Introduction to Fail2Ban and UFW

Fail2Ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server. When an attack is detected, based on defined parameters, Fail2Ban adds a new rule to the firewall (iptables), blocking the IP address of the attacker either for a set amount of time or permanently. Fail2Ban will also alert you by email that an attack is occurring. Fail2Ban is primarily focused on SSH attacks, but it can also be configured to work with any other system service that writes log files and can be subject to compromise. Together with UFW (Uncomplicated Firewall) it is a strong extra layer of protection. But before we install Fail2Ban and UFW, we need to ensure that our server is up to date.
apt-get update && apt-get upgrade
Now we can install Fail2Ban and UFW using the following command.
apt-get install fail2ban ufw
Before we enable UFW we want to see if it’s active and what ports are open.
It will probably tell you that it is inactive for now. When UFW is active, you get a list of the current rules that looks similar to the one below.
[email protected]:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Let this be a warning if we access our server over SSH: UFW only accepts connections on port 22, so if we previously changed the port in the sshd configuration file, we must re-activate port 22 to avoid being locked out of the server.
and change
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 1057
My SSH sessions were running on port 1057 and I had commented out port 22.
Now I have enabled it again, and SSH is listening on both ports. Better to be safe here, so that we can access our server and don’t get locked out. Don’t forget to restart the service.
service sshd restart
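The lock-out risk described above can be checked before UFW is enabled. The script below is an added example, not part of the original article: it compares the Port lines of an sshd configuration file with the allow rules in saved ufw status output and prints every SSH port the firewall would block. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find sshd ports that an
# active UFW rule set would block, before enabling the firewall.

# Ports from uncommented "Port N" lines; sshd defaults to 22 when none is set.
sshd_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }' "$1" | sort -un
}

# TCP ports with an inbound ALLOW or LIMIT rule in saved `ufw status` output.
# Port ranges and application-profile names are not resolved (skipped).
ufw_allowed_ports() {
    awk '/ALLOW|LIMIT/ && !/ OUT / && $1 !~ /\/udp$/ {
             sub(/\/tcp$/, "", $1); if ($1 ~ /^[0-9]+$/) print $1 }' "$1" | sort -un
}

# Print each sshd port UFW would block; prints nothing if UFW is inactive.
blocked_ssh_ports() {
    grep -q '^Status: active' "$2" || return 0
    allowed=" $(ufw_allowed_ports "$2" | tr '\n' ' ')"
    for p in $(sshd_ports "$1"); do
        case "$allowed" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Constructed sample input mirroring the article: sshd on 22 and 1057, UFW allowing 22.
tmp=$(mktemp -d)
printf '%s\n' '# What ports, IPs and protocols we listen for' \
    'Port 22' 'Port 1057' > "$tmp/sshd_config"
printf '%s\n' 'Status: active' '' 'To      Action  From' '--      ------  ----' \
    '22      ALLOW   Anywhere' '22 (v6) ALLOW   Anywhere (v6)' > "$tmp/ufw_status"

for port in $(blocked_ssh_ports "$tmp/sshd_config" "$tmp/ufw_status"); do
    echo "WARNING: sshd listens on $port but UFW has no allow rule for it"
done
```

On a real server, pass /etc/ssh/sshd_config and a file written with ufw status > file instead of the sample files.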
If we look at the UFW status we can see that only port 22 is allowed; this means that all other ports are blocked. Don’t worry if your site goes down now, or your FTP has stopped