January 10, 2017

Using Fail2Ban and UFW to secure NGINX and WordPress and other system services

Introduction to Fail2Ban and UFW

Fail2Ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server. When an attack is detected, based on defined parameters, Fail2Ban adds a new rule to the firewall (iptables), blocking the attacker's IP address either for a set amount of time or permanently. Fail2Ban can also alert you by email that an attack is occurring. Fail2Ban is primarily focused on SSH attacks, but it can also be configured to work with any other system service that writes log files and can be subject to compromise. Together with UFW (Uncomplicated Firewall) it is a strong extra layer of protection. But before we install Fail2Ban and UFW, we need to ensure that our server is up to date.

apt-get update && apt-get upgrade

Now we can install Fail2Ban and UFW using the following command.

apt-get install fail2ban ufw

Before we enable UFW we want to see if it’s active and what ports are open.

ufw status

It will probably report that it is inactive for now. Whenever UFW is active, you get a list of the current rules that looks similar to the one below.

[email protected]:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

Take this as a warning if we access our server over SSH. UFW only accepts connections on port 22, so if we changed that port in the sshd configuration file earlier, we need to re-activate port 22 to avoid being locked out of the server.

nano /etc/ssh/sshd_config

and change

# Package generated configuration file 
# See the sshd_config(5) manpage for details 
# What ports, IPs and protocols we listen for 
Port 22 
Port 1057

My SSH sessions were running on port 1057 and I had commented out port 22.

Now I have enabled it again and SSH is listening on both ports. Better to be safe here, so that we can access our server and don’t get locked out. Don’t forget to restart the service.

service sshd restart
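
The lockout risk described above can be checked mechanically. The script below is an added example, not part of the original post: it compares the Port lines of an sshd_config with the ports `ufw status` reports as allowed on an active firewall, using the two excerpts shown in this post as sample input. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): list the ports sshd listens on
# that the active UFW rule set does not allow, i.e. the ones that lock us out.

# stdin: sshd_config text. Prints each configured Port; sshd defaults to 22 if none is set.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }'
}

# stdin: `ufw status` output. Prints ports allowed from Anywhere ("22" or "22/tcp").
# Application profiles such as "OpenSSH" and port ranges are not resolved here.
ufw_allowed_ports() {
    awk '/ALLOW/ && /Anywhere/ && $1 ~ /^[0-9]+(\/tcp)?$/ {
             split($1, p, "/"); print p[1] }' | sort -u
}

# $1: sshd_config text, $2: `ufw status` text. Prints sshd ports UFW would block.
blocked_ssh_ports() {
    allowed=$(printf '%s\n' "$2" | ufw_allowed_ports)
    printf '%s\n' "$1" | sshd_ports | while read -r port; do
        printf '%s\n' "$allowed" | grep -qx "$port" || echo "$port"
    done
}

# Sample input: the sshd_config excerpt and the `ufw status` output shown in this post.
SAMPLE_SSHD_CONFIG='# What ports, IPs and protocols we listen for
Port 22
Port 1057'
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)'

blocked=$(blocked_ssh_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_UFW_STATUS")
if [ -n "$blocked" ]; then
    echo "sshd ports not allowed by UFW:" $blocked
else
    echo "every sshd port is allowed by UFW"
fi
```

On a live server, pass "$(cat /etc/ssh/sshd_config)" and "$(ufw status)" as the two arguments instead of the samples.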

If we look at the UFW status, we can see that only port 22 is active; this means that all other ports are blocked. Don’t worry if your site goes down now, or your FTP has stopped
