Enhancing Your Server’s Security with 13 Fail2Ban Configurations
As a server administrator you know the threats: brute-force logins, SQL injection, cross-site scripting (XSS). Fail2Ban, an open-source daemon, helps with the part of that picture that leaves traces in log files: it tails the logs, matches each line against a filter's failregex, and bans (normally through a firewall rule) any source address that accumulates too many matches within a configurable window.
In this article we walk through 13 Fail2Ban jail definitions. Each one comes with the stanza for jail.local and an explanation of which log it watches and when it bans.
1. Basic SSH Configuration
The first jail covers SSH logins. This stanza and the ones that follow belong in /etc/fail2ban/jail.local, which overrides the shipped jail.conf; a jail is inert until it carries enabled = true. Fail2Ban's [INCLUDES] / before = common.conf mechanism is for filter files under filter.d/, so a jail stanza does not need it.
```ini
[sshd]
enabled = true
filter = sshd
logpath = /var/log/secure
# Debian/Ubuntu log to /var/log/auth.log; on journald-only hosts drop logpath and set backend = systemd
maxretry = 3
findtime = 300
bantime = 600
action = iptables[name=SSH, port=ssh, protocol=tcp]
```
Fail2Ban tails /var/log/secure for sshd authentication failures. An IP address that reaches three failures (maxretry) within the five-minute findtime window is banned for 600 seconds (bantime, ten minutes); the iptables rule is removed automatically when the ban expires. Reload with fail2ban-client reload and confirm the jail is running with fail2ban-client status sshd.
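The interplay of maxretry, findtime and bantime is the part of a jail most often misread, so here is an added Python simulation of it. This is illustration code written for this article, not Fail2Ban's own implementation: FAILREGEX is a simplified form of the stock sshd filter's "Failed password" pattern, the log lines are constructed, and syslog timestamps (which carry no year) are assumed to be from 2024.

```python
"""Simulate how a Fail2Ban jail applies maxretry, findtime and bantime.

Added illustration, not Fail2Ban's own code. FAILREGEX is a simplified form of
the stock sshd filter's "Failed password" pattern, the log lines are
constructed, and syslog timestamps (which carry no year) are assumed to be 2024.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failure pattern; in a real filter file <HOST> stands for the host group.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def parse_ts(text, year=2024):
    """Syslog timestamps have no year; assume one so lines can be ordered."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

class Jail:
    def __init__(self, maxretry=3, findtime=300, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> time the ban expires
        self.events = []                    # (time, host, "ban" | "unban")

    def _expire_bans(self, now):
        # bantime: a ban is lifted once bantime seconds have passed
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.events.append((until, host, "unban"))

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None                     # not a failure: nothing to count
        now = parse_ts(m.group("ts"))
        self._expire_bans(now)
        host = m.group("host")
        if host in self.bans:
            return None                     # already banned, the firewall drops it
        window = self.failures[host]
        window.append(now)
        # findtime: only failures within the last findtime seconds count
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:    # maxretry failures inside the window
            self.bans[host] = now + timedelta(seconds=self.bantime)
            window.clear()
            self.events.append((now, host, "ban"))
            return host
        return None

    def banned_hosts(self):
        return sorted(self.bans)

# Constructed log lines: one fast attacker, one slow attacker, one legitimate login.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:10 bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:02:30 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar  3 10:03:00 bastion sshd[1204]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:10:00 bastion sshd[1205]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:12:00 bastion sshd[1206]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:13:00 bastion sshd[1207]: Accepted publickey for deploy from 192.0.2.5 port 41000 ssh2
""".splitlines()

def run(lines, **cfg):
    """Feed every line through a fresh jail; return (hosts banned, in order, and the jail)."""
    jail = Jail(**cfg)
    banned = [h for h in map(jail.feed, lines) if h]
    return banned, jail

if __name__ == "__main__":
    banned, jail = run(SAMPLE_LOG)
    print("banned with findtime=300:", banned)   # only the fast attacker
    banned, _ = run(SAMPLE_LOG, findtime=900)
    print("banned with findtime=900:", banned)   # the slow one as well
```

With the jail's own values (three failures in five minutes) only the fast attacker at 203.0.113.7 is banned; the host spreading its three attempts over nine minutes is never caught, which is what widening findtime is for. The bantime clock is independent: once 600 seconds pass, the ban is lifted and the counter for that host starts from zero again.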
2. Apache Configuration
This jail protects HTTP Basic and Digest authentication on Apache against password guessing. It uses the stock apache-auth filter, which matches the "user ... authentication failure", "user ... not found" and "password mismatch" lines Apache writes to its error log.
```ini
[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
maxretry = 3
findtime = 7200
bantime = 1800
# to cover TLS as well, switch to the iptables-multiport action with port=http,https
action = iptables[name=Apache-Auth, port=http, protocol=tcp]
```
Fail2Ban monitors the Apache error log for authentication failures. An IP address that reaches three failures (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
3. MySQL Configuration
This jail protects MySQL against password guessing. The stock mysqld-auth filter matches the server's "Access denied for user" lines. Fail2Ban sees only authentication failures in the log, not query content, so it does not stop SQL injection carried over an already authenticated application connection.
```ini
[mysqld-auth]
enabled = true
filter = mysqld-auth
logpath = /var/log/mysqld.log
# MySQL/MariaDB only write failed logins to the error log when verbosity is raised (log_error_verbosity / log_warnings)
maxretry = 2
findtime = 3600
bantime = 3600
action = iptables[name=MySQL, port=mysql, protocol=tcp]
```
Fail2Ban monitors the MySQL error log for denied logins. An IP address that reaches two failures (maxretry) within the one-hour findtime window is banned for 3600 seconds (bantime, one hour).
4. PostgreSQL Configuration
This jail covers PostgreSQL password failures. Fail2Ban ships no PostgreSQL filter, so postgresql-auth has to be written by hand in /etc/fail2ban/filter.d/, and PostgreSQL's log_line_prefix must include the client address (%h), otherwise the log carries no IP to ban. As with MySQL, this catches failed logins, not injection inside an authenticated session.
```ini
[postgresql-auth]
enabled = true
# custom filter, not shipped with Fail2Ban: create filter.d/postgresql-auth.conf first
filter = postgresql-auth
logpath = /var/log/postgresql.log
maxretry = 2
findtime = 3600
bantime = 3600
# "postgres" is not a service name in /etc/services, so give the port number
action = iptables[name=PostgreSQL, port=5432, protocol=tcp]
```
Fail2Ban monitors the PostgreSQL log for failed authentication. An IP address that reaches two failures (maxretry) within the one-hour findtime window is banned for 3600 seconds (bantime, one hour).
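Because the postgresql-auth filter does not exist until you write it, here is an added example of what that filter file could contain, together with a small Python matcher that checks its patterns the way fail2ban-regex would. Neither the filter text nor the matcher comes from Fail2Ban or from this article; the matcher is a simplification (timestamp stripped, <HOST> expanded, each failregex tried in turn), the log lines are constructed, and the filter assumes postgresql.conf sets log_line_prefix = '%m [%p] %h %u@%d ' so the client address follows the process id on every line.

```python
"""Custom Fail2Ban filter for PostgreSQL password failures, checked offline.

Added illustration, not part of Fail2Ban or this article. Fail2Ban ships no
PostgreSQL filter, so the jail above needs a filter file like FILTER_CONF
saved as /etc/fail2ban/filter.d/postgresql-auth.conf. The matcher below
imitates what fail2ban-regex does (strip the timestamp, expand <HOST>, try
each failregex) so the patterns can be tested without a running daemon. It
assumes postgresql.conf sets log_line_prefix = '%m [%p] %h %u@%d ' so that
the client address (%h) appears in every line; the log lines are constructed.
"""
import re
from configparser import ConfigParser

FILTER_CONF = r"""
[INCLUDES]
before = common.conf

[Definition]
# with log_line_prefix = '%m [%p] %h %u@%d ' the client address follows the pid
failregex = ^\s*\[\d+\] <HOST> \S+ FATAL:\s+password authentication failed for user "[^"]*"\s*$
            ^\s*\[\d+\] <HOST> \S+ FATAL:\s+no pg_hba\.conf entry for host "[^"]+"
ignoreregex =
"""

# Fail2Ban's expansion of the <HOST> tag (IPv4, IPv6 or hostname), simplified
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# PostgreSQL %m timestamp such as "2024-03-03 10:00:01.120 UTC "; Fail2Ban removes
# the timestamp before applying failregex, so the matcher does the same
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)? \S+ ")

def load_failregex(conf_text):
    """Parse the filter file and compile each failregex line with <HOST> expanded."""
    cp = ConfigParser(interpolation=None)   # Fail2Ban does its own %(...)s expansion
    cp.read_string(conf_text)
    lines = cp.get("Definition", "failregex").splitlines()
    return [re.compile(l.strip().replace("<HOST>", HOST_TAG)) for l in lines if l.strip()]

def match_line(regexes, line):
    """Return the client address a line would be charged to, or None if it is not a failure."""
    body = TIMESTAMP.sub("", line, count=1)
    for rx in regexes:
        m = rx.search(body)
        if m:
            return m.group("host")
    return None

# Constructed log lines: two password failures from one client, one pg_hba rejection,
# one successful connection and one failure over the Unix socket (%h is "[local]")
SAMPLE_LOG = [
    '2024-03-03 10:00:01.120 UTC [2214] 203.0.113.7 app@appdb FATAL:  password authentication failed for user "app"',
    '2024-03-03 10:00:05.332 UTC [2215] 203.0.113.7 app@appdb FATAL:  password authentication failed for user "app"',
    '2024-03-03 10:00:09.001 UTC [2216] 198.51.100.9 postgres@postgres FATAL:  no pg_hba.conf entry for host "198.51.100.9", user "postgres", database "postgres", no encryption',
    '2024-03-03 10:00:12.777 UTC [2217] 192.0.2.5 app@appdb LOG:  connection authorized: user=app database=appdb',
    '2024-03-03 10:00:15.000 UTC [2218] [local] app@appdb FATAL:  password authentication failed for user "app"',
]

def offending_hosts(lines, conf_text=FILTER_CONF):
    """Hosts the filter would report, one entry per matching line."""
    regexes = load_failregex(conf_text)
    return [h for h in (match_line(regexes, l) for l in lines) if h]

if __name__ == "__main__":
    print(offending_hosts(SAMPLE_LOG))
```

The socket-connection line is the edge case worth noticing: a failure whose %h field is "[local]" has no address to ban, so the pattern deliberately does not match it, and a real deployment should verify with fail2ban-regex /var/log/postgresql.log /etc/fail2ban/filter.d/postgresql-auth.conf that lines from remote clients are matched while local ones are not.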
5. Apache mod_security Configuration
This jail bans clients that repeatedly trigger ModSecurity rules, which is where XSS and SQL-injection signatures are actually detected. It uses the stock apache-modsecurity filter, which matches the "ModSecurity: Access denied" lines ModSecurity writes to the Apache error log.
```ini
[apache-modsecurity]
enabled = true
filter = apache-modsecurity
logpath = /var/log/httpd/error_log
maxretry = 3
findtime = 7200
bantime = 1800
action = iptables[name=Apache-ModSecurity, port=http, protocol=tcp]
```
Fail2Ban monitors the Apache error log for ModSecurity denials. An IP address that triggers three denials (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes). Only requests ModSecurity blocks are counted; a request the WAF lets through never reaches Fail2Ban.
6. Nginx Configuration
This jail protects HTTP Basic authentication on Nginx against password guessing. It uses the stock nginx-http-auth filter, which matches the "user ... password mismatch" and "user ... was not found" lines in the Nginx error log (not the access log).
```ini
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
findtime = 7200
bantime = 1800
action = iptables[name=Nginx, port=http, protocol=tcp]
```
Fail2Ban monitors the Nginx error log for authentication failures. An IP address that reaches three failures (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
7. SMTP Configuration
This jail protects SMTP AUTH against password guessing, the usual prelude to a mailbox being used to relay spam. It assumes Postfix and uses the stock postfix-sasl filter, which matches "SASL ... authentication failed" lines in /var/log/mail.log; Exim, Sendmail and Dovecot have their own stock filters (exim, sendmail-auth, dovecot).
```ini
[postfix-sasl]
enabled = true
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 2
findtime = 3600
bantime = 3600
# the plain iptables action takes one port; to cover submission (587) and smtps (465) too, use iptables-multiport with port=smtp,465,submission
action = iptables[name=SMTP, port=smtp, protocol=tcp]
```
Fail2Ban monitors the mail log for SASL authentication failures. An IP address that reaches two failures (maxretry) within the one-hour findtime window is banned for 3600 seconds (bantime, one hour).
8. Squid Configuration
This jail protects a Squid proxy against clients that are repeatedly denied, whether by failing proxy authentication or by hitting an ACL. It uses the stock squid filter, which matches TCP_DENIED entries in the access log.
```ini
[squid]
enabled = true
filter = squid
logpath = /var/log/squid/access.log
maxretry = 3
findtime = 7200
bantime = 1800
# Squid listens on 3128 by default; banning port http (80) would leave the proxy port open
action = iptables[name=Squid, port=3128, protocol=tcp]
```
Fail2Ban monitors the Squid access log for denied requests. An IP address that reaches three denials (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
9. OpenSSH Configuration
This jail also covers OpenSSH, using the stock sshd filter in its aggressive mode (Fail2Ban 0.10 or newer), which counts pre-authentication disconnects and protocol negotiation failures in addition to the plain "Failed password" lines that normal mode matches. Enable either this jail or the sshd jail from section 1, not both: they read the same log with the same filter.
```ini
[openssh]
enabled = true
filter = sshd[mode=aggressive]
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 600
action = iptables[name=OpenSSH, port=ssh, protocol=tcp]
```
Fail2Ban monitors the sshd log for authentication failures and pre-auth abuse. An IP address that reaches three matches (maxretry) within the five-minute findtime window is banned for 600 seconds (bantime, ten minutes).
10. Apache AuthLog Configuration
This jail watches Apache authentication failures in the error log with the stock apache-auth filter. It differs from the jail in section 2 only in its jail and iptables chain name, so keep one or the other enabled.
```ini
[apache-authlog]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
maxretry = 3
findtime = 7200
bantime = 1800
action = iptables[name=Apache-AuthLog, port=http, protocol=tcp]
```
Fail2Ban monitors the Apache error log for authentication failures. An IP address that reaches three failures (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
11. Nginx Authlog Configuration
This jail watches Nginx authentication failures with the stock nginx-http-auth filter, which reads the error log. It differs from the jail in section 6 only in its jail and iptables chain name, so keep one or the other enabled.
```ini
[nginx-authlog]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
findtime = 7200
bantime = 1800
action = iptables[name=Nginx-AuthLog, port=http, protocol=tcp]
```
Fail2Ban monitors the Nginx error log for authentication failures. An IP address that reaches three failures (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
12. SSH Deny Configuration
This jail denies SSH password guessers with an iptables rule, using the stock sshd filter. Apart from its jail and chain name it is the same watch as section 1, so keep only one of the SSH jails enabled.
```ini
[ssh-deny]
enabled = true
filter = sshd
logpath = /var/log/secure
maxretry = 3
findtime = 300
bantime = 600
action = iptables[name=SSH-Deny, port=ssh, protocol=tcp]
```
Fail2Ban monitors the SSH log for authentication failures. An IP address that reaches three failures (maxretry) within the five-minute findtime window is banned for 600 seconds (bantime, ten minutes).
13. HTTP Deny Configuration
This jail denies HTTP password guessers with an iptables rule, using the stock apache-auth filter on the Apache error log. It is the same watch as sections 2 and 10 under a different chain name, so keep only one of them enabled.
```ini
[http-deny]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
maxretry = 3
findtime = 7200
bantime = 1800
action = iptables[name=HTTP-Deny, port=http, protocol=tcp]
```
Fail2Ban monitors the HTTP error log for authentication failures. An IP address that reaches three failures (maxretry) within the two-hour findtime window is banned for 1800 seconds (bantime, 30 minutes).
These jails raise the bar against brute-force logins and, through ModSecurity, against clients that keep sending SQL-injection or XSS payloads, and a ban also throttles a simple single-source denial-of-service (DoS) attempt. Keep the mechanism's limits in mind: Fail2Ban acts only on what the monitored logs record, so it complements input validation and a WAF rather than replacing them, and it does little against an attack spread across many source addresses. By monitoring log files and banning offending IP addresses you cut off the bulk of automated unauthorized-access attempts and protect the data behind them.