brute-force attacks. It can protect your SSH service against brute-force attacks by blocking the source IP, putting a brake on the attack. This post is about how to configure fail2ban to secure your server.
We will also update these SELinux security policy packages, if there's any update available.
selinux-policy.noarch
selinux-policy-targeted.noarch
[root@debyum ~]# yum update selinux-policy*
Configuring Fail2ban.
All the files of the fail2ban service are stored in the /etc/fail2ban directory. Here's a list of the files in /etc/fail2ban:
[root@debyum ~]# ls -l /etc/fail2ban/
total 64
jail.conf is the main configuration file, but we won't edit this file as it can be overwritten by package upgrades.
To avoid that we can create a local configuration file
at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/local.conf.
We will use /etc/fail2ban/jail.local and will place our configuration in this file. Any values defined in this file will override the same values in jail.conf.
[DEFAULT]
usedns = no
We will set the list of IPs we want fail2ban to ignore. These can be the IPs of your personal computer or other devices that you trust.
We can do this by defining the ignoreip variable:
[root@debyum ~]# cd /etc/fail2ban
......
......
For example, if you want to whitelist IPs only for SSH, then use:
fail2ban-client set sshd addignoreip 192.168.122.0/24
We will set the bantime parameter, which sets the length of time that a client will be banned when they fail to authenticate correctly. We will set it to 600 seconds, or 10 minutes.
......
......
bantime = 600
Now we will use maxretry and findtime to set a condition in which a user can have a maximum of 3 (maxretry) attempts in 10 minutes (findtime). After 3 failed attempts the user will be banned for 10 minutes (bantime).
......
......
# Fail2ban will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
maxretry = 3
findtime = 600
You should set maxretry as low as you can afford and bantime as high as you want.
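To make the interaction of maxretry, findtime and bantime concrete, here is an added shell example (not from the original post) that replays constructed sshd-style log lines through the same counting rule fail2ban applies: an IP is banned once it accumulates maxretry failures inside a sliding findtime window, and the ban lasts bantime seconds. The log lines, IP addresses and epoch timestamps are constructed for the example, and the function name fail2ban_simulate is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: replay constructed sshd-style log lines
# through the maxretry / findtime / bantime rule to see which IPs would be banned.

# Constructed sample log. Each line is "<epoch seconds> <sshd message>", sorted by time.
# 203.0.113.10 fails three times inside 300 s; 198.51.100.7 fails three times 700 s apart.
SAMPLE_LOG='1000 Failed password for invalid user admin from 203.0.113.10 port 51111 ssh2
1100 Failed password for root from 203.0.113.10 port 51112 ssh2
1200 Failed password for root from 198.51.100.7 port 40000 ssh2
1300 Failed password for root from 203.0.113.10 port 51113 ssh2
1400 Accepted publickey for deploy from 192.0.2.5 port 22222 ssh2
1900 Failed password for root from 198.51.100.7 port 40001 ssh2
2600 Failed password for root from 198.51.100.7 port 40002 ssh2'

# fail2ban_simulate MAXRETRY FINDTIME BANTIME   (log lines on stdin)
# Prints one "ban <ip> at <ts> until <ts+bantime>" line per banned IP.
fail2ban_simulate() {
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" '
        /Failed password/ {
            ts = $1 + 0
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || ip in banned) next       # already banned: stop counting this IP
            n[ip]++
            t[ip, n[ip]] = ts                        # remember every failure time for this IP
            recent = 0
            for (j = 1; j <= n[ip]; j++)             # count failures inside the findtime window
                if (t[ip, j] > ts - findtime) recent++
            if (recent >= maxretry) {
                banned[ip] = 1
                printf "ban %s at %d until %d\n", ip, ts, ts + bantime
            }
        }'
}

# Same settings as the jail.local above: 3 failures in 600 s, banned for 600 s.
printf '%s\n' "$SAMPLE_LOG" | fail2ban_simulate 3 600 600
# Widening findtime to 1500 s also catches the slower attacker.
printf '%s\n' "$SAMPLE_LOG" | fail2ban_simulate 3 1500 600
```

With the values from jail.local the first run bans only 203.0.113.10, because 198.51.100.7 never has three failures inside one 600 second window; that is exactly the gap a short findtime leaves open, and the second run shows a longer window closing it. Real fail2ban parses timestamps out of the log format itself and also honours ignoreip, both of which this simulation leaves out.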
If you are running nginx and have password protected some part of a website that you want to protect against brute-force attacks, then enable [nginx-http-auth] to protect this service.
[root@debyum fail2ban]# vi jail.local
......
......
[nginx-http-auth]
enabled = true
[DEFAULT]
bantime = 3600
maxretry = 5
findtime = 600
[nginx-http-auth]
enabled = true
fail2ban.filtersystemd Issue.
There's an issue with fail2ban working with systemd, which can be resolved with a minor change in the /etc/fail2ban/jail.d/00-systemd.conf file.
Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries,
which is not advised for performance reasons.
[DEFAULT]
backend=auto
Configuring SSH.
Now we will enable the SSH jail in fail2ban and then configure the SSH service parameters to make it work.
The best way to configure a service in fail2ban is to create a dedicated file for that service in the jail.d directory.
So we will create a file named sshd.local in the jail.d directory.
[root@debyum fail2ban]# vi jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 600
Status
|- Number of jail: 2
bantime = 600
sender = fail2ban@debyum.com
destemail = engy@debyum.com
action = %(action_mwl)s
Conclusion
Fail2ban is very easy to configure and very useful in protecting your services that use authentication against brute-force attacks. Configure it carefully.
If you want to learn more about hardening the SSH service in detail, then you should read this post.
That's all you need to know on how to configure Fail2ban to secure your server.
I have tried to cover all the basic to advanced concepts with their examples.
Still, if I have made any kind of mistake or missed anything, please update us through the comment box. I will keep updating the same based on the feedback received.
Source: https://www.debyum.com/secure-server-using-fail2ban/