Minimum security for your VPS with Fail2Ban
After months of hard work on our project, we are finally ready to put it online and share it with the whole world. To do this, we pick a provider, buy a VPS and host the project there so that it is publicly accessible. But being publicly accessible also makes it visible to everyone, and not everyone is well-intentioned. This is why we show you how to set up a minimum level of security on your VPS with Fail2Ban.
Fail2Ban is a tool that bans IP addresses whose interactions with your VPS look suspicious. It scans log files (/var/log/apache/error_log, for example) to spot suspicious behaviour and bans the IP responsible. Detection is configurable according to what you are looking for: too many password failures, too many 404 requests on the web server, and so on. It is configured through filters, and a number of useful ones (SSH, Apache, mail, etc.) ship with the installation.
As noted, Fail2Ban reduces the chance of an attacker finding your password by brute force, but it cannot help if the password is easy to guess in the first place.
Installation and Configuration
In our example we use a VPS running Ubuntu 16.04, and that is what the rest of this tutorial assumes: all the commands shown are Ubuntu commands.
sudo apt-get update
sudo apt-get install fail2ban
The installation is straightforward, since the package is already in the default Ubuntu repository. Now let's do a basic configuration of Fail2Ban.
Fail2Ban's configuration lives mainly in the jail.conf file in the /etc/fail2ban/ folder. As its name suggests, this file defines the rules for putting an IP in jail after a suspicious event. Note that package upgrades overwrite jail.conf; Fail2Ban also reads a jail.local file in the same folder, whose values override those of jail.conf, so that is the safer place to put your own changes.
This file contains the parameters you need to adjust to get the desired behaviour, such as the ban time and the action to take on detection.
IPs to ignore
...
ignoreip = 127.0.0.1/8
...
This is the list of IPs that Fail2Ban must ignore. You can give a subnet, an IP address or a host name, using the space character as separator; requests from these addresses are never counted or banned.
...
bantime = 600
...
This is the time (in seconds) for which an IP remains banned once it has been put in jail.
...
findtime = 600
maxretry = 3
...
These two parameters configure the detection behaviour. maxretry is the number of occurrences of an event after which an action is taken, and findtime is the time window (in seconds) within which the event must repeat maxretry times for that to happen.
Email notification settings
...
destemail = root@localhost
sendername = Fail2Ban
mta = sendmail
...
If you want to receive an email alert on each detection, you must configure the following settings:
- destemail: the email address of the person who should receive the alerts.
- sendername: the sender name the mail should be sent with, e.g. Hachther Security.
- mta: the service that will send the mail, e.g. sendmail, mail, ...
Action in case of detection
...
action = %(action_)s
...
This is where you set what should be done when an anomaly is detected. This parameter takes three possible values:
- action_: the IP address is simply banned.
- action_mw: the IP address is banned and an email is sent according to the settings configured above. The mail contains information about the owner of the IP address (whois).
- action_mwl: the IP address is banned and an email is sent. In addition to the owner information of the previous case, the mail also includes the relevant log lines.
With the general configuration done, we can now move on to configuring the jails.
A jail is a configuration that tells Fail2Ban to monitor a specific service and take the appropriate actions when suspicious events occur.
The jails are configured in the same file as before (/etc/fail2ban/jail.conf): towards the end of the file you should see "#JAILS". This is where the jail configuration begins.
A jail is configured as follows:
[jail_to_enable]
...
enabled = true
port = [port]
logpath = [path to log]
...
Here port is the port the service listens on and logpath is the absolute path to the log file to scan. All the parameters seen earlier can also be set inside a jail with different values if you want that jail to behave differently from the defaults.
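To see how the parameters above (ignoreip, bantime, findtime, maxretry) and the per-jail overrides interact, here is an added example that is not part of the original tutorial: a small Python script that parses a constructed jail.local (jail.local overrides jail.conf and survives package upgrades), reads the effective settings of an sshd jail that overrides maxretry, and replays constructed Ubuntu 16.04 auth.log lines through the same findtime/maxretry/bantime rules. The file contents, log lines, addresses (TEST-NET ranges) and the simplified "Failed password" pattern are all assumptions made for the example; Fail2Ban's real sshd filter matches many more message variants, and this simulation only approximates its decisions, it does not touch any firewall.

```python
import configparser
import ipaddress
import re
from datetime import datetime

# Constructed jail.local for this example (not the tutorial's file).
# Values in [DEFAULT] apply to every jail unless the jail sets its own.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.0/24
bantime = 600
findtime = 600
maxretry = 3
banaction = iptables-multiport
action_ = %(banaction)s
action = %(action_)s
enabled = false

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 2
"""

# Constructed auth.log lines (syslog format, TEST-NET addresses).
SAMPLE_AUTH_LOG = """\
Mar 15 10:00:01 vps sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 15 10:00:03 vps sshd[2203]: Failed password for root from 198.51.100.9 port 40112 ssh2
Mar 15 10:00:05 vps sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 15 10:00:06 vps sshd[2207]: Failed password for root from 198.51.100.9 port 40113 ssh2
Mar 15 10:00:09 vps sshd[2209]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 15 10:00:10 vps sshd[2211]: Failed password for root from 198.51.100.9 port 40114 ssh2
Mar 15 10:01:00 vps sshd[2213]: Failed password for ubuntu from 203.0.113.8 port 38800 ssh2
Mar 15 10:02:00 vps sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2
Mar 15 10:10:30 vps sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 15 10:10:40 vps sshd[2219]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Mar 15 10:20:00 vps sshd[2221]: Failed password for ubuntu from 203.0.113.8 port 38801 ssh2
""".splitlines()

# Simplified stand-in for Fail2Ban's sshd filter (filter.d/sshd.conf).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def load_jail(text, name):
    """Effective settings of one jail, inheriting from [DEFAULT].

    configparser's %(name)s interpolation mirrors jail.conf syntax, so
    action = %(action_)s resolves here the same way it does in Fail2Ban."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "enabled": cp.getboolean(name, "enabled"),
        "ignoreip": [ipaddress.ip_network(n, strict=False)
                     for n in cp.get(name, "ignoreip").split()],
        "bantime": cp.getint(name, "bantime"),
        "findtime": cp.getint(name, "findtime"),
        "maxretry": cp.getint(name, "maxretry"),
        "action": cp.get(name, "action"),
    }


def to_seconds(ts):
    """Syslog timestamps carry no year; only differences matter here."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


def simulate(jail, lines):
    """Replay log lines through the jail's rules.

    Returns (events, bans): events lists (timestamp, ip) for every ban
    decision; bans maps ip -> time (seconds) at which its ban expires."""
    failures = {}   # ip -> timestamps of failures still inside findtime
    bans = {}
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                      # not a failure the filter cares about
        ts, ip = to_seconds(m.group("ts")), m.group("ip")
        if any(ipaddress.ip_address(ip) in net for net in jail["ignoreip"]):
            continue                      # ignoreip: never counted, never banned
        if ip in bans and ts < bans[ip]:
            continue                      # still banned: firewall would drop it
        # keep only the failures that fall within findtime of this one
        window = [t for t in failures.get(ip, []) if ts - t <= jail["findtime"]]
        window.append(ts)
        if len(window) >= jail["maxretry"]:
            bans[ip] = ts + jail["bantime"]
            events.append((m.group("ts"), ip))
            window = []                   # counter restarts after a ban
        failures[ip] = window
    return events, bans


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "sshd")
    for when, ip in simulate(jail, SAMPLE_AUTH_LOG)[0]:
        print(f"{when}: ban {ip} for {jail['bantime']}s via {jail['action']}")
```

Running it shows 203.0.113.7 banned at the second failure (the sshd jail's maxretry = 2 wins over the default of 3), its third attempt ignored while the ban is active, a second ban once bantime has elapsed and it fails again, 198.51.100.9 never banned because it falls inside ignoreip, and 203.0.113.8 never banned because its two failures are more than findtime apart.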
Once your jail is configured, you just need to restart the Fail2Ban service for the changes to be taken into account.
sudo service fail2ban restart
Note: The jail for SSH account protection is enabled by default.