
Secure your server with Fail2ban (simple and effective)

What is Fail2ban?

Fail2ban is an open-source intrusion prevention software tool that is used to protect your servers from brute-force attacks.

Brute force is a type of attack in which a malicious client tries to guess login credentials using a dictionary or randomly generated passphrases.

In our latest Seedbox version, Fail2ban comes pre-installed with our best-practice rules to ensure a good baseline of protection against malicious attacks.

However, our configuration is just the tip of the iceberg when it comes to what this great application can do.

If you joined RapidSeedbox before October 2016, chances are you don't have Fail2ban preinstalled on your machine.
To upgrade your Seedbox, simply contact us via live chat or open a ticket in your client area.

In this article, we'll dive deeper into securing your SSH and Apache services, which are usually the "public gateways" that attackers try to find their way into.

What is SSH?

SSH is a secure protocol for establishing remote connections between two hosts over unencrypted networks. By default, it operates on port 22.

The main advantage over the other protocols used for remote access is the way SSH handles communication.

When a user tries to establish a connection to a server, the SSH client sends a request to the server.

If everything is fine, the server sends a confirmation message.

After the client receives that message, it sends another request and establishes the connection.

This kind of connection setup is also known as a three-way handshake.

What makes the SSH protocol interesting to intruders is that compromising it makes the attacker the owner of the whole server. For these reasons, it is essential to protect and tune your SSH server with Fail2ban.

If you also want to know how to use SSH from Windows, covering the basics of installing a Windows SSH command-line tool and connecting to a remote server over SSH on a local Windows system, check out this Linode page.

What is Apache?

Apache is the most popular HTTP server for delivering web content. Whenever you visit a web page in your browser, a web server delivers that content to your browser. This process can be accelerated if you take steps to make the Apache web server work better, and improvements are possible even if you don't have much experience working with it.

The two most common ports used for HTTP connections are port 80 and port 443.

The difference between these ports is the protocol: web content can be served via HTTP or HTTPS.
HTTPS is the secure version of HTTP, meaning that traffic between client and server is encrypted.

In our new template, our torrent clients (for example, ruTorrent) are pre-configured to use an HTTPS connection with a self-signed certificate.

1. Installing Fail2ban

Fail2ban is available by default in the Ubuntu repository, so you can easily install it by running the following commands:

Enable the service to start during system boot:

Start the service:

2. Configure protection for Apache and SSH

The default configuration file of Fail2ban is jail.conf, located in the /etc/fail2ban/ directory.

It contains a set of pre-configured rules for various services, so I recommend that you do not edit this file; package upgrades overwrite it, and your own settings belong in separate files that override it.

3. Secure Apache

You should create a new configuration for Apache:

Paste the following ruleset:

[apache-badbots]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-nohome]
enabled = true

[apache-botsearch]
enabled = true

[apache-fakegooglebot]
enabled = true

[apache-modsecurity]
enabled = true

[apache-shellshock]
enabled = true

4. Secure SSH

You should create a new configuration for the OpenSSH service:

Add the following rules:

[sshd-ddos]
enabled = true

[dropbear]
enabled = true

5. Starting Fail2ban

Once you have finished the configuration, save the files and restart the Fail2ban service:

You can verify the rules that Fail2ban added to iptables with the following command:

Output should look like this:

6. Verify your configurations

Once everything is up to date, you can verify your configuration as follows:

You should see the list of all enabled jails:

Status:

If you want to see the status of a specific jail, run the following command:

Output:

It is also possible to ban or unban any IP address manually. For example, to ban the IP address 192.168.1.10 in the apache jail, run:

To unban the IP address 192.168.1.10 from the apache jail:

7. Testing

Once everything is set up, it's time to test our rules.

From another system, try to SSH into the Fail2ban server with the following command:

Enter a wrong password at the password prompt. Repeat this a few times; once the limit is exceeded, the Fail2ban server will stop responding with the Permission denied message.

This means your second system has been banned by your Fail2ban-enabled server. Great work!

On your Fail2ban server, you can check the new iptables rule with the following command:

You can see a new rule in your configuration that rejects traffic to the SSH port coming from your second server's IP address.

You can also check the status of the SSH jail with the following command:

You should see that the IP address 192.168.1.250 has been banned:
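To show what the SSH jail is doing during the test above, here is an added example (not code from this article or from the Fail2ban project) that replays a constructed auth.log excerpt through a simplified version of Fail2ban's maxretry/findtime/bantime logic. The threshold values, the hostname seedbox and the log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings as a jail.local [sshd] section would set them (assumed values for this example)
MAXRETRY = 5                      # failures allowed ...
FINDTIME = timedelta(minutes=10)  # ... within this window ...
BANTIME = timedelta(minutes=10)   # ... before the IP is banned for this long
IGNOREIP = {"127.0.0.1"}          # never banned; your own admin IP belongs here

# Simplified version of the "Failed password" pattern used by fail2ban's sshd filter
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; assume one so attempts can be ordered
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines; return {ip: (ban_start, ban_end)} for IPs that trip the jail."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip, now = m["ip"], parse_ts(m["ts"])
        if ip in IGNOREIP or ip in bans:  # whitelisted, or already blocked by iptables
            continue
        q = recent[ip]
        q.append(now)
        while now - q[0] > findtime:      # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (now, now + bantime)
    return bans

# Constructed auth.log excerpt: one fast dictionary attack, one slow trickle of typos
SAMPLE_LOG = """\
May  1 10:00:01 seedbox sshd[1201]: Failed password for root from 192.168.1.250 port 50001 ssh2
May  1 10:00:12 seedbox sshd[1202]: Failed password for invalid user admin from 192.168.1.250 port 50002 ssh2
May  1 10:00:25 seedbox sshd[1203]: Failed password for root from 192.168.1.250 port 50003 ssh2
May  1 10:00:40 seedbox sshd[1204]: Failed password for root from 192.168.1.250 port 50004 ssh2
May  1 10:01:03 seedbox sshd[1205]: Failed password for root from 192.168.1.250 port 50005 ssh2
May  1 10:15:00 seedbox sshd[1211]: Failed password for user from 10.0.0.7 port 51001 ssh2
May  1 10:30:00 seedbox sshd[1212]: Failed password for user from 10.0.0.7 port 51002 ssh2
May  1 10:45:00 seedbox sshd[1213]: Failed password for user from 10.0.0.7 port 51003 ssh2
May  1 11:00:00 seedbox sshd[1214]: Failed password for user from 10.0.0.7 port 51004 ssh2
May  1 11:15:00 seedbox sshd[1215]: Failed password for user from 10.0.0.7 port 51005 ssh2
""".splitlines()
```

Running scan(SAMPLE_LOG) bans only 192.168.1.250 at 10:01:03 (five failures inside ten minutes); the five failures from 10.0.0.7 are fifteen minutes apart, so they never accumulate within findtime and that host is left alone.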

Conclusion

Fail2ban is a vital service for protecting your services against brute-force and other attacks.

By using our services, you can protect your Seedbox against various types of attacks.

Your files and running services will stay well protected.

Disclaimer: This material has been developed strictly for informational purposes. It does not constitute endorsement of any activities (including illegal activities), products or services. You are solely responsible for complying with the applicable laws, including intellectual property laws, when using our services or relying on any information herein. We do not accept any liability for damage arising from the use of our services or information contained herein in any manner whatsoever, except where explicitly required by law.

About author Diego Asturias


Diego Asturias is a tech journalist who translates complex tech jargon into engaging content. He has a degree in Internetworking Tech from Washington DC, US, and tech certifications from Cisco, McAfee, and Wireshark. He has hands-on experience working in Latin America, South Korea, and West Africa. He has been featured in SiliconANGLE Media, Cloudbric, Pcwdld, Hackernoon, ITT Systems, SecurityGladiators, Rapidseedbox, and more.
