How to Install and Configure Fail2ban on Ubuntu Server 16.04

Have you ever logged into your server and seen a message such as this?

Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
There were 942 failed login attempts since the last successful login.
Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101

What happened here? This message is informing me that while I was logged out, there were 942 failed attempts to access my server via SSH! This type of message is a strong indicator that my server was probably under a “brute force” attack. In this type of scenario, an attacker will attempt to randomly guess passwords repeatedly until they get lucky with the correct password. This is one reason why using a secure password is so important! Fear not, Fail2ban can be a fantastic tool for dynamically thwarting these types of brute force attacks. This tutorial will walk you through installing and configuring Fail2ban to help protect sshd from brute force attacks. Let’s dig in!

Note:
The remainder of this tutorial requires you to have root privileges. Start by either logging in as root or prefix these commands with sudo.


Installing Fail2ban on Ubuntu Server 16.04 is simple. Run the following two commands to install the program:

apt-get update

apt-get install fail2ban -y

Next, restart the service so that it is running:

service fail2ban restart

Finally, we check to make sure Fail2ban is running after the restart:

service fail2ban status

The output should include active (running), which indicates the service is up and we’re ready to proceed to configuration.


Now that Fail2ban is installed and running, we can define custom rules for what services it protects, and how to handle violations.

First, create a configuration file for Fail2ban. This file doesn’t exist by default, but Fail2ban will look for this file and read the contents if it exists:

touch /etc/fail2ban/jail.local

Now we’ll open the configuration file for editing. We’re using vi as our text editor in this example, but feel free to use nano or whatever text editor you are most comfortable with. (Related: check out our helpful tutorial if you need to brush up on how to use vi.) Run the following command to open the file for editing:

vi /etc/fail2ban/jail.local

Paste in the following contents, and save the file:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Let’s review the options we just set. First, we are telling Fail2ban to ignore the 127.0.0.1/8 range and ::1. These are the IPv4 loopback range and the IPv6 loopback address, respectively, so failed logins originating from the server itself never trigger a ban. For the remaining lines, it is important to understand that Fail2ban reads the time values in the configuration file as seconds. These rules will ban an IP address for one hour (bantime = 3600) if it makes 5 failed attempts (maxretry = 5) within 10 minutes (findtime = 600). Finally, we enabled the jail for sshd. Feel free to adjust these numbers to your liking, but please consider the following:

Note:
Setting a ban time of -1 will result in a permanent ban on that IP address. You may need to contact Liquid Web support if you accidentally block yourself from your own server. Consider these options carefully!
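To make the interaction between ignoreip, findtime, maxretry and bantime concrete, here is an added Python example. It is not part of the original tutorial and not Fail2ban's own code; it is a small model of the sshd jail run over a constructed auth.log excerpt. The host name, PIDs, ports and log lines are invented, and the year is assumed to be 2018 because syslog timestamps carry no year. The jail settings are the ones from jail.local above. The model goes slightly beyond the text in also covering the permanent ban (bantime = -1) from the note and the unbanip command shown later in the tutorial, so you can see why 5 failures spread over more than 10 minutes never earn a ban, why loopback is never banned, and what happens once a ban expires.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not from a real server): host, PIDs and ports
# are invented, and the year is assumed to be 2018 since syslog lines have none.
SAMPLE_AUTH_LOG = """\
Dec 28 11:30:01 web1 sshd[2311]: Failed password for root from 192.168.0.102 port 50122 ssh2
Dec 28 11:30:05 web1 sshd[2313]: Failed password for invalid user admin from 192.168.0.102 port 50124 ssh2
Dec 28 11:30:09 web1 sshd[2315]: Failed password for root from 192.168.0.102 port 50126 ssh2
Dec 28 11:30:14 web1 sshd[2317]: Failed password for root from 192.168.0.102 port 50128 ssh2
Dec 28 11:30:20 web1 sshd[2319]: Failed password for root from 192.168.0.102 port 50130 ssh2
Dec 28 11:30:21 web1 sshd[2321]: Failed password for root from 192.168.0.102 port 50132 ssh2
Dec 28 11:31:00 web1 sshd[2323]: Failed password for root from 127.0.0.1 port 40000 ssh2
Dec 28 11:31:01 web1 sshd[2324]: Failed password for root from 127.0.0.1 port 40001 ssh2
Dec 28 11:31:02 web1 sshd[2325]: Failed password for root from 127.0.0.1 port 40002 ssh2
Dec 28 11:31:03 web1 sshd[2326]: Failed password for root from 127.0.0.1 port 40003 ssh2
Dec 28 11:31:04 web1 sshd[2327]: Failed password for root from 127.0.0.1 port 40004 ssh2
Dec 28 11:45:00 web1 sshd[2330]: Failed password for root from 192.168.0.103 port 51000 ssh2
Dec 28 11:47:00 web1 sshd[2332]: Failed password for root from 192.168.0.103 port 51002 ssh2
Dec 28 11:49:00 web1 sshd[2334]: Failed password for root from 192.168.0.103 port 51004 ssh2
Dec 28 11:51:00 web1 sshd[2336]: Failed password for root from 192.168.0.103 port 51006 ssh2
Dec 28 11:56:00 web1 sshd[2338]: Failed password for root from 192.168.0.103 port 51008 ssh2
Dec 28 12:31:00 web1 sshd[2340]: Failed password for root from 192.168.0.102 port 52000 ssh2
"""
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)
def at(stamp, year=2018):  # parses "Dec 28 11:30:01"; the year is an assumption
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_failure(line):  # (timestamp, source ip) for a failed login, else None
    m = LOG_RE.match(line)
    return (at(m["ts"]), m["ip"]) if m else None

class SshdJail:
    def __init__(self, ignoreip=("127.0.0.1/8", "::1"), bantime=3600, findtime=600, maxretry=5):
        self.ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.bantime, self.findtime, self.maxretry = bantime, findtime, maxretry
        self.failures = defaultdict(deque)  # ip -> failure times still inside findtime
        self.banned_until = {}              # ip -> expiry time, None = permanent ban
        self.events = []                    # (time, "ban" | "unban", ip)
        self.total_failed = self.total_banned = 0

    def is_ignored(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.ignore_nets)

    def is_banned(self, ip, now):
        if ip not in self.banned_until:
            return False
        until = self.banned_until[ip]
        if until is None or now < until:
            return True
        self.unbanip(ip, now)  # bantime has elapsed, so the ban is lifted
        return False

    def unbanip(self, ip, now):  # same effect as "fail2ban-client set sshd unbanip <ip>"
        if ip not in self.banned_until:
            return False
        del self.banned_until[ip]
        self.events.append((now, "unban", ip))
        return True

    def _recent(self, ip, now):  # drop failures older than findtime
        q = self.failures[ip]
        while q and (now - q[0]).total_seconds() > self.findtime:
            q.popleft()
        return q

    def process_line(self, line):
        if not (parsed := parse_failure(line)):
            return
        ts, ip = parsed
        if self.is_ignored(ip) or self.is_banned(ip, ts):
            return  # whitelisted, or the firewall would have refused the connection
        self.total_failed += 1
        q = self._recent(ip, ts)
        q.append(ts)
        if len(q) >= self.maxretry:
            self.banned_until[ip] = None if self.bantime < 0 else ts + timedelta(seconds=self.bantime)
            self.total_banned += 1
            self.events.append((ts, "ban", ip))
            q.clear()

    def status(self, now):  # rough equivalent of "fail2ban-client status sshd"
        return {
            "currently_failed": sum(len(self._recent(ip, now)) for ip in list(self.failures)),
            "total_failed": self.total_failed,
            "currently_banned": [ip for ip in list(self.banned_until) if self.is_banned(ip, now)],
            "total_banned": self.total_banned,
        }

def run_jail(log_text=SAMPLE_AUTH_LOG, **settings):
    jail = SshdJail(**settings)
    for line in log_text.splitlines():
        jail.process_line(line)
    return jail
```

With the tutorial's settings, run_jail() bans 192.168.0.102 at its fifth failure (11:30:20), silently drops the sixth line because the firewall would have refused that connection, never touches the loopback failures, and never bans 192.168.0.103 because its five failures span more than findtime. Once the hour is up, the next failure from 192.168.0.102 at 12:31:00 lifts the ban and starts a fresh count, which is exactly the "Currently failed: 1, Total banned: 1" picture the status output shows later in the tutorial. Calling run_jail(bantime=-1) instead leaves the address banned until you call unbanip on it, which is the lockout the note warns about.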

Now that we have created a configuration to use, restart Fail2ban so that our new rules are read and utilized:

service fail2ban restart

We will also double check to make sure Fail2ban is running after the restart:

service fail2ban status

Note:
If Fail2ban does not start successfully after creating your configuration file, it is possible you have a typo in the configuration file /etc/fail2ban/jail.local. Check the file contents and try again!


At this point, you have successfully installed and configured Fail2ban, congratulations! For the remainder of this tutorial, we will show you how to use the program and how to manage IP blocks.

Run the following command to check the status of Fail2ban:

fail2ban-client status

Example output shows you the number of currently configured jails. Right now we have only created a jail for sshd:

Status
|- Number of jail:    1
`- Jail list:    sshd

You can also poll the detailed status of individual jails. This command will check the status of the sshd jail we just configured:

fail2ban-client status sshd

The example output shows no IPs blocked; looks good!

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:                 /var/log/auth.log
`- Actions
|- Currently banned:    0
|- Total banned:    0
`- Banned IP list:

Now, for example, I’m going to fail five attempts to SSH to my server. After the fifth failed attempt, my IP should be automatically blocked! The following shows the output from my workstation when I try to SSH to the server after the fifth failed attempt:

ssh root@192.168.0.101
ssh: connect to host 192.168.0.101 port 22: Connection refused

The “connection refused” message indicates that the server’s firewall is now blocking us.

Back on the server, let’s again check the status of the SSH jail by running:

fail2ban-client status sshd

The output shows that my IP has indeed been blocked! Looking at the status, we can see my workstation’s IP address has been added to the “Banned IP list”.

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    1
|  `- File list:                 /var/log/auth.log
`- Actions
|- Currently banned:    1
|- Total banned:    1
`- Banned IP list:    192.168.0.102

Finally, we will demonstrate how to remove a banned IP. This is helpful if you have clients that accidentally block themselves from incorrect password attempts. The syntax for this command is as follows:

fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS>

For example, this command will delist 192.168.0.102 from the sshd jail.

fail2ban-client set sshd unbanip 192.168.0.102

Let’s double check our work and make sure my IP address has been successfully unblocked:

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    6
|  `- File list:                 /var/log/auth.log
`- Actions
|- Currently banned:    0
|- Total banned:    1
`- Banned IP list:
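Reading that output by eye is fine at the keyboard, but if you want to feed jail status into monitoring (for example, to alert when your own workstation's address turns up in the ban list, the lockout the earlier note warns about), you need to parse it. The following is an added Python example, not Fail2ban's own code and not part of the original tutorial. It uses the three fail2ban-client outputs shown above as its input and assumes only that fail2ban-client keeps this tree layout; the leading tree characters and indentation carry no data and are stripped, so it works whether the Actions rows are indented as fail2ban-client prints them or flattened as they appear above.

```python
import re

# The three fail2ban-client outputs shown in this tutorial, used here as input.
JAIL_LIST = """\
Status
|- Number of jail:    1
`- Jail list:    sshd
"""

STATUS_CLEAN = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:                 /var/log/auth.log
`- Actions
|- Currently banned:    0
|- Total banned:    0
`- Banned IP list:
"""

STATUS_BANNED = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    1
|  `- File list:                 /var/log/auth.log
`- Actions
|- Currently banned:    1
|- Total banned:    1
`- Banned IP list:    192.168.0.102
"""

# Leading tree art ("|  |- ", "`- ", indentation) carries no data, so strip it.
TREE_ART = re.compile(r"^[\s|`-]+")
INT_FIELDS = {"number_of_jail", "currently_failed", "total_failed",
              "currently_banned", "total_banned"}
LIST_FIELDS = {"jail_list", "file_list", "banned_ip_list"}


def parse_status(text):
    """Turn fail2ban-client status output into a dict with snake_case keys."""
    result = {}
    for raw in text.splitlines():
        line = TREE_ART.sub("", raw).strip()
        if ":" not in line:
            continue  # "Status", "Filter" and "Actions" are headings without values
        key, _, value = line.partition(":")
        key, value = key.strip().lower().replace(" ", "_"), value.strip()
        if key == "status_for_the_jail":
            result["jail"] = value
        elif key in INT_FIELDS:
            result[key] = int(value)
        elif key in LIST_FIELDS:
            # Lists are whitespace or comma separated; an empty list is "".
            result[key] = [item for item in re.split(r"[,\s]+", value) if item]
        else:
            result[key] = value
    return result


def is_banned(status_text, ip):
    """True when `ip` is in the jail's current ban list (e.g. your own workstation)."""
    return ip in parse_status(status_text).get("banned_ip_list", [])


def summary(status_text):
    """One-line summary suitable for a monitoring check or a cron mail."""
    s = parse_status(status_text)
    return (f"{s['jail']}: {s['currently_banned']} banned now, "
            f"{s['total_banned']} total, {s['currently_failed']} failing")
```

In practice you would pass the captured stdout of fail2ban-client status sshd to parse_status and act on the result, for example by calling is_banned with the address you administer from before a change window, so you know in advance whether the unbanip command above is needed.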

That wraps it up for this tutorial! We only discussed protecting sshd in this tutorial, but Fail2ban can be used to help protect all kinds of other services such as httpd. We encourage you to do some further reading and see what it is capable of! Just remember that while Fail2ban is awesome, it is not a replacement for a strong set of firewall rules. When properly configured, however, Fail2ban is a great tool to help further harden your server’s security. Have fun and happy IP blocking!


Install Rsync and Lsync on CentOS, Fedora or Red Hat

Have you ever needed to copy files from your local computer over to your web server? You may have previously used File Transfer Protocol (FTP) applications for this task, but FTP is prone to being insecure and can be challenging to work with over the command line. What if there was a better way? In this tutorial, we’ll be covering two popular utilities in the Linux world to securely assist in file transfers, rsync and lsyncd. We’ll show you how to install and use both in this article. Let’s dig in!


How to Use IPMI

IPMI (Intelligent Platform Management Interface) is a great way to manage your server remotely. Having IPMI combined with a Liquid Web VPN is similar to having a remote KVM (keyboard, video and mouse) console attached to your server. You’ll be able to perform actions remotely that traditionally could only be accomplished when physically present at the machine, including viewing the startup process, changing BIOS settings, installing the OS, and even power cycling your server. This guide is intended to walk you through the IPMI web interface and explain the various pages. If you need help accessing IPMI, try this Knowledge Base article instead!

Note:
Some functionality of the IPMI portal has been locked down by Liquid Web. As a customer, you have “Operator” level permissions. Only IPMI “Administrators” can perform specific actions in the web portal. This article covers what is primarily available to IPMI Operators!

This view is the first page displayed when you log into the IPMI web portal. There are a few important pieces of information on this page, including your IPMI IP address, the firmware revision of the IPMI BMC, and your system’s MAC addresses. The “Remote Console Preview” page gives you a small thumbnail display of what the video display would look like if directly connected to your server. Also note that you can perform some power cycling actions from this page, including “Power On,” “Power Down,” and “Reset.”

System Info within IPMI


While there is not much to look at on this page, it is one of the most important pages on the web portal! Clicking the “Launch Console” button will allow you to remotely connect to your server as if you had a KVM installed. When you click the button, your browser will prompt you to download a new file called “launch.jnlp.”

Note:
You will need Java installed to run this application.

Console Redirection page shows the "Launch Console" button


The “Event Log” page displays some fundamental logging information from the IPMI console. This page will keep a record of IPMI logins, and some other information on who accessed the system.

Note:
IPMI Operators will only be able to view these logs. Only IPMI Administrators maintain the ability to clear the logs.

Event Log shows who has accessed the server.


On this page, you can mount a CD-ROM ISO stored remotely on a Windows share, which can be useful if you would like to install a custom operating system remotely.

Note:
Installing a custom operating system may hamper Liquid Web’s ability to assist you! We have many officially supported operating systems available, ask your sales representative for more info.

IPMI gives you the ability to add your own OS.


The Virtual Media page allows you to upload a small binary image (1.44MB max size) directly to the IPMI controller in your server, allowing you to boot from legacy “floppy disk” images. While mostly unnecessary in today’s tech landscape, this option can still be helpful to some users.

IPMI gives you the ability to add a binary image through a virtual floppy disk.


The Server Health page displays only a small amount of information, mostly version details for the IPMI product.

Note:
Under normal circumstances, many of these fields will be blank, and there is limited information available on this page.

Check the version of your IPMI instance.


This page displays information gathered by sensors on the motherboard. You can see information on many physical aspects of your server here. For example, some data here includes fan speed, component temperatures, voltage readings on the CPU and RAM, and more.

Sensor Readings show fan speed, temps, CPU and RAM.


The “SOL” Console (Serial Over LAN Console) is a serial console connection to your server. It has a narrow set of use cases: it is only useful for redirecting serial input/output over the LAN.

The serial console connection, useful for redirecting serial input/output over LAN.


That covers the functionality available to IPMI Operators. When used appropriately, IPMI can be a valuable tool for maintaining your server. It provides a similar level of access as if you were physically present in front of your server. It used to be that this capability was only possible when purchasing additional expensive KVM hardware. Liquid Web Dedicated Servers have this functionality as standard at no extra cost! Give us a call if you have any questions, or would like to discuss getting an IPMI capable server.