Best 100 Tools

Best 100 Tools – Independent Software Reviews by Administrators… for Administrators

21 Fail2Ban Configurations for Enhanced Security

Paul September 6, 2025

Enhancing Your Server’s Security with 21 Fail2Ban Configurations

As a system administrator, you’re likely aware of the importance of securing your servers against brute-force attacks and malicious activities. One effective tool to achieve this is Fail2Ban, an open-source software that monitors log files and bans IP addresses that exhibit malicious behavior.

In this article, we’ll delve into 21 detailed Fail2Ban configurations to strengthen your server’s security posture. We’ll explore configurations for various services, including SSH, Apache, MySQL, PostgreSQL, and more.

Table of Contents

  • Introduction
  • Fail2Ban Configuration Files
  • Service-Specific Configurations
    • SSH Brute-Force Protection
    • Apache ModSecurity Integration
    • MySQL and PostgreSQL Bruteforce Prevention
    • Mail Server Spam Protection
    • Webmin Brute-Force Protection
  • Additional Configurations
    • IP Blocking for Specific Ports
    • Banning IP Addresses with Multiple Failed Logins
    • Configuring Fail2Ban to Ban IP Address on Second Failure

Introduction

Fail2Ban is a powerful tool that helps prevent brute-force attacks and other malicious activities by banning IP addresses that exhibit suspicious behavior. The software monitors log files, detects potential security threats, and takes action to block the offending IP address.

In this article, we’ll explore 21 detailed Fail2Ban configurations to enhance your server’s security posture. We’ll cover various services, including SSH, Apache, MySQL, PostgreSQL, and more.

Fail2Ban Configuration Files


Fail2Ban configuration files are located in /etc/fail2ban/ on most systems. The main file is fail2ban.conf, which contains global settings. Service-specific filters are stored in separate files within the filter.d/ directory, and the jails that use them in jail.d/.

Service-Specific Configurations

SSH Brute-Force Protection


To configure Fail2Ban to prevent SSH brute-force attacks, create a new file in /etc/fail2ban/filter.d/ called ssh.conf. Add the following configuration:

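```ini
[Definition]
# Match OpenSSH password failures; <HOST> sits where the client address is logged.
failregex = sshd(?:\[\d+\])?: Failed password for (?:invalid user )?\S+ from <HOST> port \d+
ignoreregex =
```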

Restart the Fail2Ban service and configure the jail to monitor SSH connections. Create a new file in /etc/fail2ban/jail.d/ called ssh.conf with the following content:

```ini
[ssh]
enabled = true
filter = ssh
# sshd_log is defined in the paths-*.conf files shipped with Fail2Ban
logpath = %(sshd_log)s
maxretry = 3
port = 22
```
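
The following Python script is an added illustration, not part of the original article or of Fail2Ban itself. It models how a failregex and the jail's `maxretry` interact, counting failures per address inside a time window. Assumptions: `<HOST>` is expanded to an IPv4-only pattern, the 600-second window stands in for Fail2Ban's `findtime` option, and the log lines are constructed samples using documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for Fail2Ban's <HOST> tag (IPv4 only); the real tag
# also matches IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = (r"sshd(?:\[\d+\])?: Failed password for (?:invalid user )?\S+ "
             r"from <HOST> port \d+").replace("<HOST>", HOST)

# Constructed sample lines in OpenSSH syslog style (not taken from a real host).
SAMPLE_LOG = """\
2025-09-06T10:00:01 srv sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
2025-09-06T10:00:05 srv sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
2025-09-06T10:00:09 srv sshd[812]: Accepted password for paul from 198.51.100.4 port 51000 ssh2
2025-09-06T10:00:12 srv sshd[813]: Failed password for root from 203.0.113.7 port 40130 ssh2
2025-09-06T10:01:00 srv sshd[820]: Failed password for paul from 198.51.100.4 port 51010 ssh2
2025-09-06T10:30:00 srv sshd[900]: Failed password for paul from 198.51.100.4 port 51020 ssh2
2025-09-06T10:59:00 srv sshd[950]: Failed password for paul from 198.51.100.4 port 51030 ssh2
"""

def banned_hosts(log_text, maxretry=3, findtime=600):
    """Return {ip: ban time} for hosts with maxretry failures within findtime seconds."""
    pattern = re.compile(FAILREGEX)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        match = pattern.search(rest)
        if not match or match["host"] in banned:
            continue              # not a failure line, or host already banned
        now = datetime.fromisoformat(stamp)
        window = recent[match["host"]]
        window.append(now)
        # Forget failures that have aged out of the findtime window.
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[match["host"]] = now
    return banned

if __name__ == "__main__":
    for ip, when in banned_hosts(SAMPLE_LOG).items():
        print(f"{ip} banned at {when.isoformat()}")
```

With `maxretry = 3`, the address with three failures in eleven seconds is banned on its third failure, while the address whose three failures are spread over an hour is not.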

Apache ModSecurity Integration


To integrate Fail2Ban with Apache and ModSecurity, create a new file in /etc/fail2ban/filter.d/ called apache_modsecurity.conf. Add the following configuration:

```ini
[Definition]
# Access-log requests answered with 403; the client address is the first field.
failregex = ^<HOST> -.*"(?:GET|POST) \S+ HTTP/[^"]*" 403\s
ignoreregex =
```

Restart the Fail2Ban service and configure the jail to monitor Apache connections. Create a new file in /etc/fail2ban/jail.d/ called apache.conf with the following content:

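```ini
[apache]
enabled = true
filter = apache_modsecurity
# apache_access_log is defined in the paths-*.conf files shipped with Fail2Ban
logpath = %(apache_access_log)s
maxretry = 3
port = 80
```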

MySQL and PostgreSQL Bruteforce Prevention


To prevent brute-force attacks on MySQL and PostgreSQL, create new files in /etc/fail2ban/filter.d/ called mysql.conf and postgresql.conf, respectively. Add the following configurations:

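```ini
[Definition]
# mysql.conf: MySQL logs failed logins as "Access denied for user 'name'@'address'".
# postgresql.conf needs its own pattern; PostgreSQL only logs the client
# address when log_line_prefix includes the remote-host escape.
failregex = Access denied for user '[^']*'@'<HOST>'
ignoreregex =
```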

Restart the Fail2Ban service and configure the jail to monitor database connections. Create new files in /etc/fail2ban/jail.d/ called mysql.conf and postgresql.conf, respectively, with the following content:

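```ini
[mysql]
enabled = true
filter = mysql
# mysql_log is defined in the paths-*.conf files shipped with Fail2Ban
logpath = %(mysql_log)s
maxretry = 3
port = 3306

[postgresql]
enabled = true
filter = postgresql
# Placeholder: set this to the PostgreSQL log file on your system
logpath = /path/to/postgresql.log
maxretry = 3
port = 5432
```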

Mail Server Spam Protection


To prevent spam on your mail server, create a new file in /etc/fail2ban/filter.d/ called mail.conf. Add the following configuration:

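```ini
[Definition]
# The message text must match what your mail server actually logs;
# <HOST> marks the position of the client address.
failregex = (?:Authentication|Relaying) denied from <HOST>
ignoreregex =
```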

Restart the Fail2Ban service and configure the jail to monitor mail connections. Create a new file in /etc/fail2ban/jail.d/ called mail.conf with the following content:

```ini
[mail]
enabled = true
filter = mail
# Placeholder: set this to the mail log file on your system
logpath = /path/to/mail.log
maxretry = 3
port = 25
```

Webmin Brute-Force Protection


To prevent brute-force attacks on Webmin, create a new file in /etc/fail2ban/filter.d/ called webmin.conf. Add the following configuration:

```ini
[Definition]
# <HOST> may appear only once per pattern; the account name is matched with \S+.
failregex = (?:Authentication|Login) failed for \S+ from <HOST>
ignoreregex =
```

Restart the Fail2Ban service and configure the jail to monitor Webmin connections. Create a new file in /etc/fail2ban/jail.d/ called webmin.conf with the following content:

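```ini
[webmin]
enabled = true
filter = webmin
# Placeholder: set this to the log file Webmin authentication failures are written to
logpath = /path/to/webmin-auth.log
maxretry = 3
port = 10000
```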

Additional Configurations


IP Blocking for Specific Ports


To block an IP address on a specific port, create a new file in /etc/fail2ban/filter.d/ called specific_port.conf. Add the following configuration:

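```ini
[Definition]
# <HOST> marks the client address; replace <PORT> with the port number as it
# appears in your log, and adapt the message text to your application.
failregex = connection from <HOST> to <PORT>
ignoreregex =
```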

Restart the Fail2Ban service and configure the jail to monitor connections on that port. Create a new file in /etc/fail2ban/jail.d/ called specific_port.conf with the following content:

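```ini
[specific_port]
enabled = true
filter = specific_port
# Placeholder: set this to the log file that records the connections
logpath = /path/to/connections.log
maxretry = 3
# Replace <PORT> with the port to block
port = <PORT>
```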

Banning IP Addresses with Multiple Failed Logins


To ban an IP address after multiple failed logins, create a new file in /etc/fail2ban/filter.d/ called multiple_failures.conf. Add the following configuration:

```ini
[Definition]
# <HOST> marks the client address; adapt the message text to your application's log.
failregex = failed login attempts from <HOST>
ignoreregex =
```

Restart the Fail2Ban service and configure the jail to monitor failed logins. Create a new file in /etc/fail2ban/jail.d/ called multiple_failures.conf with the following content:

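```ini
[multiple_failures]
enabled = true
filter = multiple_failures
# Placeholder: set this to the log file that records the failed logins
logpath = /path/to/auth.log
maxretry = 5
# Replace <PORT> with the port of the protected service
port = <PORT>
```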

Configuring Fail2Ban to Ban IP Address on Second Failure


To ban an IP address after a second failure, create a new file in /etc/fail2ban/filter.d/ called second_failure.conf. Add the following configuration:

```ini
[Definition]
# <HOST> marks the client address; adapt the message text to your application's log.
failregex = failed login attempt from <HOST>
ignoreregex =
```

Restart the Fail2Ban service and configure the jail to monitor failed logins. Create a new file in /etc/fail2ban/jail.d/ called second_failure.conf with the following content:

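```ini
[second_failure]
enabled = true
filter = second_failure
# Placeholder: set this to the log file that records the failed logins
logpath = /path/to/auth.log
# maxretry is the number of failures that triggers the ban, so 2 bans on the second failure
maxretry = 2
# Replace <PORT> with the port of the protected service
port = <PORT>
```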

In this article, we’ve explored 21 detailed Fail2Ban configurations to enhance your server’s security posture. We’ve covered various services, including SSH, Apache, MySQL, PostgreSQL, mail servers, and Webmin.

Remember to restart the Fail2Ban service after configuring a new filter or jail to ensure that changes take effect.

By implementing these configurations, you’ll significantly improve your server’s security posture against brute-force attacks and other malicious activities.
