docs/security/using-fail2ban-for-security.md (49 additions, 45 deletions)
@@ -2,18 +2,18 @@
2
2
author:
3
3
name: Elle Krout
4
4
email: ekrout@linode.com
5
-
description: 'Use Fail2ban to block automated system attacks and further harden your server. Fail2ban monitors system logs for symptoms of an automated attack, bans the IP and alerts you of the attach through email.'
6
-
keywords: 'fail2ban'
5
+
description: 'Fail2ban monitors system logs for symptoms of an automated attack, bans the IP and alerts you of the attach through email. Use Fail2ban to thwart automated system attacks and further harden your server.'
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Linode. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables, thus blocking the IP address of the attacker, either for a set amount of time or permanently. Fail2ban will also alert you through email that an attack is occurring.
16
+
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Linode. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
17
17
18
18

19
19
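Review bot: the typo "attach" survives in the rewritten `description` line ("alerts you of the attach through email"); it should read "attack", and since the line is being rewritten anyway this is the place to fix it. Also, the `-` line for `keywords: 'fail2ban'` has no visible `+` counterpart in this hunk; confirm that front-matter key is retained rather than dropped.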
@@ -27,7 +27,7 @@ Fail2ban is primarily focused on SSH attacks, although it can be further configu
27
27
>
28
28
>Fail2ban is intended to be used in conjunction with an already-hardened server and should not be used as a replacement for secure firewall rules.
29
29
30
-
## Installing Fail2ban
30
+
## 1) Install Fail2ban
31
31
32
32
Follow the [Getting Started](/docs/getting-started) guide to configure your basic server. You may also want to review the [Securing Your Server](/docs/security/securing-your-server) guide before beginning.
33
33
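Review bot: renaming `## Installing Fail2ban` to `## 1) Install Fail2ban` changes the heading's generated anchor, so any existing links to `#installing-fail2ban` from other guides or external pages will break; check for inbound references (or add an alias) before merging. The same applies to every other heading renamed in this patch.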
@@ -121,55 +121,59 @@ Follow the [Getting Started](/docs/getting-started) guide to configure your basi
121
121
ufw allow ssh
122
122
ufw enable
123
123
124
-
## Configuring Fail2ban
124
+
## 2) Configure Fail2ban
125
125
126
-
Fail2ban reads its configuration files so that all `.conf` files are read first and`.local` files override any settings. Because of this, all changes to the configuration are generally done in `.local` files, leaving the `.conf` files untouched.
126
+
Fail2ban reads `.conf`configuration files first, then`.local` files override any settings. Because of this, all changes to the configuration are generally done in `.local` files, leaving the `.conf` files untouched.
127
127
128
-
### fail2ban.local Configuration
128
+
### Configure fail2ban.local
129
129
130
-
1.The file `fail2ban.conf` contains the default configuration profile. The default settings will give you a sane and working setup so this is the best place to start. If you want to make any changes, it's best to do it in a separate file, `fail2ban.local`, which overrides `fail2ban.conf`. Rename a copy `fail2ban.conf` to `fail2ban.local`.
130
+
1.`fail2ban.conf` contains the default configuration profile. The default settings will give you a reasonable working setup. If you want to make any changes, it's best to do it in a separate file, `fail2ban.local`, which overrides `fail2ban.conf`. Rename a copy `fail2ban.conf` to `fail2ban.local`.
3. From here, you can opt to edit the definitions in `fail2ban.local` to match your desired configuration. The values that can be changed are:
134
+
2. From here, you can opt to edit the definitions in `fail2ban.local` to match your desired configuration. The values that can be changed are:
135
135
136
136
-`loglevel`: The level of detail that Fail2ban's logs provide can be set to 1 (error), 2 (warn), 3 (info), or 4 (debug).
137
-
-`logtarget`: Logs actions into a specific file. The default value of `/var/log/fail2ban.log` puts all logging into the defined file. Alternately, you can change the value to STDOUT, which will output any data; STDERR, which will output any errors; SYSLOG, which is message-based logging; and FILE, which outputs to a file.
137
+
-`logtarget`: Logs actions into a specific file. The default value of `/var/log/fail2ban.log` puts all logging into the defined file. Alternately, you can change the value to:
138
+
-`STDOUT`: output any data
139
+
-`STDERR`: output any errors
140
+
-`SYSLOG`: message-based logging
141
+
-`FILE`: output to a file
138
142
-`socket`: The location of the socket file.
139
143
-`pidfile`: The location of the PID file.
140
144
141
-
### jail.local Basic Configuration
145
+
##3) Configure jail.local Settings
142
146
143
-
1. The `jail.conf` file will enable Fail2ban for SSH by default for Debian and Ubuntu, but not CentOS. All other protocols and configurations (HTTP, FTP, etc.) are commented out. If you want to change this, it's recommended to create a `jail.local` for editing just like you did with `fail2ban.local`.
147
+
1. The `jail.conf` file will enable Fail2ban for SSH by default for Debian and Ubuntu, but not CentOS. All other protocols and configurations (HTTP, FTP, etc.) are commented out. If you want to change this, create a `jail.local` for editing:
2.**If using CentOS or Fedora** you will need to change the `backend` option in `jail.local` from *auto* to *systemd*. This is not necessary on Debian 8 or Ubuntu 16.04, even though both use systemd as well.
148
152
149
-
{: .file-excerpt}
150
-
/etc/fail2ban/jail.local
151
-
: ~~~ conf
152
-
# "backend" specifies the backend used to get files modification.
153
-
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
154
-
# This option can be overridden in each jail as well.
155
-
156
-
. . .
157
-
158
-
backend = systemd
159
-
~~~
153
+
{: .file-excerpt}
154
+
/etc/fail2ban/jail.local
155
+
: ~~~ conf
156
+
# "backend" specifies the backend used to get files modification.
157
+
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
158
+
# This option can be overridden in each jail as well.
159
+
160
+
. . .
161
+
162
+
backend = systemd
163
+
~~~
160
164
161
-
3.No jails are enabled by default in CentOS 7. For example, to enable the SSH daemon jail, uncomment the following lines in `jail.local:
165
+
No jails are enabled by default in CentOS 7. For example, to enable the SSH daemon jail, uncomment the following lines in `jail.local`:
162
166
163
-
{: .file-excerpt}
164
-
/etc/fail2ban/jail.local
165
-
: ~~~ conf
166
-
[sshd]
167
-
enabled = true
168
-
~~~
167
+
{: .file-excerpt}
168
+
/etc/fail2ban/jail.local
169
+
: ~~~ conf
170
+
[sshd]
171
+
enabled = true
172
+
~~~
169
173
170
-
#### IP Whitelisting
174
+
###Whitelist IP
171
175
172
-
Add any IPsto the `ignoreip` line that you wish Fail2ban to ignore. By default, this command will not ban the localhost. If you work from a single IP address often, it may be beneficial to add it to the ignore list:
176
+
To ignore specific IPs, add them to the `ignoreip` line. By default, this command will not ban the localhost. If you work from a single IP address often, it may be beneficial to add it to the ignore list:
173
177
174
178
{: .file-excerpt}
175
179
/etc/fail2ban/jail.local
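Review bot: several new lines are missing the space Markdown requires after the marker and will not render as intended: `##3) Configure jail.local Settings` and `###Whitelist IP` (no space after `#`), and the list items `1.\`fail2ban.conf\`` and `2.**If using CentOS or Fedora**` (no space after the number). Likewise "Fail2ban reads `.conf`configuration files first, then`.local` files" needs spaces around the code spans. In the jail.local steps, dropping the `3.` prefix from "No jails are enabled by default in CentOS 7" leaves that paragraph orphaned between numbered steps; either keep it as step 3 or fold it into step 2. Finally, in the whitelist paragraph "By default, this command will not ban the localhost" refers to the `ignoreip` setting, not a command; suggest "this setting".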
@@ -182,13 +186,13 @@ Add any IPs to the `ignoreip` line that you wish Fail2ban to ignore. By default,
182
186
ignoreip = 127.0.0.1/8 123.45.67.89
183
187
~~~
184
188
185
-
If you wish to whitelist IPs only for certain jails, this can be done with the `fail2ban-client` command. Replace `JAIL` with the name of your fail, and `123.45.67.89` with the IP you wish to whitelist.
189
+
If you wish to whitelist IPs only for certain jails, this can be done with the `fail2ban-client` command. Replace `JAIL` with the name of your jail, and `123.45.67.89` with the IP you wish to whitelist.
186
190
187
191
fail2ban-client set JAIL addignoreip 123.45.67.89
188
192
189
-
####Ban Time and Retry Amount
193
+
### Ban Time and Retry Amount
190
194
191
-
The`bantime`, `findtime`, and `maxretry`then need to be set. These are the values that define the circumstances and the length of time of a ban.
195
+
Set`bantime`, `findtime`, and `maxretry` to define the circumstances and the length of time of a ban:
192
196
193
197
{: .file-excerpt}
194
198
/etc/fail2ban/jail.local
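Review bot: the `fail` to `jail` fix is correct, but the example address `123.45.67.89` used in both the `ignoreip` line and the `fail2ban-client set JAIL addignoreip` command is a real, routable address; documentation examples should use an RFC 5737 range such as `203.0.113.10`. It is also worth adding that `fail2ban-client set ... addignoreip` changes the running server only and is lost on restart, so a permanent per-jail whitelist belongs under the jail's own section in `jail.local` as an `ignoreip` line.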
@@ -208,9 +212,9 @@ The `bantime`, `findtime`, and `maxretry` then need to be set. These are the val
208
212
209
213
-`maxretry`: How many attempts can be made to access the server from a single IP before a ban is imposed. The default is set to 3.
210
214
211
-
####Email Alerts
215
+
### Email Alerts
212
216
213
-
If you wish to receive email when Fail2ban is triggered, adjust the email settings:
217
+
To receive email when fail2ban is triggered, adjust the email settings:
214
218
215
219
-`destemail`: The email address where you would like to receive the emails.
216
220
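Review bot: "To receive email when fail2ban is triggered" lowercases the product name while the rest of the guide writes "Fail2ban"; keep it consistent. Separately, the unchanged context line states that `maxretry` defaults to 3; the `jail.conf` shipped with Fail2ban 0.9 (the version on the Debian 8 and Ubuntu 16.04 releases this guide references) sets `maxretry = 5`, so please verify that value against the packaged file while this section is being edited.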
@@ -224,7 +228,7 @@ If you wish to receive email when Fail2ban is triggered, adjust the email settin
224
228
225
229
You will also need to adjust the `action` setting, which defines what actions occur when the threshold for ban is met. The default, `%(action_)s`, only bans the user. `%(action_mw)s` will ban and send an email with a WhoIs report; while `%(action_mwl)s` will ban and send an email with the WhoIs report and all relevant lines in the log file. This can also be changed on a jail-specific basis.
226
230
227
-
### Jail Configuration
231
+
### Other Jail Configuration
228
232
229
233
Beyond the basic settings address above, `jail.local` also contains various jail configurations for a number of common services, including SSH. By default, only SSH is enabled.
230
234
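Review bot: the unchanged context line "By default, only SSH is enabled." contradicts the CentOS 7 paragraph earlier in this patch ("No jails are enabled by default in CentOS 7"); since the heading is being renamed to "Other Jail Configuration", qualify the sentence, e.g. "On Debian and Ubuntu, only SSH is enabled by default." Two smaller points in the same context: "Beyond the basic settings address above" should be "addressed", and `%(action_)s` "only bans the user" should say it bans the offending IP address, since Fail2ban acts on source addresses, not user accounts.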
@@ -255,11 +259,11 @@ An average jail configuration will resemble the following:
255
259
256
260
## Failregexs
257
261
258
-
Although Fail2ban comes with a number of filters for use, you may want to further customize these filters or create your own to suit your needs. Fail2ban uses *regular expressions* (*regex*) to parse log files, looking for instances of attempted break-ins and password failures. Fail2ban uses Python's regex extensions.
262
+
Although Fail2ban comes with a number of filters, you may want to further customize these filters or create your own to suit your needs. Fail2ban uses *regular expressions* (*regex*) to parse log files, looking for instances of attempted break-ins and password failures. Fail2ban uses Python's regex extensions.
259
263
260
-
The best way to understand how failregex works is to write one. Although we do not advise having Fail2ban monitor your Wordpress' `access.log` on heavily-trafficked websites due to CPU concerns, it provides an instance of an easy-to-understand log file that you can use to learn about the creation of any failregex.
264
+
The best way to understand how failregex works is to write one. Although we do not advise having Fail2ban monitor your Wordpress's`access.log` on heavily-trafficked websites due to CPU concerns, it provides an instance of an easy-to-understand log file that you can use to learn about the creation of any failregex.
261
265
262
-
### Writing the Regex
266
+
### Write a Regex for Fail2ban
263
267
264
268
1. Navigate to your website's `access.log` (generally located at `/var/www/example.com/logs/access.log`) and find a failed login attempt. It will resemble:
265
269
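Review bot: "Wordpress's`access.log`" drops the space before the code span and will render as run-together text; the product is also spelled "WordPress". While touching this paragraph, consider pointing readers to the `fail2ban-regex` tool, which tests a candidate `failregex` against a log file before the filter is enabled; this section walks through writing one by hand, and a mistaken pattern either bans nothing or bans legitimate clients.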
@@ -313,7 +317,7 @@ The best way to understand how failregex works is to write one. Although we do n