From securing your server with SSH Keys to installing self-signed SSL on Apache with CentOS 7, we really value web security at Canadian Web Hosting. In IT, satisfying all C.I.A points is a necessity. For those of you who don't know, this stands for Confidentiality, Integrity, and Availability. By keeping our information and privacy protected, we decrease the chances of having sensitive information exploited. That includes login details, personal information from you or your clients, and proprietary data. Besides setting up RSA keys and disabling password logins, we can install an application known as fail2ban. This service limits failed login attempts by banning the IP address they come from, which is great if you want to prevent brute force attacks. This defense mechanism is your path to a safer, more secure server.

Continue reading to find out how to install fail2ban on your server.

 

Installation

 

As usual, let's switch to the superuser for convenience, then update the package lists and install fail2ban as shown below:

#sudo su

(type in password for superuser)

#apt-get update

#apt-get install fail2ban

 

Configuration

 

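The fail2ban package includes a file known as jail.conf, which we do not want to modify because package upgrades can overwrite it. Instead, we will copy the contents of jail.conf into our jail.local with every line commented out, then open jail.local and uncomment only the settings we want to change: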

#awk '{ printf "# "; print; }' /etc/fail2ban/jail.conf | sudo tee /etc/fail2ban/jail.local
#sudo nano /etc/fail2ban/jail.local

 

Under the [DEFAULT] section, you will see ignoreip, where you can enter your own IP and several others if you want fail2ban to ignore them. For example:

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host, which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 1.1.1.1

bantime  = 600

findtime  = 600

maxretry = 3

 

You can choose how long the bantime is. By default, it is set to 600 seconds (10 minutes), but you can change this to whatever you like. findtime and maxretry work together: a client/host will be banned if it reaches maxretry (here, 3 failures) within the last findtime seconds (here, 600).
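
To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is an added example (not from the original article and not fail2ban's own code) that replays the settings shown above over a few constructed auth.log lines. The regex is a simplified stand-in for fail2ban's sshd filter, and the function name, host name and documentation-range IP addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the [DEFAULT] section shown above.
IGNOREIP = {"1.1.1.1"}
BANTIME, FINDTIME, MAXRETRY = 600, 600, 3

# Simplified stand-in for the sshd filter (assumption, not fail2ban's real regex).
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

# Constructed auth.log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  1 10:00:00 web sshd[101]: Failed password for root from 203.0.113.7 port 4000 ssh2
Mar  1 10:00:05 web sshd[102]: Failed password for root from 1.1.1.1 port 4001 ssh2
Mar  1 10:00:06 web sshd[103]: Failed password for root from 1.1.1.1 port 4002 ssh2
Mar  1 10:00:07 web sshd[104]: Failed password for root from 1.1.1.1 port 4003 ssh2
Mar  1 10:00:10 web sshd[105]: Failed password for invalid user admin from 203.0.113.7 port 4004 ssh2
Mar  1 10:00:15 web sshd[106]: Failed password for bob from 198.51.100.9 port 4005 ssh2
Mar  1 10:00:20 web sshd[107]: Failed password for root from 203.0.113.7 port 4006 ssh2
Mar  1 10:06:15 web sshd[108]: Failed password for bob from 198.51.100.9 port 4007 ssh2
Mar  1 10:09:00 web sshd[109]: Accepted password for bob from 198.51.100.9 port 4008 ssh2
Mar  1 10:12:15 web sshd[110]: Failed password for bob from 198.51.100.9 port 4009 ssh2
"""

def simulate(log, year=2024):
    """Return [(ip, banned_at, unbanned_at)] for the given log text."""
    recent = defaultdict(deque)      # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m or m.group(2) in IGNOREIP:
            continue                 # not a failure, or a host listed in ignoreip
        ip = m.group(2)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if ts < banned_until.get(ip, ts):
            continue                 # still banned; the firewall drops these
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()         # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, f"{ts:%H:%M:%S}", f"{banned_until[ip]:%H:%M:%S}"))
            window.clear()
    return bans

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

Only 203.0.113.7 is banned: 1.1.1.1 is skipped because of ignoreip, and the three failures from 198.51.100.9 span more than findtime, so its count never reaches maxretry. This is why findtime and maxretry need to be tuned together.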

 

If you wish to receive emails regarding any banned IPs, you may edit this section under [DEFAULT]:

destemail = admin@sampledomain.com

sender = Fail2Ban

mta = sendmail

 

To check whether SSHD is enabled, double-check at the top and ensure that it is either set to true or uncommented.

 

Wrapping It Up

 

Once our configuration is done, run an update, install iptables-persistent (along with nginx and sendmail), and stop the fail2ban service so that we can update our firewall accordingly:

#apt-get update

#apt-get install nginx sendmail iptables-persistent

#service fail2ban stop

 

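Afterwards, add the following rules to iptables. Enter them in this order, because the final DROP rule discards everything that the rules before it did not accept: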

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP

 

To save these rules and make them survive reboots, enter the following and then start up the service again:

#sudo dpkg-reconfigure iptables-persistent
#service fail2ban start

That's it. Enjoy having a more secure server and let us know if you have any questions about setup.