Enhancing Security with 17 Fail2Ban Configurations
Fail2Ban is an excellent tool for enhancing the security of your Linux-based systems by automatically blocking IP addresses that make repeated failed login attempts, run brute-force attacks, or show other malicious activity. In this article, we will explore 17 detailed Fail2Ban configurations to help you improve the security posture of your system.
Table of Contents
- Introduction
- Configurations
  - SSH Brute-Force Protection
  - FTP Brute-Force Protection
  - MySQL Brute-Force Protection
  - Postfix Mail Server Protection
  - Apache Web Server Protection
  - SSH Key Authentication Protection
  - SSH Port Knocking Protection
  - OpenVPN Protection
  - PostgreSQL Protection
  - Redis Protection
  - Memcached Protection
  - Apache Tomcat Protection
  - Nginx Web Server Protection
  - IMAP Brute-Force Protection
  - POP3 Brute-Force Protection
  - HTTP Brute-Force Protection
  - General Purpose Configuration
Introduction
Fail2Ban is a powerful tool that can automatically block IP addresses making repeated login attempts or brute-force attacks against your system. It works by monitoring log files and restarting services if suspicious activity is detected.
In this article, we will explore 17 detailed Fail2Ban configurations to enhance the security of various services running on your Linux-based system.
Configurations
SSH Brute-Force Protection
[INCLUDES]
before = common.conf
[sshd-iptables]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port="ssh", protocol=tcp]
logpath = /var/log/secure
maxretry = 3
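The maxretry value is the only tuning knob shown in each jail on this page, but it is meaningful only together with findtime. As an added example (not code from the article or from the Fail2Ban project), the Python model below reads the [sshd-iptables] section above with configparser, runs a failregex written in the spirit of the stock sshd filter's "Failed password" rule over constructed /var/log/secure lines, and bans a source only once it accumulates maxretry failures inside a findtime window; the same logic applies to every other jail on this page. The findtime of 600 seconds, the log lines and the addresses are assumptions made for the example.

```python
import configparser, re
from collections import defaultdict, deque
from datetime import datetime

# The [sshd-iptables] jail above, cut to the keys this model uses (findtime is a jail.conf default).
JAIL = """\
[sshd-iptables]
action = iptables[name=SSH, port="ssh", protocol=tcp]
maxretry = 3
findtime = 600
"""

# Constructed /var/log/secure lines (syslog format); not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:07 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:09 host sshd[1004]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:12 host sshd[1005]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:59:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40003 ssh2
"""

# Failregex in the spirit of the stock sshd filter; Fail2Ban's <HOST> placeholder written out as an IPv4 group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>\d+(?:\.\d+){3}) port \d+"
)

def load_jail(text, name):
    """Read one jail section the way Fail2Ban reads jail.local (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    s = cp[name]
    return {k: s.getint(k) for k in ("maxretry", "findtime")}

def simulate(jail, log, year=2024):
    """Return hosts in the order the jail would ban them."""
    window = defaultdict(deque)  # host -> timestamps of its recent failures
    banned = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m or m["host"] in banned:
            continue  # unmatched lines never count; banned hosts stop counting
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").timestamp()
        q = window[m["host"]]
        q.append(ts)
        while ts - q[0] > jail["findtime"]:
            q.popleft()  # only failures inside the findtime window count
        if len(q) >= jail["maxretry"]:
            banned.append(m["host"])
    return banned
```

With the values above, 203.0.113.5 is banned on its third failure within eight seconds, while 198.51.100.7 also fails three times but spread over an hour, so it never has three failures inside one findtime window and stays unbanned; raising findtime to 7200 bans it too.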
FTP Brute-Force Protection
[INCLUDES]
before = common.conf
[ftpd-iptables]
enabled = true
filter = ftpd-ddos
action = iptables[name=FTP, port="ftp", protocol=tcp]
logpath = /var/log/secure
maxretry = 3
MySQL Brute-Force Protection
[INCLUDES]
before = common.conf
[mymysql]
enabled = true
filter = mysql
action = iptables[name=Mysql, port="mysql", protocol=tcp]
logpath = /var/log/mysqld.log
maxretry = 5
Postfix Mail Server Protection
[INCLUDES]
before = common.conf
[postfix]
enabled = true
filter = postfix
action = iptables[name=Postfix, port="smtp", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3
Apache Web Server Protection
[INCLUDES]
before = common.conf
[apache]
enabled = true
filter = apache-auth
action = iptables[name=Apache, port="http", protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3
SSH Key Authentication Protection
[INCLUDES]
before = common.conf
[sshd-key]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH-Key, port="ssh", protocol=tcp]
logpath = /var/log/secure
maxretry = 3
SSH Port Knocking Protection
[INCLUDES]
before = common.conf
[sshd-port-knock]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH-Port-Knock, port="ssh", protocol=tcp]
logpath = /var/log/secure
maxretry = 3
OpenVPN Protection
[INCLUDES]
before = common.conf
[openvpn]
enabled = true
filter = openvpn
action = iptables[name=OpenVPN, port=1194, protocol=udp]
logpath = /var/log/openvpn.log
maxretry = 5
PostgreSQL Protection
[INCLUDES]
before = common.conf
[postgresql]
enabled = true
filter = postgresql
action = iptables[name=PostgreSQL, port="postgres", protocol=tcp]
logpath = /var/log/postgresql.log
maxretry = 5
Redis Protection
[INCLUDES]
before = common.conf
[redis]
enabled = true
filter = redis
action = iptables[name=Redis, port="redis", protocol=tcp]
logpath = /var/log/redis.log
maxretry = 5
Memcached Protection
[INCLUDES]
before = common.conf
[memcache]
enabled = true
filter = memcache
action = iptables[name=Memcached, port="memcache", protocol=tcp]
logpath = /var/log/memcached.log
maxretry = 5
Apache Tomcat Protection
[INCLUDES]
before = common.conf
[tomcat]
enabled = true
filter = tomcat-auth
action = iptables[name=Tomcat, port="http", protocol=tcp]
logpath = /var/log/tomcat.log
maxretry = 3
Nginx Web Server Protection
[INCLUDES]
before = common.conf
[nginx]
enabled = true
filter = nginx-auth
action = iptables[name=Nginx, port="http", protocol=tcp]
logpath = /var/log/nginx/error.log
maxretry = 3
IMAP Brute-Force Protection
[INCLUDES]
before = common.conf
[imaps]
enabled = true
filter = imap
action = iptables[name=IMAPs, port="imap", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3
POP3 Brute-Force Protection
[INCLUDES]
before = common.conf
[pops]
enabled = true
filter = pop3
action = iptables[name=POP3s, port="pop3", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3
HTTP Brute-Force Protection
[INCLUDES]
before = common.conf
[http]
enabled = true
filter = http-auth
action = iptables[name=HTTP, port="http", protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3
General Purpose Configuration
[INCLUDES]
before = common.conf
[general]
enabled = true
filter = generic-auth
action = iptables-allports[name=General, protocol=tcp]
logpath = /var/log/secure
maxretry = 3
By implementing these Fail2Ban configurations, you can significantly enhance the security of your Linux-based system by automatically blocking IP addresses that make repeated login attempts or brute-force attacks against the various services it runs.