!

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.
