Brute-force attacks and your VPS – Fail2Ban

January 26, 2021

One of the most common types of attack, alongside DDoS, is the brute-force attack. It is carried out by attackers running a script that tries a list of millions upon millions of possible passwords in record time. The most common goals of such attacks are to steal personal information, use that information for phishing, ruin your organization’s reputation and compromise your website. Most of the businesses that experience a successful attack of this kind shut down within about six months. A brute-force attack can be recognized by an increased load on your server from an influx of POST requests, or by failed login attempts coming from a single IP address. Now, let’s talk about how you can prevent these breaches.

Installing VPS Fail2Ban

Fail2Ban is software made specifically to protect your VPS by recognizing patterns in the logs of your services and servers that resemble an attack. If an attack is ongoing, the software bans the originating IP. An active attack is typically recognized as repeated failed attempts to log in to your server over the SSH protocol, using different usernames and passwords. Now, let’s look at the process of installing Fail2Ban on Ubuntu 16.04 step by step:

To install the protective tool on Debian/Ubuntu, you will need to run these commands:

sudo apt-get update
sudo apt-get install fail2ban -y

After the installation, the default configuration file can be found at /etc/fail2ban/jail.conf. For the software to suit your environment you will need to edit this file. Furthermore, you will need to enable each service that your server runs individually by going through the list, as each service has its own section.

Configuring Fail2Ban

To open and configure the file, you will need to run these commands:

sudo apt-get install nano
sudo nano /etc/fail2ban/jail.conf

SSH protection is enabled by default. Without you applying any further changes, anyone who tries to brute-force their way into your server over SSH will be timed out or banned after 6 tries. Fail2Ban protects the default protocol ports, so any service on your server that is configured to use a non-standard port must have its new port number specified in the configuration.

Let’s say you change your SSH port number from 33 to 3333. The new port needs to be defined in the configuration, so the jail section looks like this:

[ssh]
enabled = true
port = 3333
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

All the other services, although configured, are not yet enabled; you can tell this by the false value of their enabled setting. To change that, just swap the value to true.

The explanation of the configuration goes as follows:
• Enabled – whether Fail2Ban monitors this service.
• Port – port number of the service to be monitored. If it is changed to something other than the standard port, the new port must be specified in the configuration.
• Filter – the set of rules and log patterns that Fail2Ban uses to determine whether a particular service is under attack.
• Logpath – by default the auth.log file, where all the login logs are stored. If it is changed, the new path must also be specified in the configuration.
• Maxretry – the number of failed attempts from one IP before it is banned (6 in the section above).
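To make the counting behind that jail concrete, here is an added Python model (not part of the original post, and not Fail2Ban's own code) that applies a simplified version of the sshd filter's "Failed password" pattern to constructed auth.log lines, using maxretry = 6 from the section above and Fail2Ban's default findtime of 600 seconds. It reports which source IPs would be banned and shows why a slow drip of failures spread over more than findtime never triggers the ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog line OpenSSH writes to /var/log/auth.log on a failed login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_ts(ts, year=2021):
    """auth.log timestamps carry no year, so one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ips_to_ban(log_lines, maxretry=6, findtime=600):
    """IPs with >= maxretry failed logins inside any findtime-second window.
    maxretry=6 matches the jail shown above; 600 s is Fail2Ban's default findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    banned = []
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # the sshd filter ignores every other line
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(when)
        # forget failures older than findtime (Fail2Ban's sliding window)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed auth.log sample: one fast burst, one single failure, one slow drip.
SAMPLE_LOG = [
    f"Jan 26 10:00:{s:02d} vps sshd[1234]: Failed password for root "
    f"from 203.0.113.7 port 5000{s} ssh2" for s in range(6)
] + [
    "Jan 26 10:00:10 vps sshd[1240]: Accepted publickey for deploy from 198.51.100.2 port 50010 ssh2",
    "Jan 26 10:00:11 vps sshd[1241]: Failed password for invalid user admin "
    "from 198.51.100.9 port 50011 ssh2",
] + [
    # six failures five minutes apart: never six inside the 600 s window
    f"Jan 26 10:{5 * i:02d}:00 vps sshd[1300]: Failed password for root "
    f"from 192.0.2.50 port 40000 ssh2" for i in range(6)
]
if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))   # ['203.0.113.7']
```

The real sshd filter matches many more OpenSSH messages than this one regex, so treat the model as an illustration of the maxretry/findtime logic rather than a replacement for Fail2Ban.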

With these basic guidelines, you should be able to configure your Fail2Ban policies on your server. It is a great way to protect against the most common attacks.