Installing and Configuring Fail2Ban on Red Hat and Debian

Fail2Ban is a security tool that helps protect your server from brute-force attacks by monitoring log files and banning IP addresses that exhibit malicious behavior. This guide will walk you through the installation and configuration of Fail2Ban on both Red Hat-based and Debian-based systems.

Installation

Red Hat-based Systems (RHEL, CentOS, Fedora)

  1. Update your system:
     sudo yum update
  2. Install the EPEL repository (if not already installed):
     sudo yum install epel-release
  3. Install Fail2Ban:
     sudo yum install fail2ban
  4. Enable and start the Fail2Ban service:
     sudo systemctl enable fail2ban
     sudo systemctl start fail2ban

Debian-based Systems (Debian, Ubuntu)

  1. Update your system:
     sudo apt update
  2. Install Fail2Ban:
     sudo apt install fail2ban
  3. Enable and start the Fail2Ban service:
     sudo systemctl enable fail2ban
     sudo systemctl start fail2ban

Configuration

The main configuration file for Fail2Ban is /etc/fail2ban/jail.conf. Do not edit it directly: package updates can overwrite it. Instead, create a local copy, /etc/fail2ban/jail.local, which Fail2Ban reads after jail.conf, so any setting defined there overrides the packaged default and survives updates.

Create a Local Configuration File

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Basic Configuration

Edit the /etc/fail2ban/jail.local file to customize Fail2Ban settings:

sudo nano /etc/fail2ban/jail.local

Here are some common settings you might want to adjust:

  • Ignore IPs: Specify IP addresses or networks that should never be banned (these settings live in the [DEFAULT] section).
    [DEFAULT]
    ignoreip = 127.0.0.1/8 ::1
  • Bantime: Duration in seconds for which an IP is banned (e.g., 10 minutes).
    bantime = 600
  • Findtime: Time window in seconds within which failed login attempts are counted (e.g., 10 minutes).
    findtime = 600
  • Maxretry: Number of failed login attempts within findtime before an IP is banned.
    maxretry = 5

Jail Configuration

Fail2Ban uses “jails” to define what logs to monitor and what actions to take. Here is an example of enabling the SSH jail:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
maxretry = 5

Restart Fail2Ban

After making changes, restart the Fail2Ban service to apply the new configuration:

sudo systemctl restart fail2ban

Monitoring Fail2Ban

You can check that Fail2Ban is running and list the active jails using the following command:

sudo fail2ban-client status

To see detailed information about a specific jail, including the IPs it has currently banned, use:

sudo fail2ban-client status sshd

Conclusion

Fail2Ban is a powerful tool for enhancing the security of your server by mitigating brute-force attacks. By following this guide, you have installed and configured Fail2Ban on both Red Hat-based and Debian-based systems, and you are now equipped to customize it to fit your security needs.
