Fail2ban

Fail2ban is a software application that monitors log files for failed login attempts and other malicious activity.
When it detects suspicious activity, it takes action by banning the IP address of the offender.
This prevents them from attempting further attacks on your server.

Iptables is a powerful firewall tool that allows you to control incoming and outgoing traffic to your server.
By using predefined IP lists in iptables, you can block traffic from known malicious IP addresses, or only allow your own IP blocks.

By combining fail2ban, OpenSSH, and iptables, you can create a layered approach to security that greatly reduces the risk of unauthorized access to the server.

  1. Fail2ban monitors your log files for suspicious activity, such as failed login attempts or repeated requests for non-existent pages. When it detects such activity, it automatically bans the IP address of the offender using iptables.
  2. OpenSSH is configured to use fail2ban as its authentication method. This means that any failed login attempts to your server will be monitored by fail2ban and banned automatically if necessary.
  3. Iptables is configured with predefined IP lists of known malicious IP addresses. Any traffic from these IP addresses will be automatically blocked by iptables before it even reaches your server.

By combining these three tools, you create a powerful security solution that greatly reduces the risk of unauthorized access to your server. Fail2ban and iptables work together to monitor and block suspicious activity, while OpenSSH provides a secure way to access your server remotely.

Overall, the combination of fail2ban, OpenSSH, and iptables with predefined IP lists is a highly effective way to increase the security of your server. By implementing these tools, you can greatly reduce the risk of unauthorized access and ensure that your server is well-protected against malicious activity.

Fail2ban Settings

Fail2ban config
Note: Tested on Oracle Linux

# /etc/fail2ban/jail.local
# Fail2ban monitors the SSH log in /var/log/secure for failed login attempts.
# If an IP address fails to log in maxretry times, it is banned for bantime (365 days here).
# ignoreip lists addresses that must never be banned, such as 127.0.0.1 (localhost).
# The backend is set to auto.
# Email notifications are disabled by setting action to %(action_)s (ban only, no mail).
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 365d
maxretry = 5
backend = auto
action = %(action_)s

# The [sshd] jail reads /var/log/secure and protects port 22; bantime and maxretry
# repeat the values set in [DEFAULT]. enabled = true is required, otherwise the jail does not run.
[sshd]
enabled = true
logpath = /var/log/secure
port = 22
bantime = 365d
maxretry = 5

# /etc/fail2ban/fail2ban.local
# Daemon settings (these belong to fail2ban.conf, not to the jails): log level 3 with
# logging to /var/log/fail2ban.log, the ban database in /var/lib/fail2ban/fail2ban.sqlite3,
# and database entries older than dbpurgeage (1 day) purged.
[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
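The detection the [sshd] jail above performs, simulated in Python as an added example (not fail2ban's own code): it scans constructed /var/log/secure lines using the maxretry and ignoreip values from the config plus fail2ban's default findtime of 10 minutes, and prints the iptables rule fail2ban's default iptables-multiport action inserts for each ban. The host name, the year and the sample log lines are assumptions made for the demo.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One of the patterns sshd writes to /var/log/secure on RHEL-family systems such as Oracle Linux.
# fail2ban's real sshd filter matches many more; this simplified one is enough for the demo.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def failed_logins(lines, year=2024):
    """Yield (timestamp, ip) for each failed-password line; syslog lines carry no year (assumed)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def would_ban(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1/8",)):
    """IPs that reach maxretry failures inside a sliding findtime-second window,
    skipping anything covered by ignoreip. Defaults mirror the jail config above."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent, banned = defaultdict(list), set()
    for ts, ip in sorted(failed_logins(lines)):
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never banned, however many failures
        # keep only failures still inside the window, then add this one
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned

def ban_rule(ip, jail="sshd"):
    """The iptables command fail2ban's default iptables-multiport action issues on ban."""
    return f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"

def secure_line(ts, ip, user="root"):
    """Build a constructed /var/log/secure line (host name and PID are made up)."""
    return f"{ts} host sshd[4242]: Failed password for {user} from {ip} port 51000 ssh2"

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = (
    [secure_line(f"Mar 10 12:0{i}:00", "203.0.113.5") for i in range(5)]            # 5 in 4 min: banned
    + [secure_line(f"Mar 10 12:{7 * i:02d}:00", "198.51.100.7") for i in range(5)]  # 7 min apart: never 5 in window
    + [secure_line(f"Mar 10 12:0{i}:30", "127.0.0.1", "admin") for i in range(5)]   # localhost: ignoreip
)

if __name__ == "__main__":
    for ip in sorted(would_ban(SAMPLE_LOG)):
        print(ban_rule(ip))
```

Raising findtime (e.g. to 3600) in would_ban also catches the slow 198.51.100.7 attempts, which is the knob to turn when a host sees low-and-slow password guessing.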