How to Install Fail2ban to Protect Against Brute Force Login Attacks

By Hitesh Jethva, Alibaba Cloud Community Blog author. The Blog is a community-driven platform whose main aim is to demonstrate Alibaba Cloud’s technical capabilities, brand message, and thought leadership through relevant, compelling content.

Fail2Ban is a free and open source intrusion prevention framework that protects your server from brute-force attacks. It works by continuously monitoring log files (for example the SSH, Apache and authentication logs) and banning IP addresses that show malicious signs, such as too many password failures, by inserting firewall rules (iptables by default) for a configurable period.

In this tutorial, you will learn how to install and configure Fail2Ban to protect your SSH and Apache services from brute force login attacks on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04.

Requirements

  • A newly created ECS instance installed with Ubuntu 16.04.
  • The static IP address 192.168.43.193 is set up for your instance; it is the server address used throughout this tutorial, and the client that attacks it is 192.168.43.4.
  • A root password is set up for your instance. Note that Fail2Ban only slows down password guessing; it does not replace key-based SSH authentication or a strong password.

Procedure

To install and configure Fail2Ban to protect against brute force login attacks, complete the following steps:

Launch an Alibaba Cloud ECS Instance

First, log on to your Alibaba Cloud ECS Console. Then, create a new ECS instance with Ubuntu 16.04 as the operating system and with at least 2GB RAM. Connect to your ECS instance and log on as the root user.

After you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install Apache and Fail2Ban

First, you will need to install the Apache web server and Fail2Ban on your server. You can install both by running the following command:

After the installation is complete, you can proceed to the next step.

Configure Fail2Ban

By default, all Fail2Ban configuration files are located inside the /etc/fail2ban/ directory. You can list them with the following command:

The output is as follows:

From the files listed above, jail.conf is the main configuration file: it holds the default settings and a set of pre-defined jails (the filters those jails reference live in filter.d/). Because package upgrades overwrite jail.conf, do not edit it directly. We recommend that you create a separate file, /etc/fail2ban/jail.local, which Fail2Ban reads after jail.conf and whose settings override it.

Add the following lines:

Save and close the file, when you are finished.

ignoreip : A space-separated list of IP addresses or CIDR ranges that Fail2Ban never bans. Put your own management address here so that you cannot lock yourself out.
bantime : The number of seconds a remote host stays banned.
findtime : The time window (in seconds) within which failed attempts are counted.
maxretry : The number of failures within findtime that triggers a ban. The ban is applied on the failure that reaches this count, so later attempts from that host are rejected by the firewall.
logpath : The location of the log file the jail reads for this service.

Next, create the filter file /etc/fail2ban/filter.d/http-get-dos.conf. A filter defines the failregex that identifies a suspicious log line, and the <HOST> placeholder in it captures the client address that Fail2Ban will ban. Keep in mind that this jail bans any client that sends many GET requests within findtime: if Apache sits behind a load balancer or reverse proxy, the logged address is the proxy's, and you would ban the proxy rather than the attacker.

Add the following lines:

When finished, save and close the file. Next, restart Fail2Ban to apply the changes:

Next, check the status of all jails:

The output is as follows:

You can also see the rules added by Fail2Ban by running the following command:

The output is as follows:

Test Fail2Ban

Fail2Ban is now installed and configured. It's time to test whether it is working or not. Go to the client machine and simulate an HTTP request flood against the Fail2Ban server (a single-source denial-of-service test, not a truly distributed attack) with the following command:

The output is as follows:

Now, go to the Fail2Ban machine and check the Fail2Ban log file (/var/log/fail2ban.log):

You will see the following output:

You can also check the Fail2Ban banning status by running the following command:

You will see that Fail2Ban has blocked the remote host IP address:

Next, go to the client machine and perform a failed login attempt against Fail2Ban server:

Enter the wrong password four times. Once the number of failures within findtime reaches maxretry, Fail2Ban inserts a firewall rule for your address and the connection is rejected for bantime, which is 300 seconds (5 minutes) in this configuration.

Now, go to the Fail2Ban server and check the log file:

The output is as follows:

You can also verify the SSH banning status by running the following command:

You will see that your IP address has been blocked by Fail2Ban:

You can also inspect the rules that Fail2Ban added to iptables by running the following command:

The output is as follows:

Fail2Ban also allows you to block and unblock a remote host's IP address manually through the fail2ban-client utility, without waiting for bantime to expire. Run the following command to unblock the IP address 192.168.43.4 in the SSH jail:

Run the following command to block the IP address 192.168.43.4 in the SSH jail:
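To see how the jail options, the filter and the two tests above fit together, here is an added example that is not part of the original article and not Fail2Ban's own code. It models a Fail2Ban jail in Python (the language Fail2Ban itself is written in): it parses a jail.local-style configuration, applies a simplified failregex containing the <HOST> placeholder to constructed auth.log and Apache access-log lines, and applies the ignoreip, findtime, maxretry and bantime rules. The configuration values, the log lines, the host name "ecs" and the two regexes are assumptions for illustration; the stock filter.d definitions are more thorough.

```python
"""Toy model of Fail2Ban jail logic (added example, not Fail2Ban's own code): it
parses jail.local-style INI text, applies a failregex with Fail2Ban's <HOST>
placeholder to constructed log lines, and bans per ignoreip/findtime/maxretry/bantime."""
import configparser
import ipaddress
import re
from collections import defaultdict

# Constructed jail.local; the values are assumptions, not taken from the page.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.43.193
bantime  = 300
findtime = 300
maxretry = 3
[sshd]
logpath = /var/log/auth.log
[http-get-dos]
logpath  = /var/log/apache2/access.log
maxretry = 100
findtime = 60
"""

# Simplified failregex patterns in Fail2Ban style (not the stock filter.d files).
HOST = r"(?P<host>\S+)"  # stands in for the address regex Fail2Ban puts at <HOST>
FAILREGEX = {
    "sshd": r"Failed password for (invalid user )?\S+ from <HOST> port \d+ ssh2",
    "http-get-dos": r'^<HOST> -.*"(GET|POST).*',
}


def load_jails(text):
    """Parse INI text into per-jail settings; the filter defaults to the jail name."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    jails = {}
    for name in cp.sections():
        sec = cp[name]
        jails[name] = {
            "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
            "bantime": sec.getint("bantime"),
            "findtime": sec.getint("findtime"),
            "maxretry": sec.getint("maxretry"),
            "filter": re.compile(FAILREGEX[sec.get("filter", name)].replace("<HOST>", HOST)),
        }
    return jails


class Jail:
    def __init__(self, conf):
        self.conf = conf
        self.failures = defaultdict(list)  # host -> times of matched failures
        self.banned = {}                   # host -> time the ban expires

    def is_banned(self, host, now):
        until = self.banned.get(host)
        if until is not None and now >= until:
            del self.banned[host]          # bantime elapsed: the firewall rule goes
            return False
        return until is not None

    def feed(self, line, now):
        """Process one log line seen at `now` (seconds); return the host if newly banned."""
        match = self.conf["filter"].search(line)
        if match is None:
            return None
        host = match.group("host")  # constructed logs always carry IP addresses here
        if any(ipaddress.ip_address(host) in net for net in self.conf["ignoreip"]) or self.is_banned(host, now):
            return None  # whitelisted by ignoreip, or already banned: nothing to count
        # Only failures inside the findtime window count towards maxretry.
        window = [t for t in self.failures[host] if now - t <= self.conf["findtime"]] + [now]
        self.failures[host] = window
        if len(window) < self.conf["maxretry"]:
            return None
        self.banned[host] = now + self.conf["bantime"]  # Fail2Ban would add the iptables rule here
        self.failures[host] = []
        return host


def run_demo():
    """Replay the tutorial's tests against constructed log lines."""
    jails = {name: Jail(conf) for name, conf in load_jails(JAIL_LOCAL).items()}
    sshd, http = jails["sshd"], jails["http-get-dos"]
    attacker, admin = "192.168.43.4", "192.168.43.193"
    out = {}
    # Constructed auth.log lines: wrong root password four times, one per second.
    auth = "Jun  1 10:00:0{t} ecs sshd[1234]: Failed password for root from {ip} port 5050{t} ssh2"
    hits = [sshd.feed(auth.format(t=t, ip=attacker), now=t) for t in range(4)]
    out["ssh_ban_on_attempt"] = hits.index(attacker) + 1   # the maxretry-th failure bans
    out["ssh_banned"] = sshd.is_banned(attacker, now=4)
    out["ssh_unbanned_after_bantime"] = not sshd.is_banned(attacker, now=4 + 300)
    # The admin address is in ignoreip: many failures, never banned.
    for t in range(10):
        sshd.feed(auth.format(t=t, ip=admin), now=t)
    out["admin_banned"] = sshd.is_banned(admin, now=10)
    # Constructed access.log lines: a single-source GET flood (the page's "DDoS" test).
    access = '{ip} - - [01/Jun/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "ab/2.3"'
    hits = [http.feed(access.format(ip=attacker), now=0.01 * i) for i in range(150)]
    out["http_ban_on_request"] = hits.index(attacker) + 1  # equals this jail's maxretry
    return out
```

run_demo() returns a dictionary showing that the third failed login from 192.168.43.4 triggers the sshd ban, that the ban disappears once bantime has elapsed, that the whitelisted address in ignoreip is never banned however many failures it produces, and that the 100th request of the flood trips the http-get-dos jail. Two points the model makes visible: maxretry counts only failures inside findtime, so a slow attacker who spaces attempts wider than findtime is never banned, and a host that is already banned is not counted again. On a real server, test a filter against a real log with the fail2ban-regex tool rather than with a model like this.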
