Fail2ban is a useful tool for further server hardening. It is not a replacement for disabling password authentication or changing the server's SSH port. Our guide on best security practices for a Linux server walks you through those primary best practices.
This guide covers installing Fail2ban and some initial configuration. Fail2ban scans log files for repeated failures, identifies the offending IP addresses, and can then automatically update the server's firewall rules to block them. Filters are available for several services that may be running on the system, including SSH servers, HTTP servers, FTP servers, mail servers, and more.
Step 1: First, update the system and install the EPEL repository.
You have now made a copy of the default configuration profile for Fail2ban. Fail2Ban will use the settings in fail2ban.local over the settings in fail2ban.conf, and fail2ban.conf should remain untouched.
Step 2: Create a copy of jail.conf named jail.local.
Similarly, Fail2ban will use the settings in jail.local over the settings in jail.conf, and jail.conf should remain untouched.
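The two steps above as a small POSIX shell script. This is an added example rather than code from the original guide; it assumes a CentOS/RHEL host where the fail2ban package comes from EPEL via yum, and that the configuration directory is /etc/fail2ban (the copy function takes the directory as a parameter so it can be exercised against a scratch directory). The system-changing part only runs when FAIL2BAN_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original guide): Steps 1 and 2 as reusable
# functions. Assumed environment: CentOS/RHEL with yum, fail2ban from EPEL,
# config directory /etc/fail2ban.

# Step 1: update the system, add the EPEL repository, install fail2ban.
install_fail2ban() {
    yum -y update &&
    yum -y install epel-release &&
    yum -y install fail2ban
}

# Steps 1 and 2: create fail2ban.local and jail.local as copies of the
# shipped .conf files. The .conf originals are never modified, and an
# existing .local file is left alone so re-running never clobbers edits.
make_local_copies() {
    dir="${1:-/etc/fail2ban}"
    for name in fail2ban jail; do
        src="$dir/$name.conf"
        dst="$dir/$name.local"
        if [ ! -f "$src" ]; then
            echo "missing $src; is fail2ban installed?" >&2
            return 1
        fi
        if [ -e "$dst" ]; then
            echo "$dst already exists, leaving it untouched" >&2
            continue
        fi
        cp -p "$src" "$dst" || return 1
    done
}

# Only touch the real system when explicitly asked:
#   FAIL2BAN_APPLY=1 sh ./setup-fail2ban.sh
if [ "${FAIL2BAN_APPLY:-0}" = "1" ]; then
    install_fail2ban
    make_local_copies
fi
```

Keeping the copy step idempotent matters in practice: configuration management tools tend to re-run setup scripts, and an unconditional cp would silently discard every edit made to jail.local since the first run.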
Configure .local File Settings
fail2ban.local: Within fail2ban.local, you have the option to re-define values for the following:
loglevel
Value can be: CRITICAL, ERROR, WARNING, NOTICE, INFO or DEBUG.
DEBUG is not recommended – it might cause fail2ban to fall into an infinite loop, constantly feeding itself with non-informative lines.
logtarget
Value can be a file, SYSLOG, STDERR or STDOUT.
Only one log target can be specified.
Default = /var/log/fail2ban.log
socket
This is used to communicate with the fail2ban daemon. Removing this file will make communicating with the fail2ban server impossible.
Value can be a file.
Default = /var/run/fail2ban/fail2ban.sock
pidfile
This is used to store the process ID of the fail2ban server.
Default = /var/run/fail2ban/fail2ban.pid
dbfile
This is used to store the fail2ban persistent data.
Value can be a file or ":memory:".
Default = /var/lib/fail2ban/fail2ban.sqlite3
:memory: will result in the database being stored in memory, so the data is lost when fail2ban is stopped.
dbpurgeage
This determines the age at which bans will be purged from the database.
Default = 1d (24 hours)
syslogsocket (only used when logtarget is SYSLOG)
Value can be "auto" or a file.
auto uses platform.system() to determine predefined paths.
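A fail2ban.local that overrides a few of the options listed above. This is an added example, not the original guide's file: it assumes the options live under the [Definition] section, as in the shipped fail2ban.conf, and the non-default value for dbpurgeage is a choice made for illustration.

```ini
# fail2ban.local (added example, not from the original guide).
# Only the keys being changed need to appear; anything omitted keeps the
# value from fail2ban.conf, which stays untouched.
[Definition]
# INFO gives enough detail to audit bans; DEBUG is avoided for the
# feedback-loop reason given above.
loglevel = INFO
# A dedicated file keeps fail2ban's own events separate from syslog and makes
# them easy to ship to a SIEM. Only one target is allowed.
logtarget = /var/log/fail2ban.log
# Consulted only when logtarget = SYSLOG, so left at auto.
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
# An on-disk database keeps bans across restarts; :memory: would forget them,
# so a reboot would unban every address at once.
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Keep ban history for seven days (604800 s) instead of the default 1d, so the
# database still shows repeat offenders when reviewing an incident.
dbpurgeage = 604800
```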
jail.local: Within jail.local, definitions under [DEFAULT] define that option for every jail. Re-defining these options within an individual jail (e.g. [sshd]) overrides the definition under [DEFAULT].
This means that the [apache-auth] jail can use the [DEFAULT] bantime, findtime, and maxretry, while each of these can be re-defined under the [sshd] jail.
*Important note: By default, the enabled option under [DEFAULT] is set to false. This means all jails are disabled by default. Jails should be individually enabled by setting the enabled option within the specific jail's section.
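A jail.local illustrating the inheritance described above: [DEFAULT] supplies bantime, findtime and maxretry to every jail, [sshd] overrides two of them and [apache-auth] inherits all three, and each jail is switched on with its own enabled line. This is an added example, not the original guide's file; the numeric values and the 192.0.2.0/24 management subnet in ignoreip are constructed for illustration.

```ini
# jail.local (added example, not from the original guide).
# Values under [DEFAULT] apply to every jail; a jail's own section overrides them.
[DEFAULT]
# Constructed values for this example, not recommendations from the guide.
# Times are in seconds so they parse on any fail2ban release.
bantime  = 600
findtime = 600
maxretry = 5
# Addresses that are never banned: loopback plus a constructed management
# subnet, so an operator typo cannot lock the admin host out.
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
# Jails are off unless enabled is set to true in the jail's own section.
enabled  = true
# Overrides for SSH only: fewer attempts and a longer ban.
maxretry = 3
bantime  = 3600

[apache-auth]
# No overrides here, so bantime, findtime and maxretry come from [DEFAULT].
enabled  = true
```

After editing, restart or reload the service (for example systemctl restart fail2ban on a systemd host) so the new jail definitions take effect; leaving enabled at its false default in [DEFAULT] and turning jails on one by one keeps a filter from being applied to a log the host does not actually write.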