Using Fail2ban to Prevent Brute Force Attacks

May 12, 2023

Fail2ban is a tool designed to prevent brute-force attacks by monitoring log files and blocking IP addresses when malicious behavior is detected. Here are the basic usage instructions for Fail2ban:

  1. Install Fail2ban:

    For Debian/Ubuntu systems, use the following commands to install:

    sudo apt-get update  
    sudo apt-get install fail2ban  
    

    For CentOS/RHEL systems, use the following commands to install:

    sudo yum install epel-release  
    sudo yum install fail2ban  
    
  2. Configure Fail2ban:

The configuration files for Fail2ban are located in the /etc/fail2ban/ directory. First, copy the default configuration file jail.conf to create a new file named jail.local:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the newly created jail.local file using a text editor:

    sudo nano /etc/fail2ban/jail.local

In the file, you can configure the following settings as needed:

  • ignoreip: Set the IP addresses (or CIDR ranges) that Fail2ban will never ban, such as your own management addresses.
  • bantime: Set the ban duration (in seconds), default is 600 seconds (10 minutes).
  • findtime: Set the time window (in seconds) within which failures are counted toward maxretry, default is 600 seconds (10 minutes).
  • maxretry: Set the maximum number of allowed failures; exceeding this number will trigger a ban, default is 5 times.

You can also configure individual settings for different services (such as SSH, Apache, Nginx, etc.). In the respective service section, set enabled to true, and adjust other parameters as needed.
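
How findtime, maxretry, bantime and ignoreip interact, shown as a simplified Python model replayed over constructed log lines. This is an added example, not Fail2ban's own code and not part of the original post; the log format, the constants and the names `simulate` and `is_ignored` are assumptions, and the model bans once an address reaches maxretry failures inside findtime.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed values standing in for the jail.local settings described above.
IGNOREIP = ["127.0.0.1/8", "192.0.2.10"]
FINDTIME, MAXRETRY, BANTIME = 600, 5, 600  # seconds, failures, seconds

# Assumed, simplified log format: "<ISO time> sshd[pid]: Failed password ... from <ip> port <n>"
FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample log lines (documentation addresses), sorted by timestamp.
def _line(clock, ip):
    return f"2023-05-12T{clock} sshd[1001]: Failed password for root from {ip} port 50022 ssh2"
SAMPLE_LOG = sorted(
    [_line(t, "203.0.113.7") for t in ("10:00:00", "10:00:30", "10:01:00", "10:01:30", "10:02:00")]
    + [_line(t, "198.51.100.23") for t in ("10:00:00", "10:03:00", "10:06:00", "10:09:00", "10:12:00")]
    + [_line(f"10:00:0{s}", "192.0.2.10") for s in range(1, 7)]
)

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls inside any ignoreip entry (single address or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: (ban_start, ban_end)} after replaying the log lines in order."""
    failures = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or is_ignored(m.group(2)):
            continue
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in bans and when < bans[ip][1]:
            continue  # address is already banned at this point
        window = failures[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:  # assumption: ban on reaching maxretry
            bans[ip] = (when, when + timedelta(seconds=bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip} banned {start} -> {end}")
```

With the defaults only 203.0.113.7 is banned: the five failures from 198.51.100.23 span 12 minutes, longer than findtime, and 192.0.2.10 is listed in ignoreip.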

  3. Start and Enable Fail2ban:

    For Debian/Ubuntu systems, use the following commands to start and enable Fail2ban:

    sudo systemctl start fail2ban  
    sudo systemctl enable fail2ban  
    

    For CentOS/RHEL systems, use the following commands to start and enable Fail2ban:

    sudo systemctl start fail2ban  
    sudo systemctl enable fail2ban  
    
  4. View and Manage Fail2ban:

Use the following command to check the status of Fail2ban:

    sudo fail2ban-client status

To view the status of a specific service (such as SSH), use the following command:

    sudo fail2ban-client status sshd

To unban a specific IP address, use the following command:

    sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

These are the basic usage instructions for Fail2ban. You can further configure and optimize the settings of Fail2ban according to your actual needs.

痴者工良
