What is Fail2ban?
Fail2ban is an open-source intrusion prevention tool that protects your servers from brute-force attacks.
A brute-force attack is one in which a malicious client tries to guess login credentials using a dictionary or randomly generated passphrases.
In our latest Seedbox version, we have Fail2ban pre-installed with our best practice rules to ensure good baseline protection from malicious attacks.
However, our configuration is only the tip of the iceberg when it comes to what this application can do.
In order to upgrade your Seedbox simply contact us via the live chat, or open a ticket in your client area.
In this article, we’ll dive deeper into securing your SSH and Apache services, which are usually the “public gateways” through which attackers try to find their way in.
What is SSH?
SSH is a secure protocol for establishing remote connections between two hosts over unencrypted networks. By default, it operates on port 22.
Its main advantage over the other protocols used for remote access is the way SSH handles communication.
When the user tries to establish a connection to a server, the SSH client sends a request to the server.
If everything is fine, the server sends a confirmation message.
After the client receives that message, it sends another request and establishes the connection.
This kind of exchange is also known as a three-way handshake.
What makes the SSH protocol interesting to intruders is that compromising it makes the attacker the owner of the whole server. For these reasons, it is essential to protect and tweak your SSH server with Fail2ban.
If you also want to know how to use SSH from Windows, including installing a Windows SSH command-line tool and connecting to a remote server over SSH from a local Windows system, check out this Linode page.
What is Apache?
Apache is the most popular HTTP server for delivering web content. Whenever you visit a webpage in your browser, a web server delivers that content to your browser. This process can be accelerated if you take steps to make the Apache web server work better, and improvements are possible even if you don’t have much experience with it.
The two most common ports used for HTTP connections are port 80 and port 443.
The difference between these two ports is the protocol: web content can be served over HTTP or over HTTPS.
HTTPS is the secure version of the HTTP protocol, meaning that traffic between client and server is encrypted.
In our new template, our torrent clients (for example ruTorrent) are pre-configured to use an HTTPS connection with a self-signed certificate.
1. Installing Fail2ban
Fail2ban is available in the default Ubuntu repositories, so you can easily install it by running the following commands:
    sudo apt-get update
    sudo apt-get install fail2ban
Enable the service to start during system boot:
    sudo systemctl enable fail2ban
Start the service:
    sudo systemctl start fail2ban
2. Configure protection for Apache and SSH
The default configuration file of Fail2ban is jail.conf, located in the /etc/fail2ban/ directory.
It contains a set of pre-configured rules for various services and is replaced whenever the package is upgraded, so I recommend that you do not edit this file. Put your own settings in separate files under /etc/fail2ban/jail.d/ instead, as shown below.
3. Secure Apache
You should create a new configuration file for Apache:
    sudo nano /etc/fail2ban/jail.d/apache.conf
Paste the following ruleset:
    [apache-auth]
    enabled = true

    [apache-badbots]
    enabled = true

    [apache-noscript]
    enabled = true

    [apache-overflows]
    enabled = true

    [apache-nohome]
    enabled = true

    [apache-botsearch]
    enabled = true

    [apache-fakegooglebot]
    enabled = true

    [apache-modsecurity]
    enabled = true

    [apache-shellshock]
    enabled = true
4. Secure SSH
You should create a new configuration file for the OpenSSH service:
    sudo nano /etc/fail2ban/jail.d/sshd.conf
Add the following rules:
    [sshd]
    enabled = true

    [sshd-ddos]
    enabled = true

    [dropbear]
    enabled = true
Two notes on these jails: the dropbear jail covers the Dropbear SSH server, a separate program from OpenSSH, so it only does something if Dropbear is actually running on your box; and in Fail2ban 0.10 and later the sshd-ddos filter is deprecated in favour of the sshd filter’s mode setting, so on those versions the sshd-ddos jail may be flagged as deprecated and the equivalent is mode = aggressive (or mode = ddos) in the [sshd] section.
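To make the limits behind the [sshd] jail concrete, here is an added shell example (not part of the original article, and not Fail2ban’s own code) that mimics what the sshd filter and jail do together: it scans auth.log-style lines, counts "Failed password" entries per source address inside a window of findtime seconds, and prints each address the moment it reaches maxretry failures. The function name ips_to_ban and the log excerpt in SAMPLE_AUTH_LOG are constructed for this example; the values maxretry = 5 and findtime = 600 seconds are Fail2ban’s stock defaults. The example assumes all lines fall on the same day, since syslog timestamps carry no year.

```shell
#!/bin/sh
# Added example, not code from the article or from Fail2ban: a minimal
# emulation of the sshd jail's counting logic (maxretry within findtime).

# Constructed auth.log excerpt in the format OpenSSH writes on Ubuntu.
# 192.168.1.250 fails five times; 10.0.0.7 fails once; 10.0.0.8 logs in.
SAMPLE_AUTH_LOG='Mar  3 10:00:01 seedbox sshd[1201]: Failed password for root from 192.168.1.250 port 51034 ssh2
Mar  3 10:00:03 seedbox sshd[1201]: Failed password for root from 192.168.1.250 port 51034 ssh2
Mar  3 10:00:05 seedbox sshd[1205]: Failed password for root from 192.168.1.250 port 51036 ssh2
Mar  3 10:00:07 seedbox sshd[1207]: Failed password for invalid user admin from 192.168.1.250 port 51038 ssh2
Mar  3 10:00:09 seedbox sshd[1209]: Failed password for invalid user admin from 192.168.1.250 port 51040 ssh2
Mar  3 10:00:12 seedbox sshd[1210]: Failed password for root from 10.0.0.7 port 40001 ssh2
Mar  3 10:00:15 seedbox sshd[1211]: Accepted publickey for seeduser from 10.0.0.8 port 40002 ssh2'

# ips_to_ban MAXRETRY FINDTIME_SECONDS < auth.log
# Prints each source IP the moment its failures within the window reach
# MAXRETRY, once per IP, in the order the bans would be triggered.
ips_to_ban() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # field 3 is HH:MM:SS; convert to seconds since midnight (same-day assumption)
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      ts[ip, n[ip]] = now
      # count the failures of this address that fall inside the findtime window
      recent = 0
      for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > now - findtime) recent++
      if (recent >= maxretry && !(ip in banned)) {
        banned[ip] = 1
        print ip
      }
    }'
}

# Stand-alone run with the stock defaults; prints 192.168.1.250
printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_to_ban 5 600
```

Run it against a real log with `ips_to_ban 5 600 < /var/log/auth.log` to see which addresses the stock settings would have banned; tightening the window (for example `ips_to_ban 5 5`) shows that slow, spread-out guessing slips under a short findtime, which is why findtime and maxretry need to be tuned together.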
5. Starting Fail2ban
Once you finish with the configuration, save the files and restart the Fail2ban service:
    sudo systemctl restart fail2ban
You can verify the rules that Fail2ban added to iptables with the following command:
    sudo iptables -L
The output should look like this:
    Chain f2b-apache-auth (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-badbots (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-botsearch (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-fakegooglebot (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-modsecurity (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-nohome (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-noscript (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-overflows (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-apache-shellshock (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-dropbear (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain f2b-sshd-ddos (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
6. Verify your configurations
Once everything is up to date, you can verify your configuration as follows:
    sudo fail2ban-client status
You should see the list of all enabled jails:
    root@rapidseedbox:/etc/fail2ban/jail.d# fail2ban-client status
    Status:
    Number of jail: 12
    Jail list: apache-auth, apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, dropbear, sshd, sshd-ddos
If you want to see the status of a specific jail, run the following command:
    sudo fail2ban-client status apache-badbots
Output:
    Status for the jail: apache-badbots
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/apache2/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
It is also possible to ban or unban any IP address manually. The jail name must be one of the jails listed by fail2ban-client status (there is no jail called simply "apache"); for example, to ban the IP address 192.168.1.10 in the apache-auth jail, run:
    sudo fail2ban-client set apache-auth banip 192.168.1.10
To unban the IP address 192.168.1.10 in the apache-auth jail:
    sudo fail2ban-client set apache-auth unbanip 192.168.1.10
7. Testing
Once everything is set up, it’s time to test our rules.
From another system, try to SSH into the Fail2ban server with the following command:
    ssh root@seedbox-server-ip
Enter a wrong password at the password prompt. Repeat this a few times; once the number of failures exceeds the limit, the Fail2ban server will stop responding with the "Permission denied" message.
This means that your Fail2ban-enabled server has banned your second system. Great work!
On your Fail2ban server, you can check the new iptables rule with the following command:
    sudo iptables -S
    -A f2b-apache -j RETURN
    -A f2b-apache-badbots -j RETURN
    -A f2b-apache-noscript -j RETURN
    -A f2b-apache-overflows -j RETURN
    -A f2b-sshd -s 192.168.1.250/32 -j REJECT --reject-with icmp-port-unreachable
    -A f2b-sshd -j RETURN
As you can see, there is a new rule that rejects traffic to the SSH port coming from our second server’s IP address.
You can also check the status of the SSH jail with the following command:
    sudo fail2ban-client status sshd
You should see that the IP address 192.168.1.250 has been banned:
    Status for the jail: sshd
    |- filter
    |  |- File list:        /var/log/auth.log
    |  |- Currently failed: 0
    |  `- Total failed:     6
    `- action
       |- Currently banned: 1
       |  `- IP list:       192.168.1.250
       `- Total banned:     1
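The two outputs above are two views of the same ban: Fail2ban’s own state and the firewall rule it installed. They can drift apart, for instance after someone flushes iptables while Fail2ban keeps running, and then Fail2ban reports a ban that is not actually enforced. The shell functions below are an added example (not part of the article, and not Fail2ban’s code) that parse both outputs and report every address Fail2ban lists as banned for a jail that has no REJECT rule in the matching f2b-<jail> chain. The function names and the status and iptables -S text in SAMPLE_STATUS, SAMPLE_RULES and FLUSHED_RULES are constructed for this example to match the shapes shown above; the flushed variant is made up to show the mismatch case.

```shell
#!/bin/sh
# Added example, not code from the article or from Fail2ban: cross-check
# `fail2ban-client status <jail>` against `iptables -S`.

# Constructed `fail2ban-client status sshd` output (same shape as above).
SAMPLE_STATUS='Status for the jail: sshd
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     6
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.250
   `- Total banned:     1'

# Constructed `iptables -S` output with the ban in place.
SAMPLE_RULES='-A f2b-apache-auth -j RETURN
-A f2b-sshd -s 192.168.1.250/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Constructed `iptables -S` output after the f2b-sshd chain was flushed.
FLUSHED_RULES='-A f2b-apache-auth -j RETURN
-A f2b-sshd -j RETURN'

# jail_banned_ips < status-output
# Prints the addresses on the "IP list:" line (newer versions label it "Banned IP list:").
jail_banned_ips() {
  sed -n 's/.*IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# firewall_banned_ips JAIL < iptables-S-output
# Prints the source addresses rejected by the f2b-JAIL chain, without the /32 suffix.
firewall_banned_ips() {
  awk -v chain="f2b-$1" '
    $1 == "-A" && $2 == chain && /-j REJECT/ {
      for (i = 1; i <= NF; i++) if ($i == "-s") { sub(/\/32$/, "", $(i + 1)); print $(i + 1) }
    }'
}

# missing_firewall_rules JAIL STATUS_TEXT RULES_TEXT
# Prints every address Fail2ban lists as banned that has no REJECT rule in the firewall.
missing_firewall_rules() {
  jail=$1
  status_text=$2
  rules_text=$3
  for ip in $(printf '%s\n' "$status_text" | jail_banned_ips); do
    printf '%s\n' "$rules_text" | firewall_banned_ips "$jail" | grep -qxF "$ip" || printf '%s\n' "$ip"
  done
}

# Stand-alone run: the healthy case prints nothing, the flushed case prints 192.168.1.250
echo "healthy: $(missing_firewall_rules sshd "$SAMPLE_STATUS" "$SAMPLE_RULES")"
echo "flushed: $(missing_firewall_rules sshd "$SAMPLE_STATUS" "$FLUSHED_RULES")"
```

On a live server the same check is `missing_firewall_rules sshd "$(sudo fail2ban-client status sshd)" "$(sudo iptables -S)"`; any address it prints is one you should expect to see re-blocked only after `sudo systemctl restart fail2ban`, which makes Fail2ban rebuild its chains.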
Conclusion
Fail2ban is a vital service for protecting your services against brute-force and similar attacks.
By using our services, you can protect your Seedbox against various types of attacks.
Your files and running services will stay well protected.
Disclaimer: This material has been developed strictly for informational purposes. It does not constitute endorsement of any activities (including illegal activities), products or services. You are solely responsible for complying with the applicable laws, including intellectual property laws, when using our services or relying on any information herein. We do not accept any liability for damage arising from the use of our services or information contained herein in any manner whatsoever, except where explicitly required by law.