Use Fail2Ban on a 1&1 Cloud Server with Linux

Introduction

Learn how to implement Fail2Ban on a Cloud Server with Linux. Fail2Ban is an IP address banning system which can protect a server from brute force attacks. Fail2Ban monitors the server's logs for suspicious activity, and watches for repeated login attempts during a short time interval.

For more information about using Fail2Ban on a Plesk server, see the official Plesk documentation.

Note: Fail2Ban is not able to protect against distributed brute force attacks, because it identifies attacks by IP address.

Requirements

  • A 1&1 Cloud Server with Linux (CentOS 7 or Ubuntu 16.04)

Note: For any 1&1 Cloud Server with Plesk, applications like Fail2Ban should always be installed and managed through the Plesk interface. See our article Use Fail2Ban on a 1&1 Cloud Server with Linux for step-by-step instructions.

Install Fail2Ban

Ubuntu 16.04

Update the system:

sudo apt-get update

Install Fail2Ban:

sudo apt-get install fail2ban

Enable the Fail2Ban service with the systemctl command so that it starts automatically at boot:

sudo systemctl enable fail2ban

CentOS 7

Update the system:

sudo yum update

Install the EPEL repository:

sudo yum install epel-release

Install Fail2Ban:

sudo yum install fail2ban

Enable the Fail2Ban service with the systemctl command so that it starts automatically at boot:

sudo systemctl enable fail2ban

Configure Fail2Ban

The Fail2Ban configuration files are stored in the /etc/fail2ban directory. In this directory, the jail.conf file holds the default settings.

If there are any default settings you wish to override, these should go in a jail.local file in order to prevent file lock conflicts.

To begin, we will create a copy of jail.conf called jail.local:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

You can then safely open the jail.local file for editing:

sudo nano /etc/fail2ban/jail.local

To prevent future confusion, you may want to delete the initial block of text which warns against editing the jail.conf file:

# WARNING: heavily refactored in 0.9.0 release.  Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#

Increase Ban Time

One recommended change is to increase the bantime setting, which is set to only 10 minutes (600 seconds) by default.

To increase the ban time, find the section which reads:

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

Change 600 to the desired number of seconds. For example, to ban hosts for two hours, change this block to read:

# "bantime" is the number of seconds that a host is banned.
bantime  = 7200

Save and exit the file, then restart Fail2Ban for your changes to take effect:

sudo systemctl restart fail2ban

Add Your Email Address

Another common change is to add your email address to Fail2Ban's notification list, so that you receive an email when an IP address is banned.

Find the section which reads:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

Change root@localhost to your email address:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = jdoe@example.com

You will also need to change the action configuration so that Fail2Ban sends the email. Find the section which reads:

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

Change the last line to read:

action = %(action_mwl)s

Save and exit the file, then restart Fail2Ban for your changes to take effect:

sudo systemctl restart fail2ban
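
Because jail.local starts as a full copy of jail.conf, it is useful to list which [DEFAULT] settings you actually changed. The shell function below is an added example, not part of the original article; the name jail_overrides is hypothetical, and the two sample files are constructed stand-ins for /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local.

```shell
#!/bin/sh
# Added example, not from the original article.
# jail_overrides BASE LOCAL
#   Prints "key: old -> new" for every single-line [DEFAULT] setting whose
#   value in LOCAL differs from BASE. Continuation lines of multi-line
#   values are ignored (assumption: only the first line is compared).
jail_overrides() {
    awk '
        FNR == 1      { in_default = 0 }            # new file: reset section state
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_default = ($0 ~ /^[ \t]*\[DEFAULT\]/); next }
        in_default && /^[A-Za-z_][A-Za-z0-9_.-]*[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (FILENAME == ARGV[1])  old[key] = val
            else if (!(key in old))   printf "%s: (unset) -> %s\n", key, val
            else if (old[key] != val) printf "%s: %s -> %s\n", key, old[key], val
        }
    ' "$1" "$2"
}

# Constructed sample files standing in for jail.conf and jail.local.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/jail.conf" <<'EOF'
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
findtime = 600
destemail = root@localhost
action = %(action_)s

[sshd]
port = ssh
EOF
cat > "$demo_dir/jail.local" <<'EOF'
[DEFAULT]
bantime  = 7200
findtime = 600
destemail = jdoe@example.com
action = %(action_mwl)s

[sshd]
port = 2222
EOF

jail_overrides "$demo_dir/jail.conf" "$demo_dir/jail.local"
```

On a server, run jail_overrides /etc/fail2ban/jail.conf /etc/fail2ban/jail.local after editing to confirm that only the intended settings differ.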
