Enhancing Security with 17 Fail2Ban Configurations
Fail2Ban is an excellent tool for enhancing the security of your Linux-based systems by automatically blocking IP addresses that repeatedly fail to log in, brute-force a service, or otherwise behave abusively according to its logs. In this article, we will explore 17 detailed Fail2Ban configurations to help you improve the security posture of your system.
Table of Contents
- Introduction
- Configurations
- 2.1. SSH Brute-Force Protection
- 2.2. FTP Brute-Force Protection
- 2.3. MySQL Brute-Force Protection
- 2.4. Postfix Mail Server Protection
- 2.5. Apache Web Server Protection
- 2.6. SSH Key Authentication Protection
- 2.7. SSH Port Knocking Protection
- 2.8. OpenVPN Protection
- 2.9. PostgreSQL Protection
- 2.10. Redis Protection
- 2.11. Memcached Protection
- 2.12. Apache Tomcat Protection
- 2.13. Nginx Web Server Protection
- 2.14. IMAP Brute-Force Protection
- 2.15. POP3 Brute-Force Protection
- 2.16. HTTP Brute-Force Protection
- 2.17. General Purpose Configuration
Introduction
Fail2Ban is a log-driven intrusion prevention tool. It tails log files (or the systemd journal) for lines that a filter's regular expressions identify as failures, counts them per source address within a time window (findtime), and when an address reaches maxretry it runs an action, normally adding a firewall rule (iptables, nftables or firewalld) that drops that address's traffic for bantime, after which the rule is removed again. It does not restart services, and it can only act on addresses that actually appear in the log lines it reads.
In this article, we will explore 17 Fail2Ban configurations for services commonly run on Linux systems, together with the checks that decide whether a jail actually bans anything: the filter must exist, the log path must be right for your distribution, and the log must record the client address.
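To make the mechanism concrete, here is a small Python model of one jail, added as an example (it is not Fail2Ban's own code): a filter is a list of regular expressions with a host-capturing group, matches are counted per address inside a sliding findtime window, ignoreip exempts addresses, and reaching maxretry bans. The two failregex patterns are simplified versions of sshd patterns, the syslog lines are constructed, and the HOST pattern is a simplified stand-in for Fail2Ban's <HOST> tag:

```python
"""Minimal model of a Fail2Ban jail: failregex + findtime window + maxretry + ignoreip.

Added example, not Fail2Ban's own code. The patterns are simplified versions
of two sshd failregex entries and the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fail2Ban expands the <HOST> tag to a group that captures an address or hostname;
# this is a simplified stand-in (assumption: hosts never contain whitespace).
HOST = r"(?P<host>\S+)"

SSHD_FAILREGEX = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+"),
    # lines like this are matched only in the sshd filter's ddos/aggressive modes
    re.compile(r"Connection closed by authenticating user \S+ " + HOST + r" port \d+ \[preauth\]"),
]

# rsyslog-style prefix: "Mar  4 10:00:01 host sshd[pid]: ..."
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


class Jail:
    """findtime and bantime are in seconds, as in jail.local."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=3600,
                 ignoreip=("127.0.0.0/8",)):
        self.failregex = failregex
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps inside the window
        self.banned = {}                    # host -> ban expiry

    def _ignored(self, host):
        try:
            return any(ip_address(host) in n for n in self.ignore)
        except ValueError:
            return False                    # hostname, not an address

    def feed(self, line, year=2024):
        """Process one log line; return the host if this line triggers a ban."""
        m = SYSLOG_TS.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hit = next((h for h in (rx.search(line) for rx in self.failregex) if h), None)
        if hit is None:
            return None
        host = hit.group("host")
        if self._ignored(host) or host in self.banned:
            return None
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            window.clear()
            return host
        return None


def run(lines, **jail_options):
    """Feed every line to a fresh jail; return (banned hosts in order, jail)."""
    jail = Jail(SSHD_FAILREGEX, **jail_options)
    bans = [h for h in (jail.feed(line) for line in lines) if h]
    return bans, jail


# Constructed auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar  4 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Mar  4 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  4 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.10 port 51002 ssh2
Mar  4 10:00:09 host sshd[1005]: Failed password for root from 127.0.0.1 port 51003 ssh2
Mar  4 10:00:10 host sshd[1006]: Failed password for root from 127.0.0.1 port 51004 ssh2
Mar  4 10:00:11 host sshd[1007]: Failed password for root from 127.0.0.1 port 51005 ssh2
Mar  4 10:01:00 host sshd[1008]: Failed password for bob from 192.0.2.5 port 52000 ssh2
Mar  4 10:20:00 host sshd[1009]: Failed password for bob from 192.0.2.5 port 52001 ssh2
Mar  4 10:40:00 host sshd[1010]: Failed password for bob from 192.0.2.5 port 52002 ssh2
Mar  4 10:40:01 host sshd[1011]: Connection closed by authenticating user bob 192.0.2.5 port 52003 [preauth]
""".splitlines()

if __name__ == "__main__":
    bans, jail = run(SAMPLE_LOG)
    print("banned:", bans)                                      # ['203.0.113.10']
    print("still counting for 192.0.2.5:", len(jail.failures["192.0.2.5"]))
```

Note what the constructed log shows: 203.0.113.10 is banned on its third failure; 127.0.0.1 is never counted because of ignoreip; 192.0.2.5 fails four times but never three times within ten minutes, so it is not banned, which is exactly how a slow, spaced-out guesser slips under the default findtime. Widening the window (run(SAMPLE_LOG, findtime=3600)) catches it. The real daemon additionally has to recognise the timestamp format of each log, which is why fail2ban-regex, not a Python one-off, is the tool for validating a filter against your actual log.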
Configurations
All of the jails below belong in /etc/fail2ban/jail.local (or a file under /etc/fail2ban/jail.d/), never in jail.conf, which package upgrades overwrite. Each jail names a filter from /etc/fail2ban/filter.d/, the log it should read, and the action that bans. The iptables action used here creates a chain per jail and inserts a DROP rule for the banned address on the given port; on hosts that use nftables or firewalld, switch to the nftables or firewallcmd-ipset action instead. maxretry counts matches from one address within findtime (default 10 minutes), and a ban lasts bantime (default 10 minutes); set both under [DEFAULT] in jail.local to change them for every jail, and list your own management addresses in ignoreip there. Apply changes with fail2ban-client reload and inspect a jail with fail2ban-client status <jail>.
SSH Brute-Force Protection
To protect against SSH brute-force attacks, add the following jail. The sshd filter in aggressive mode also matches the pre-authentication disconnects and protocol abuse that the older sshd-ddos filter covered, so one jail is enough:
```ini
[sshd]
enabled  = true
filter   = sshd[mode=aggressive]
action   = iptables[name=SSH, port="ssh", protocol="tcp"]
# %(sshd_log)s is /var/log/auth.log on Debian/Ubuntu and /var/log/secure on RHEL-family systems
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
maxretry = 3
```
If sshd listens on a non-standard port, put that port number in the port parameter: the filter does not care which port the login came in on, but the DROP rule does.
FTP Brute-Force Protection
Fail2Ban has no generic ftpd filter (and no ftpd-ddos); it ships one per FTP server: vsftpd, proftpd, pure-ftpd and wuftpd. The jail below is for vsftpd; pick the filter and log path that match the daemon you actually run:
```ini
[vsftpd]
enabled  = true
filter   = vsftpd
action   = iptables[name=FTP, port="ftp", protocol="tcp"]
# default vsftpd log; if syslog_enable=YES is set in vsftpd.conf, point this at the auth log instead
logpath  = /var/log/vsftpd.log
maxretry = 3
```
Blocking port 21 alone is enough to stop further logins, because every new session starts on the control channel regardless of the data-connection ports in use.
MySQL Brute-Force Protection
The shipped filter for MySQL and MariaDB is mysqld-auth (there is no filter called mysql). It only works if the server writes failed logins to its error log: set log_warnings = 2 on MySQL 5.x or log_error_verbosity = 3 on MySQL 8 (MariaDB has its own log_warnings levels), then confirm with a deliberate wrong password that an "Access denied for user" line appears in the log before enabling the jail:
```ini
[mysqld-auth]
enabled  = true
filter   = mysqld-auth
action   = iptables[name=MySQL, port="3306", protocol="tcp"]
# /var/log/mysqld.log on RHEL-family packages, /var/log/mysql/error.log on Debian/Ubuntu
logpath  = /var/log/mysqld.log
maxretry = 5
```
If MySQL only listens on localhost (bind-address = 127.0.0.1), network brute force is not possible and this jail has nothing to do; the better control is to keep it that way.
Postfix Mail Server Protection
To protect Postfix against SMTP authentication brute force and the most common abuse patterns, add the following jail. The postfix filter in aggressive mode combines its modes, so it matches SASL authentication failures as well as rejected clients; include the submission port, because that is where authenticated clients, and therefore password guessing, arrive:
```ini
[postfix]
enabled  = true
filter   = postfix[mode=aggressive]
# iptables-multiport takes a port list; the plain iptables action takes one port
action   = iptables-multiport[name=Postfix, port="smtp,465,submission", protocol="tcp"]
# %(postfix_log)s is /var/log/mail.log on Debian/Ubuntu and /var/log/maillog on RHEL-family systems
logpath  = %(postfix_log)s
maxretry = 3
```
Apache Web Server Protection
The apache-auth filter matches failed HTTP basic and digest authentication, the "authentication failure" and "user not found" lines Apache writes to its error log. It does not see logins implemented by a web application; those need a filter for the application's own log. Cover both HTTP and HTTPS, since the same credentials are normally accepted on both:
```ini
[apache-auth]
enabled  = true
filter   = apache-auth
# iptables-multiport takes a port list; the plain iptables action takes one port
action   = iptables-multiport[name=Apache, port="http,https", protocol="tcp"]
# %(apache_error_log)s is /var/log/httpd/error_log on RHEL-family systems and /var/log/apache2/*error.log on Debian/Ubuntu
logpath  = %(apache_error_log)s
maxretry = 3
```
If Apache sits behind a reverse proxy or load balancer, the error log shows the proxy's address and this jail would ban the proxy for everyone. In that setup ban at the edge, or make sure the logged address is the real client before enabling the jail.
SSH Key Authentication Protection
Public-key authentication cannot be brute-forced in the password sense, and it needs no jail of its own. The sshd filter used by the SSH jail above, in ddos or aggressive mode, already matches the lines a key-only server produces when a client runs out of keys or disconnects before authenticating ("Connection closed by authenticating user ... [preauth]" and similar). A second jail with the same filter on the same log, which is all the original sshd-key jail was, would only ban each address twice under two chain names. The effective hardening here is in sshd_config rather than in Fail2Ban: set PasswordAuthentication no so that the only thing left to guess is the key, and let the SSH jail rate-limit the remaining noise.
SSH Port Knocking Protection
Port knocking is a separate control, not a Fail2Ban jail. A knock daemon such as knockd keeps the SSH port closed until a client sends a specific sequence of connection attempts and then opens it for that client only; Fail2Ban ships no filter for knock daemons, and the original sshd-port-knock jail was simply the SSH jail again under another name, which bans nothing new. The two complement each other: port knocking keeps the bulk of scanners from ever reaching sshd, and the SSH jail above handles whoever gets through. If you use knockd, close the port again after a timeout and keep the sshd jail enabled so that the open window is still rate-limited.
OpenVPN Protection
Fail2Ban ships no openvpn filter, so this jail only works once you create /etc/fail2ban/filter.d/openvpn.conf with a failregex written against your server's own log lines (OpenVPN prefixes per-peer messages such as failed username/password checks and TLS verification errors with the client's address and port). The original jail also had port and protocol backwards; OpenVPN's default is UDP 1194:
```ini
[openvpn]
enabled  = true
# custom filter, see above; validate it with: fail2ban-regex /var/log/openvpn.log openvpn
filter   = openvpn
action   = iptables[name=OpenVPN, port="1194", protocol="udp"]
# matches a "log /var/log/openvpn.log" or "log-append" directive in server.conf;
# if OpenVPN logs via syslog, use /var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL-family)
logpath  = /var/log/openvpn.log
maxretry = 5
```
Write and validate the filter before enabling the jail: a filter that never matches gives a false sense of coverage, and one that over-matches will ban your own users after a flaky TLS handshake.
PostgreSQL Protection
Fail2Ban ships no postgresql filter either; you need /etc/fail2ban/filter.d/postgresql.conf with a failregex for the "FATAL:  password authentication failed for user" and "no pg_hba.conf entry for host" lines. First check the server log: with the default log_line_prefix ('%m [%p] ') those lines do not contain the client address, so there is nothing to ban. Add %h (or %r) to log_line_prefix in postgresql.conf, for example '%m [%p] %h ', reload, and only then enable the jail:
```ini
[postgresql]
enabled  = true
# custom filter, see above; validate it with fail2ban-regex before enabling
filter   = postgresql
action   = iptables[name=PostgreSQL, port="5432", protocol="tcp"]
# Debian/Ubuntu packages; on RHEL-family systems the log lives under the cluster's data directory
logpath  = /var/log/postgresql/postgresql-*-main.log
maxretry = 5
```
As with MySQL, if PostgreSQL only accepts connections on localhost (listen_addresses = 'localhost'), network brute force is not possible and the jail is unnecessary.
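The PostgreSQL case is a good place to show how a custom filter is written and dry-run, because the point above (no client address in the line, no ban) is easy to get wrong. The block below is an added example, not part of Fail2Ban or PostgreSQL: the failregex is one I wrote in the form filter.d/<name>.conf expects, the <HOST> expansion is a simplified stand-in for Fail2Ban's own, and the log lines are constructed to reflect the two log_line_prefix settings discussed above.

```python
"""Author and dry-run a custom Fail2Ban filter for PostgreSQL authentication failures.

Added example, not part of Fail2Ban or PostgreSQL. The failregex is written the
way /etc/fail2ban/filter.d/<name>.conf expects it (with the <HOST> tag); the log
lines are constructed.
"""
import re

# What you would put under [Definition] as "failregex =" in filter.d/postgresql.conf.
FAILREGEX = (
    r'^.*\[\d+\] <HOST> FATAL:\s+'
    r'(?:password authentication failed for user|no pg_hba\.conf entry for host) .*$'
)

# Fail2Ban replaces <HOST> with a group capturing an IPv4/IPv6 address or hostname;
# this is a simplified stand-in (assumption: no whitespace or brackets in a host).
HOST_RE = r'(?P<host>[\w\-.:]+)'

# Lines that are authentication failures whether or not they carry an address.
FAILURE_TEXT = re.compile(r'FATAL:\s+(?:password authentication failed|no pg_hba\.conf entry)')


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile, as Fail2Ban does when loading a filter."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def dry_run(lines, failregex=FAILREGEX):
    """Return (hosts the jail could act on, failure lines it cannot act on)."""
    rx = compile_failregex(failregex)
    hosts, unbannable = [], []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group('host'))
        elif FAILURE_TEXT.search(line):
            unbannable.append(line)   # a real failure with no address to ban
    return hosts, unbannable


# Constructed lines. With log_line_prefix = '%m [%p] %h ' the client address is present;
# with PostgreSQL's default '%m [%p] ' it is not, and the jail can never ban anyone.
WITH_HOST = [
    '2024-03-04 10:00:01.123 UTC [2345] 203.0.113.10 FATAL:  password authentication failed for user "postgres"',
    '2024-03-04 10:00:02.456 UTC [2346] 203.0.113.10 FATAL:  no pg_hba.conf entry for host "203.0.113.10", user "app", database "app", no encryption',
    # Unix-socket client: %h renders as [local], which is not an address and must not match
    '2024-03-04 10:00:03.789 UTC [2347] [local] FATAL:  password authentication failed for user "root"',
]
WITHOUT_HOST = [
    '2024-03-04 10:00:01.123 UTC [2345] FATAL:  password authentication failed for user "postgres"',
]

if __name__ == '__main__':
    print(dry_run(WITH_HOST))      # (['203.0.113.10', '203.0.113.10'], [<the [local] line>])
    print(dry_run(WITHOUT_HOST))   # ([], [<the line>]): nothing to ban
```

dry_run returns both the addresses the jail could act on and the failure lines it would silently ignore; the [local] line lands in the second list as well, since a Unix-socket client has no address to ban, which is correct behaviour rather than a gap. Once the regex behaves here, put it in filter.d/postgresql.conf and confirm against the real log with fail2ban-regex, which additionally checks that the timestamp is recognised.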
Redis Protection
A log-based jail is the wrong tool for Redis. The server does not write failed AUTH commands to its log file (Redis 6 and later records them only in the in-memory ACL LOG), so there is no line containing a client address for a filter to match, and Fail2Ban ships no redis filter. The controls that actually stop password guessing are in redis.conf: keep protected-mode yes, bind the listener to 127.0.0.1 or a private interface, set requirepass or per-user ACLs with long random secrets, and filter port 6379 at the host firewall so that only application hosts reach it. If you nevertheless expose Redis and front it with something that logs authentication failures together with the client address, the jail skeleton looks like this, with a filter you write for that log:
```ini
[redis]
enabled  = false
# no shipped filter; enable only once filter.d/redis.conf matches a log that records the client IP
filter   = redis
action   = iptables[name=Redis, port="6379", protocol="tcp"]
logpath  = /var/log/redis/redis-server.log
maxretry = 5
```
Memcached Protection
Memcached has no authentication in its default text protocol, so "brute force" does not apply and there is no failed-login line for a filter to match; the risk is the opposite one, an open cache that anyone can read, write, or use for UDP amplification. Protect it by binding to localhost or a private interface (-l 127.0.0.1), disabling UDP (-U 0), and blocking 11211 at the host firewall. A jail only makes sense if you run Memcached with SASL and a log that records failed authentications with the client address, and then it needs a filter you write yourself:
```ini
[memcached]
enabled  = false
# no shipped filter; enable only once filter.d/memcached.conf matches a log that records the client IP
filter   = memcached
action   = iptables[name=Memcached, port="11211", protocol="tcp"]
logpath  = /var/log/memcached.log
maxretry = 5
```
Apache Tomcat Protection
Fail2Ban ships no tomcat filter. Tomcat's access log (written by the AccessLogValve as localhost_access_log.<date>.txt) records the client address and the status of each request, so a filter for failed Manager and Host Manager logins is normally written against the 401 responses in that log. Tomcat also listens on 8080 by default, not 80:
```ini
[tomcat]
enabled  = true
# custom filter matching 401 responses in the access log; validate with fail2ban-regex before enabling
filter   = tomcat-auth
action   = iptables[name=Tomcat, port="8080", protocol="tcp"]
# Debian/Ubuntu tomcat9 package; for other versions or a manual install use $CATALINA_BASE/logs
logpath  = /var/log/tomcat9/localhost_access_log.*.txt
maxretry = 3
```
Tomcat's own LockOutRealm (on by default in server.xml) locks the account after repeated failures, which stops the guessing but also lets an attacker lock out the administrator; Fail2Ban adds the per-address block that the realm lacks.
Nginx Web Server Protection
The shipped filter is nginx-http-auth (there is no nginx-auth). It matches the "password mismatch" and "was not found" lines that nginx writes to its error log when auth_basic rejects a request, so it covers basic authentication only, not application logins. Include HTTPS:
```ini
[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
# iptables-multiport takes a port list; the plain iptables action takes one port
action   = iptables-multiport[name=Nginx, port="http,https", protocol="tcp"]
# %(nginx_error_log)s is /var/log/nginx/error.log
logpath  = %(nginx_error_log)s
maxretry = 3
```
IMAP Brute-Force Protection
There is no imap filter; Fail2Ban ships filters per IMAP server (dovecot, courier-auth, cyrus-imap, uwimap-auth). The jail below is for Dovecot, which logs failed logins as "Disconnected (auth failed, N attempts in M secs)" with the client address (rip=) in the mail log:
```ini
[dovecot-imap]
enabled  = true
filter   = dovecot
# iptables-multiport takes a port list; the plain iptables action takes one port
action   = iptables-multiport[name=IMAP, port="imap,imaps", protocol="tcp"]
# %(dovecot_log)s is /var/log/mail.log on Debian/Ubuntu and /var/log/maillog on RHEL-family systems
logpath  = %(dovecot_log)s
maxretry = 3
```
POP3 Brute-Force Protection
If the same Dovecot instance serves IMAP and POP3, do not add a second jail: the dovecot filter matches pop3-login failures from the same log, and two jails would ban the same address twice. Extend the IMAP jail's port list to "imap,imaps,pop3,pop3s" instead. A separate POP3 jail is only for a dedicated POP3 server, using that server's filter (solid-pop3d or courier-auth, for example). For a Dovecot host serving POP3 only:
```ini
[dovecot-pop3]
enabled  = true
filter   = dovecot
# iptables-multiport takes a port list; the plain iptables action takes one port
action   = iptables-multiport[name=POP3, port="pop3,pop3s", protocol="tcp"]
# %(dovecot_log)s is /var/log/mail.log on Debian/Ubuntu and /var/log/maillog on RHEL-family systems
logpath  = %(dovecot_log)s
maxretry = 3
```
HTTP Brute-Force Protection
The original http jail was the Apache jail again with a filter (http-auth) that does not exist. HTTP authentication is handled by the web server, so it is already covered by the apache-auth or nginx-http-auth jails above; do not run a second jail on the same error log. What those jails do not cover is a login form served by the application: the server logs the POST to the login URL with a 200 or 302 status whether or not the password was right, so there is no failure line to match. For that case the application has to log failed logins with the client address (or the access log has to show a distinguishing status on the login URL), and you write a filter against that log. For common applications Fail2Ban already ships such filters, among them roundcube-auth, drupal-auth, phpmyadmin-syslog, gitlab and grafana.
General Purpose Configuration
The original generic-auth filter does not exist, and port="all" is not valid for the iptables action (it becomes --dport all and the rule fails to load). For a catch-all there are two shipped pieces: the pam-generic filter, which matches PAM authentication failures from any PAM-aware service in the auth log, and the iptables-allports action, which drops all traffic from the banned address instead of one port:
```ini
[pam-generic]
enabled  = true
filter   = pam-generic
action   = iptables-allports[name=General]
# %(syslog_authpriv)s is /var/log/auth.log on Debian/Ubuntu and /var/log/secure on RHEL-family systems
logpath  = %(syslog_authpriv)s
maxretry = 3
```
The other general-purpose jail worth enabling is the shipped recidive jail, which reads Fail2Ban's own log and applies a much longer all-ports ban to addresses that have already been banned repeatedly by any other jail.
This configuration can be used as a starting point and customized to fit the specific needs of your system.
Before relying on any of these jails, check that each one actually works: run fail2ban-client -t to validate the configuration, fail2ban-regex <logfile> <filter> to confirm the filter matches your real log lines (and does not match successful logins), and, after a deliberate failed login from a test address, fail2ban-client status <jail> to see that address in the banned list. Keep your own management addresses in ignoreip under [DEFAULT] so that a typo cannot lock you out. With that in place, these Fail2Ban configurations automatically block addresses that repeatedly fail to authenticate against the services above and remove most of the noise from opportunistic brute force; they do not replace strong credentials, key-based SSH, or keeping databases and caches off the network in the first place.