After months of hard work on your project, you're finally ready to put it online and share it with the world. To do this, you choose a provider, purchase a VPS, and host your project there to make it publicly accessible. However, being publicly accessible means it becomes visible to everyone, and not everyone is well-intentioned. This is why we're showing you how to configure minimal security on your VPS with Fail2Ban.
Fail2Ban
Fail2Ban is a tool that bans IP addresses that interact suspiciously with your VPS. It analyzes log files (e.g., /var/log/apache/error_log) to identify suspicious behavior and bans the IP address responsible. What counts as suspicious is configurable: too many password failures, too many 404 requests on the web server, etc. Detection is configured through filters, and Fail2Ban ships with some very useful ones (SSH, Apache, Mail, etc.).
Fail2Ban can, for example, reduce the risk of your password being broken by brute force, but it can't help you when the password is easy to guess.
Installation and Configuration
Installation
In our example, we're using a VPS with Ubuntu 16.04: this is what we'll consider in the rest of our tutorial. Therefore, from now on, all commands entered will be Ubuntu commands.
Installation Command:
Installation is quite simple, as the package is already present in the default Ubuntu repository. Now, let's do a basic configuration of Fail2Ban.
General Settings
Fail2Ban is primarily configured in the "jail.conf" file located in the /etc/fail2ban/ folder. As its name suggests, this file is where the jailing rules for suspicious events are configured.
It contains the parameters that must be set to achieve the desired effect: the ban time, the action to take upon detection, and more.
IPs to Ignore
This is the list of IP addresses that Fail2Ban should ignore. You can pass a subnet, an IP address, or a hostname, separated by spaces. Requests from these addresses are never banned.
Ban Time
This is the time (in seconds) an IP remains banned once it is jailed.
Detection Parameters
These two parameters configure the detection behavior: maxretry is the number of times an event must be repeated before the IP is banned, and findtime is the time window (in seconds) within which those repetitions must occur.
Email Sending Settings
If you want to receive email alerts in case of detection, you must configure the following settings:
- destemail: The email address of the person who should receive the alerts.
- sendername: The sender name the email should be sent with, e.g. Hachther Security.
- mta: The service that will send the email, e.g. sendmail, mail, ...
Action in Case of Detection
This is where you configure what should be done when an anomaly is detected. This parameter has three possible values:
- action_: The IP address is simply banned.
- action_mw: The IP address is banned and an email is sent according to the settings configured above. This email contains information about the owner of the IP address.
- action_mwl: The IP address is banned and an email is sent. Unlike the previous case, the email contains both the information about the owner of the IP address and the relevant log lines.
Now that the general settings are complete, we can move on to configuring the jails.
Jail Configuration
A jail is a configuration that allows you to tell Fail2Ban to monitor a specific service and take appropriate action in the event of suspicious behavior.
Jail configuration is done in the same file as above (/etc/fail2ban/jail.conf): towards the end of the file, you should see "#JAILS". This is where the jail configuration begins.
A jail is configured as follows:
The port is the listening port of the service, and the logpath is the absolute path to the log file to be analyzed. All the parameters discussed above can also be set in a jail with different values if you want service-specific behavior.
Once your jail is configured, simply restart the Fail2Ban service for it to take the updates into account.
Note: The jail for SSH account protection is enabled by default.
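As an added example that is not part of the original tutorial or the Fail2Ban project, here is a small Python model of how the four settings above (ignoreip, bantime, findtime, maxretry) interact, run over constructed sshd-style log lines. Timestamps are simplified to integer seconds, and the regex is a hypothetical stand-in for the bundled sshd filter.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed values mirroring the jail.conf keys discussed in the tutorial.
IGNOREIP = "127.0.0.1/8 203.0.113.10"   # space-separated, as in jail.conf
BANTIME = 600      # seconds an IP stays banned
FINDTIME = 300     # window (seconds) in which failures are counted
MAXRETRY = 3       # failures within findtime that trigger a ban

# Hypothetical failregex in the spirit of the bundled sshd filter.
FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\S+) port \d+")

def parse_ignoreip(value):
    """Turn the space-separated ignoreip value into IP networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def is_ignored(host, nets):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in nets)

def run_jail(events, ignoreip=IGNOREIP, bantime=BANTIME,
             findtime=FINDTIME, maxretry=MAXRETRY):
    """events: (timestamp_seconds, log_line) pairs. Returns [(ts, host)] bans."""
    nets = parse_ignoreip(ignoreip)
    failures = defaultdict(list)   # host -> timestamps of matching failures
    banned_until = {}
    bans = []
    for ts, line in events:
        m = FAILREGEX.search(line)
        if not m:
            continue                       # line does not match the filter
        host = m.group("host")
        if is_ignored(host, nets) or banned_until.get(host, 0) > ts:
            continue                       # whitelisted, or ban still active
        hits = [t for t in failures[host] if t > ts - findtime] + [ts]
        failures[host] = hits              # keep only hits inside findtime
        if len(hits) >= maxretry:
            banned_until[host] = ts + bantime
            bans.append((ts, host))
            failures[host] = []            # counter resets once banned
    return bans

# Constructed sample log: one attacker, one whitelisted host, one success.
SAMPLE_EVENTS = [
    (0,    "sshd[1]: Failed password for root from 198.51.100.7 port 4000 ssh2"),
    (60,   "sshd[1]: Failed password for root from 198.51.100.7 port 4001 ssh2"),
    (100,  "sshd[1]: Failed password for admin from 203.0.113.10 port 4002 ssh2"),
    (120,  "sshd[1]: Failed password for root from 198.51.100.7 port 4003 ssh2"),
    (130,  "sshd[1]: Accepted publickey for deploy from 192.0.2.9 port 5000 ssh2"),
    (200,  "sshd[1]: Failed password for root from 198.51.100.7 port 4004 ssh2"),
    (900,  "sshd[1]: Failed password for root from 198.51.100.7 port 4005 ssh2"),
    (1300, "sshd[1]: Failed password for root from 198.51.100.7 port 4006 ssh2"),
]
```

With the defaults, 198.51.100.7 is banned at t=120 after its third failure inside the 300-second window; the failures at t=900 and t=1300 are more than findtime apart, so they never add up to a second ban, and 203.0.113.10 is never counted because it is in ignoreip.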