Secure your server with Fail2ban (simple and effective)

What is Fail2ban ?

Fail2ban is an open source intrusion prevention tool that protects your servers from brute-force attacks.

Brute force is a type of attack in which a malicious client tries to guess login credentials using a dictionary or randomly generated passphrases.

In our latest Seedbox version, we have Fail2ban pre-installed with our best practice rules to ensure good baseline protection from malicious attacks.

However, our configuration is just the tip of the iceberg when it comes to the abilities of this great application.

If you joined RapidSeedbox before October 2016, chances are you don’t have Fail2ban preinstalled on your machine.
To upgrade your Seedbox, simply contact us via the live chat or open a ticket in your client area.

In this article, we’ll dive deeper into how to better secure your SSH and Apache services, which are usually the “public gateways” that attackers most commonly try to find their way in through.

What is SSH?

SSH is a secure protocol for establishing remote connections between two hosts over unencrypted networks. By default, it operates on port 22.

The main advantage over all other protocols used for remote access is the way SSH handles communication.

When the user tries to establish a connection to a server, the SSH client sends a request to the server.

If everything is fine, the server sends a confirmation message.

After the client receives that message, it sends another request and establishes the connection.

This exchange is also known as a three-way handshake.

What makes SSH interesting to intruders is the fact that compromising it makes the attacker the owner of the whole server. For that reason, it is essential to protect and tune your SSH server with Fail2ban.

What is Apache?

Apache is the most popular HTTP server for delivering web content.

Whenever you visit a webpage in your browser, a web server delivers that content to your browser.

The two most common ports used for HTTP connections are port 80 and port 443.

The difference between these ports is the protocol: web content can be served over HTTP or HTTPS.
HTTPS is the secure version of HTTP, meaning that traffic between client and server is encrypted.

In our new template, our torrent clients, for example ruTorrent, are pre-configured to use an HTTPS connection with a self-signed certificate.

1. Installing Fail2ban

Fail2ban is available in the default Ubuntu repositories, so you can easily install it by running the following commands:

Enable the service to start during system boot:

Start the service:

2. Configure protection for Apache and SSH

The default configuration file of Fail2ban is jail.conf, located in the /etc/fail2ban/ directory.

It contains a set of pre-configured rules for various services, so it is recommended that you do not edit this file directly.

3. Secure Apache

You should create a new configuration file for Apache:

Paste the following rule set:

4. Secure SSH

You should create a new configuration file for the OpenSSH service:

Add the following rules:
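Since the page does not reproduce the rule sets for steps 3 and 4, here is an added example (not RapidSeedbox’s shipped rules and not Fail2ban’s own code) of a jail.local that enables the stock sshd and apache-auth jails, together with a small parser that resolves each jail’s effective settings the way Fail2ban does, with [DEFAULT] values inherited and jail-specific values overriding them. The filter names and the Ubuntu log paths are the real ones shipped with Fail2ban; the numeric limits and the 192.168.1.0/24 ignore range are example choices.

```python
"""Added example: a jail.local for the sshd and apache-auth jails plus a
resolver that shows which settings each enabled jail ends up with."""
import configparser
from pathlib import Path

# Constructed jail.local. Filter names (sshd, apache-auth) and log paths are
# the stock Ubuntu ones; the numeric limits and ignoreip range are assumptions.
JAIL_LOCAL = """\
[DEFAULT]
# Never ban loopback or the (assumed) management network
ignoreip  = 127.0.0.1/8 ::1 192.168.1.0/24
bantime   = 3600
findtime  = 600
maxretry  = 5
banaction = iptables-multiport

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
# SSH gets a stricter limit than the global default
maxretry = 3

[apache-auth]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/error.log
"""


def write_jail_local(target_dir: str) -> Path:
    """Write the example jail.local into target_dir
    (on a real host that would be /etc/fail2ban)."""
    path = Path(target_dir) / "jail.local"
    path.write_text(JAIL_LOCAL)
    return path


def effective_settings(text: str) -> dict:
    """Return {jail: {key: value}} for every enabled jail, with [DEFAULT]
    values inherited and the jail's own keys overriding them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    result = {}
    for jail in cp.sections():
        if cp[jail].getboolean("enabled", fallback=False):
            # a SectionProxy already merges DEFAULT with the section's own keys
            result[jail] = {key: cp[jail][key] for key in cp[jail]}
    return result


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        written = write_jail_local(tmp)
        for jail, settings in effective_settings(written.read_text()).items():
            print(jail, "maxretry=%s bantime=%s findtime=%s logpath=%s" % (
                settings["maxretry"], settings["bantime"],
                settings["findtime"], settings["logpath"]))
```

Keeping the overrides in jail.local rather than editing jail.conf means a package upgrade cannot silently replace your limits, and the resolver makes it easy to confirm that the stricter maxretry applies only to sshd while apache-auth still inherits the global value.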

5. Starting Fail2ban

Once you are finished with the configuration, save the files and restart the Fail2ban service:

You can verify the rules that Fail2ban added to iptables using the following command:

Output should look like this:

6. Verify your configurations

Once everything is up-to-date, you can verify your configurations as follows:

You should see the list of all enabled jails:

Status:

If you want to see the status of a specific jail, run the following command:

Output:

It is also possible to ban or unban any IP address manually. For example, if you want to ban the IP address 192.168.1.10 in the apache jail, run:

To unban the IP address 192.168.1.10 in the apache jail:

7. Testing

Once everything is set up, it’s time to test our rules.

From another system, try to SSH into the Fail2ban server with the following command:

Enter a wrong password at the password prompt. Repeat this a few times; once the limit is exceeded, the Fail2ban server will stop responding with the Permission denied message.

This means that your second system has been banned by your Fail2ban-enabled server. Great work!

On your Fail2ban server, you can check the new iptables rule with the following command:

As you can see, there is a new rule that rejects traffic to the SSH port coming from our second server’s IP address.

You can also check the status of the SSH jail with the following command:

You should see that the IP address 192.168.1.250 has been banned:
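To make the ban in the test above reproducible offline, here is an added example (not Fail2ban’s own code) that re-implements what the sshd jail does with /var/log/auth.log: match “Failed password” lines with a simplified form of the stock sshd failregex, count failures per client IP inside a sliding findtime window, and flag the host the moment it reaches maxretry. The auth.log lines are constructed, the regex is deliberately narrower than the real filter, and the default limits (maxretry 3, findtime 600) are assumptions.

```python
"""Added example: a minimal simulation of the sshd jail's failregex and
maxretry/findtime counting over a constructed auth.log sample."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified version of the stock sshd failregex (assumption): captures the
# syslog timestamp and the client IP from "Failed password" lines, including
# the "invalid user" variant.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed sample: 192.168.1.250 fails four times within seconds,
# 10.0.0.7 fails twice twenty minutes apart, and one successful login is noise.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 seedbox sshd[2101]: Failed password for root from 192.168.1.250 port 51234 ssh2
Jan 12 10:00:02 seedbox sshd[2103]: Accepted publickey for deploy from 10.0.0.9 port 40001 ssh2
Jan 12 10:00:04 seedbox sshd[2105]: Failed password for invalid user admin from 192.168.1.250 port 51236 ssh2
Jan 12 10:00:06 seedbox sshd[2107]: Failed password for root from 10.0.0.7 port 33001 ssh2
Jan 12 10:00:07 seedbox sshd[2109]: Failed password for root from 192.168.1.250 port 51238 ssh2
Jan 12 10:00:09 seedbox sshd[2111]: Failed password for root from 192.168.1.250 port 51240 ssh2
Jan 12 10:20:00 seedbox sshd[2301]: Failed password for root from 10.0.0.7 port 33002 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, host) for every line the failregex matches.
    syslog lines carry no year, so one is supplied (constructed)."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]


def find_bans(log_text, maxretry=3, findtime=600):
    """Apply jail semantics: a host is banned as soon as it has `maxretry`
    failures inside any `findtime`-second window. Returns {host: ban_time}."""
    window = defaultdict(deque)
    bans = {}
    for ts, host in parse_failures(log_text):
        if host in bans:
            continue  # already banned; iptables would drop further attempts
        recent = window[host]
        recent.append(ts)
        # forget failures that fell out of the findtime window
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"{host} banned at {when:%H:%M:%S}")
```

Running it shows 192.168.1.250 banned on its third failure at 10:00:07, while 10.0.0.7 is never banned because its two failures are farther apart than findtime; loosening the jail to maxretry 2 and findtime 3600 would catch both, which is the trade-off you are making whenever you tune these two values.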

Conclusion

Fail2ban is a vital service for protecting your services against brute-force and other attacks.

By using our services, your Seedbox is protected against various types of attacks.

Your files and running services will stay well protected.