Fail2ban Tutorial | How to Secure Your Server

Captions
"With great power comes great responsibility." Well, that's a line from my favorite comic book series, and I'm sure a lot of you out there know exactly which comic book I'm referring to. But in terms of Linode, it gives you the power to spin up your very own cloud resources which are publicly available, which is awesome, but you've got to be responsible, and that means that your Linodes need to be secure. Fail2ban is one way that you can add additional security to your Linode, so let's go ahead and take a look at Fail2ban and how that can benefit our server.

So you might be wondering: what is Fail2ban, why do I want it on my Linode, what is the benefit of having this installed? For example, let's say on your Linode you are running some kind of web server, maybe nginx, Apache or something like that. What Fail2ban will do is watch your logs for authentication failures for any of the services that you are having Fail2ban protect, and then it will create a firewall rule to block an IP address that meets the criteria. So for example, maybe you are allowing seven authentication failures. If somebody tries to log in more than seven times, they fail the password more than seven times, Fail2ban is actually going to create a firewall rule to block that IP address, and you can configure it, as we'll see later, to release that block after some time, which can prevent maybe a user in your organization from being permanently locked out; maybe after some time that will reset. It's able to protect multiple services, so maybe you have more than one service running on your Linode that is able to accept connections from the public internet. If that's the case, then you can actually configure Fail2ban to watch all of the services on your Linode that are remotely accessible, so you can get similar protection on those as well. And best yet, it's completely customizable. There are actually multiple different configurations available by default that you could take advantage of right away, and if none of the defaults match what you are trying to accomplish, then you can simply create your own.

So with that out of the way, let's go ahead and get it set up. Now the first thing that we need to do is install the fail2ban package, and to do that we need to update our package repository index to make sure that everything is synchronized. The apt commands are specific to Debian and Ubuntu, so if you are using a different distribution then go ahead and check out the documentation, because there are variations of these commands. But first I will run apt update, and then next apt install fail2ban, Enter, then Enter again to accept the defaults, and now we have the fail2ban package installed on our Linode instance and we can go ahead and start configuring it.

The next thing we want to do is check out the configuration directory for Fail2ban. The configuration is in a very specific place, /etc/fail2ban, so I'm just going to change into that directory, and as you can see we have quite a few files here. I'm not going to go over each of these. Now the first file is going to be this one right here, fail2ban.conf, the Fail2ban config file; that's the main config file. So I'll just copy fail2ban.conf to fail2ban.local, just like that, and then we can edit the copy and put our changes here. The way this works is, if Fail2ban sees this fail2ban.local file in the configuration directory, it will not overwrite it. If the fail2ban.conf file does get overwritten, it's no big deal, because you have all of your changes in this file right here, and that's the preferred approach. So if you do want to change the log file or the log level, for example, then you can go ahead and do it in this copy of the original file.

Now similar to that, we have this jail config file right here, which is actually arguably the most important of all of the files, because that's where the majority of your configuration and changes will be placed. And just like the fail2ban config file, the jail config file will also potentially be overwritten if the fail2ban package is updated, but just like the fail2ban config file, we can make a copy of the jail config file to jail.local, just like that, and we can actually work off of the copy instead of the original, and again all of the changes that we make to this file right here will be respected and applied.

We'll scroll down a bit, and what we are looking for is this ignoreip option right here. I'm going to delete the symbol in front, the hash symbol, uncomment that, and then what you can do is add the IP address right here that you are coming in from when you access your Linode. You can go to a site like whatismyipaddress.com or a similar site to get your public IP; you can go ahead and put that in right here. So for example that might look something like this, or whatever your IP happens to be. Now right here we have the bantime option, and it's probably obvious, but basically what that means is, if an IP address does get banned, how long is it banned for? It defaults to 10 minutes; you could be more aggressive or more lenient, it's up to you. And also we have the findtime right here, which also defaults to 10 minutes, and what that means is that we have to have a certain number of failures within that time. So if you set this to one minute, for example, then you have to have a certain number of failures in one minute to trigger Fail2ban. It's defaulting to five; we actually see that right here, that's how many failures are allowed before a host gets banned, so in this case it's five. So what we can see is that if five failures happen within 10 minutes, then that IP address is going to get banned. So if you set this, for example, to 10, then you have to have 10 failures in 10 minutes, or you can set this to 60 minutes, for an hour, which means you have to have five failures within an hour. It's completely up to you, but anyway, you want to go ahead and take some time to think of these options and decide how lenient you actually want to be when it comes to failures.

Now if we scroll down a bit more here, we actually have some options for email, and this is optional. Now earlier I installed sendmail, and that's required if you want to go ahead and get email alerts. You can also use other mail transfer agents; I'm not going to get into other ones here, or mail server configuration, but what we could do here is actually set the email addresses where reports are going to be sent if someone does get banned. It's going to default to root@localhost, which means essentially nobody will see it unless they're logged into the system and they actually inspect the mail files. But what we could do here is we can actually type in an email address, just like that. It's also a good idea to set the sender, so we could do something like fail2ban@ whatever our domain happens to be. So nothing too surprising there; just keep that in mind if email alerts are something that interests you. You probably do want to take advantage of that if you can.

At this point what I'm going to do is scroll down. There's a very important section that you want to pay special attention to, and that's the jail section, which is where I am right now. Now right here we have the SSH daemon, which is a very, very, very important thing to protect, so you're going to want to use Fail2ban on SSH if you can. Now what I'm going to do is basically send this editor to the background with Ctrl-Z, and there's a special command that we can use to see which jails are actually active, and that's fail2ban-client, just like that, then we could do status. What we can see here is that in the jail list we have sshd, and what that means is that that particular jail is already enabled; there's nothing that we have to do. So if I foreground the editor here, we can see that we are in the sshd section. Normally what we can do is enabled and then equals true, just like that, to enable a jail, and if I save the file and restart Fail2ban, then that will go ahead and activate the jail.

Now you want to be careful. You don't want to enable everything. You might be tempted to think that you want every protection that Fail2ban will offer; you don't want to do that. You only want to enable the things that actually apply to your Linode, the things that are installed. So for example, if your Linode is using nginx and not Apache, then you definitely do not want to enable Apache jails, because that can actually make Fail2ban itself fail, in which case it's not going to give you any benefit, because if it tries to run a jail for which there is no underlying daemon, then again it's going to fail, and that's no good for anyone.

So I guess you're probably wondering what a jail even is in the first place. We could see again that we have multiple jails, but what are they? What a jail is is a combination of a filter and some form of action; it's like cause and effect. Earlier you saw some configurations such as the bantime, that determines how long that individual is being banned, and they basically have their IP put in the firewall as being blocked, and then after a while, depending on your settings, they will be unbanned. That will significantly discourage somebody from the outside that's trying to get into your server, because if they're only able to try to break into your server five times every 10 minutes, then a brute force is really not very realistic; in fact, it's just not worth their time to try to get into your server. So the general process is: you take a look through the jails that are already here, and if the jail that you want to enable, or the thing that you want to protect, is here, you can just simply type enabled and then equals true, just like that, to turn that on. Again, you only want to do that for things that are actually running on your server, and that will make sure that you are taking advantage of all of the protections that are available to you.

Fail2ban is awesome. As you just saw, it's very easy to implement, and even though it's not going to protect your server from every possible security threat or vulnerability that might come your way, it does represent an additional layer of security, and that's what it's all about. Having a really good security regimen on your servers all comes down to how many layers of security and how many tweaks, optimizations and protections you've implemented, and this is just one of those; this is just the beginning. So in this video we were able to install Fail2ban, we were able to configure it, and now it should be protecting your server. From here you can check out other videos and articles on this site that can allow you to basically take your security even further. Thanks for watching.
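The setup the video walks through, captured as a script. This is an added example, not Linode's or the Fail2ban project's code: it writes a jail.local with the options discussed (ignoreip, bantime, findtime, maxretry, destemail, sender, and an enabled sshd jail) into a scratch directory by default, then checks the file before you restart the service. The address 203.0.113.10, the example.com addresses, and the variables CONF_DIR, ADMIN_IP, DESTEMAIL and SENDER, as well as the function names, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the video or the Fail2ban project): generate a jail.local
# with the settings the tutorial walks through, then sanity-check it before the
# service is restarted. CONF_DIR defaults to a scratch directory so this runs
# offline; set CONF_DIR=/etc/fail2ban on a real Debian/Ubuntu host.
set -eu

# write_jail_local DIR ADMIN_IP BANTIME FINDTIME MAXRETRY DESTEMAIL SENDER
# Writes DIR/jail.local; jail.conf itself stays untouched, as in the tutorial.
write_jail_local() {
    dir="$1" ignoreip="$2" bantime="$3" findtime="$4"
    maxretry="$5" destemail="$6" sender="$7"
    mkdir -p "$dir"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# Never ban loopback or the address you administer from.
ignoreip = 127.0.0.1/8 ::1 $ignoreip
# How long a banned IP stays blocked.
bantime = $bantime
# Window in which maxretry failures must occur to trigger a ban.
findtime = $findtime
maxretry = $maxretry
# Alerts need a working MTA (the tutorial installs sendmail).
destemail = $destemail
sender = $sender

# Enable only jails for services actually running on this host.
[sshd]
enabled = true
EOF
}

# get_option FILE NAME: prints the value of the first "NAME = value" line.
get_option() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# is_duration VALUE: 0 if VALUE is digits with an optional single s/m/h/d/w suffix.
is_duration() {
    case "$1" in
        ''|[!0-9]*|*[!0-9smhdw]*|*[smhdw][0-9smhdw]*) return 1 ;;
    esac
    return 0
}

# check_jail_local FILE: 0 if the file is sane enough to restart fail2ban with.
check_jail_local() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    # An empty ignoreip is how you lock yourself out of your own server.
    [ -n "$(get_option "$f" ignoreip)" ] || { echo "ignoreip is empty" >&2; return 1; }
    for opt in bantime findtime; do
        is_duration "$(get_option "$f" "$opt")" || { echo "bad $opt" >&2; return 1; }
    done
    case "$(get_option "$f" maxretry)" in
        ''|*[!0-9]*) echo "bad maxretry" >&2; return 1 ;;
    esac
    # The sshd jail must be enabled inside its own [sshd] section.
    awk '/^\[/ { sect = $0 }
         sect == "[sshd]" && /^enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$f" \
        || { echo "sshd jail not enabled" >&2; return 1; }
}

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
# 203.0.113.10 is a documentation-range placeholder; use your own public IP.
write_jail_local "$CONF_DIR" "${ADMIN_IP:-203.0.113.10}" 10m 10m 5 \
    "${DESTEMAIL:-admin@example.com}" "${SENDER:-fail2ban@example.com}"
check_jail_local "$CONF_DIR/jail.local"
echo "wrote $CONF_DIR/jail.local"
# On the real host, apply and verify the jail list as the video does:
#   systemctl restart fail2ban
#   fail2ban-client status
#   fail2ban-client status sshd
```

Run it as `CONF_DIR=/etc/fail2ban ADMIN_IP=<your public IP> sh setup-jail.sh` once you are happy with the values; the check refuses to pass when ignoreip is empty, when bantime or findtime is not a duration, or when the sshd jail is not enabled, which are the three mistakes most likely to leave you either locked out or unprotected.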
Info
Channel: Linode
Views: 17,655
Keywords: linux web server, fail2ban tutorial, fail2ban linux, learn linux, linux server, open source, learn linux command line, fail2ban ssh mode, fail2ban ssh tutorial, secure apache web server, secure home web server, linux server setup tutorial, fail2ban ssh ubuntu 20.04, fail2ban tutorial ubuntu, fail2ban ssh debian, fail2ban ssh ubuntu 20, fail2ban ssh, linux, ubuntu, debian, vps, server, cloud, devops, server build, server config, linux vps, fail2ban apache, linux server security
Id: kgdoVeyoO2E
Length: 11min 51sec (711 seconds)
Published: Wed Oct 07 2020