Activate Fail2Ban NOW!!!

While I was building the videos for a secure email server, I wound up in the log files trying to find out what mistake I made while setting up my Postfix software. While in the logs I saw a set of IP addresses that I knew weren't mine. They are from a variety of provinces in China. I'm not surprised, but because of hindsight I decided to push this page to an earlier stage in the lessons. Just assume your new server will be getting hacked at all times by the whole world. Fail2Ban will go a long way to protecting your server from many effective brute force attacks.

By default, only the SSHD jail is enabled under Filter Action Jails. You should go ahead and turn on the other Filter Action Jails that are appropriate for your particular set-up, but be advised: turn them on one at a time, and after each one click "Return to module index" and then "Restart Fail2Ban Server".

I give this advice because some of the Filter Action Jails don't come on without an error, and if you turn on a bunch at once, the error message won't help you know which one needs tweaking to turn on properly. Typically you only need to initiate a log to get a fussy jail to turn on. As of writing this, I have the following enabled:

  • sshd-ddos
  • apache-badbots
  • apache-fakegooglebot
  • apache-shellshock
  • php-url-fopen
  • webmin-auth
  • recidive
  • xinetd-fail
  • sshd

As I activate other correlated services, I will enable more of the long list of available Filter Action Jails.

If you run into trouble activating Filter Action Jails that you need, make sure you picked the matching entry in "Filter to search log for" from the drop-down while in Edit Jail mode. Also, if you get an error, look carefully at the error message when you "Restart Fail2Ban Server", because the cause is usually a log file you never activated. If it's complaining about a log file, go to System => System Logs, look for the one named in the error message, then click its link to edit it and turn it on. If the log file isn't there to turn on, you might not have the software installed that would write to that log.
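The log-file check described above can also be done before restarting Fail2Ban. The following is an added example, not part of the original page or of Fail2Ban itself: it reads a jail.local-style configuration and reports which enabled jails point at a log file that does not exist. The sample configuration is constructed, its log paths are assumed values, and entries that use Fail2Ban's `%(...)s` variables are skipped because this sketch does not resolve them.

```python
import configparser
import glob

# Constructed sample in jail.local format. Jail names are taken from the
# list above; the log paths are assumptions for illustration only.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
enabled = false

[sshd]
enabled = true
logpath = /var/log/auth.log

[apache-badbots]
enabled = true
logpath = /var/log/apache2/access.log
          /var/log/apache2/other_vhosts_access.log

[webmin-auth]
enabled = false
logpath = /var/log/auth.log
"""

def default_matcher(pattern):
    """Return the files matching one logpath entry (globs are allowed)."""
    return glob.glob(pattern)

def jails_missing_logs(config_text, matcher=default_matcher):
    """Map each enabled jail to the logpath entries that match no file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    problems = {}
    for jail in parser.sections():  # [DEFAULT] is not listed as a section
        if not parser.getboolean(jail, "enabled", fallback=False):
            continue
        # logpath may span several lines, one path or glob per line
        paths = parser.get(jail, "logpath", fallback="").split()
        # skip entries that rely on unresolved %(name)s variables
        missing = [p for p in paths if "%(" not in p and not matcher(p)]
        if missing:
            problems[jail] = missing
    return problems

if __name__ == "__main__":
    for jail, paths in jails_missing_logs(SAMPLE_JAIL_LOCAL).items():
        print(f"{jail}: no file matches {', '.join(paths)}")
```

A jail that shows up here is the one to fix under System => System Logs before turning it on.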

(added on 9/14/2017)

I found this pretty cool how-to that automates the permanent banning of repeat offenders. Its instructions are command line, however you can use techniques in my videos to do it mostly by point and click.
