{"id":95,"date":"2011-04-03T11:00:25","date_gmt":"2011-04-03T10:00:25","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=95"},"modified":"2013-06-15T13:18:41","modified_gmt":"2013-06-15T12:18:41","slug":"quick-and-easy-tutorial-on-installing-and-configuring-fail2ban-on-an-amazon-ec2-instance","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/04\/2011\/quick-and-easy-tutorial-on-installing-and-configuring-fail2ban-on-an-amazon-ec2-instance\/","title":{"rendered":"Quick and Easy Tutorial on Installing and Configuring fail2ban on an Amazon EC2 Instance"},"content":{"rendered":"<p>This article will serve as a quick tutorial on installing and configuring fail2ban on an Amazon EC2 instance.<\/p>\n<p>I like to think of fail2ban as a &#8216;second line&#8217; of defence against systematic attempts to brute-force their way into SSH on a server.<br \/>\nThe first line of defence should always be disabling root log-in over SSH, using private keys for log-on rather than passwords (and strong passwords wherever they must remain), and limiting which addresses can reach port 22 in the instance&#8217;s security group.<br \/>\nfail2ban can do a lot more than protect against brute-force SSH attacks, since it can watch any log file with a regular-expression filter and ban the addresses that match, but that is outside the scope of this tutorial.<\/p>\n<p><!--more--><\/p>\n<h2>Installation<\/h2>\n<p>I am assuming the instance you want to install fail2ban on is the default Amazon Linux AMI. 
If you are using another Linux distribution, the syntax of some of the commands listed below may differ slightly.<\/p>\n<p>Two notes on the commands: the tarball is fetched over plain HTTP with no integrity check, so verify what you downloaded before running setup.py install as root; and <em>-O<\/em> is needed because wget would otherwise keep the <em>?use_mirror=kent<\/em> query string in the saved file name and the following tar command would not find the archive. There is also no reason to run wget or tar as root.<\/p>\n<p><code>wget -O fail2ban-0.8.4.tar.bz2 http:\/\/downloads.sourceforge.net\/project\/fail2ban\/fail2ban-stable\/fail2ban-0.8.4\/fail2ban-0.8.4.tar.bz2?use_mirror=kent<br \/>\ntar -xjvf fail2ban-0.8.4.tar.bz2<br \/>\ncd fail2ban-0.8.4<br \/>\nsudo python setup.py install<br \/>\nsudo cp files\/redhat-initd \/etc\/init.d\/fail2ban<br \/>\nsudo chkconfig --add fail2ban<br \/>\nsudo chkconfig fail2ban on<br \/>\nsudo service fail2ban start<\/code><\/p>\n<h2>Configuration<\/h2>\n<p>There are some important parameters that you should understand and set before leaving fail2ban to do its thing.<br \/>\nThe values below should be chosen by someone who understands the system and what it is used for (hopefully you). For example, if you have hundreds or thousands of users, you don&#8217;t want to set the ban limit too low, otherwise you will undoubtedly receive many complaints from users who mistyped their passwords \ud83d\ude42<\/p>\n<p>The following parameters live in jail.conf under <strong>\/etc\/fail2ban<\/strong>. Rather than editing jail.conf itself, put the settings you change in a jail.local file in the same directory: fail2ban reads jail.local after jail.conf, so your values take precedence and survive an upgrade that replaces jail.conf.<\/p>\n<ul>\n<li>ignoreip &#8211; List your own IP address (or network, in CIDR notation) here so that you don&#8217;t accidentally lock yourself out! Use the public address the instance sees, not a private address behind your NAT router; a DNS host name would be better if you are on a dynamic IP.<\/li>\n<li>bantime &#8211; the number of seconds an IP address stays on the &#8216;ban list&#8217;<\/li>\n<li>maxretry &#8211; Number of failed attempts before the IP address is banned<\/li>\n<li>findtime &#8211; If maxretry attempts are made within findtime seconds, the IP address is banned; the window slides, so only the most recent findtime seconds of failures count. For example, if findtime is 600 seconds and maxretry is 3, a user will be banned if they make 3 attempts within 10 minutes. If they make 2 attempts in 9 minutes and make the 3rd 5 minutes later, they will not be banned, because no 10-minute window contains all three.<\/li>\n<\/ul>\n<p>You also want to set the &#8216;enabled&#8217; parameter to <em>true<\/em> under <strong>[ssh-iptables]<\/strong>; jails ship disabled, so until you do fail2ban watches nothing.<\/p>\n<p>Also, if you have not configured sendmail on your server or you do not want fail2ban sending mail, just comment out the line beginning with <em>sendmail-whois<\/em> with a # (hash symbol). Leave the <em>iptables<\/em> action line above it alone; that is the one that actually blocks the address.<\/p>\n<p>Last but not least, change the <em>logpath<\/em> to the file that sshd writes authentication failures to. On the Amazon Linux AMIs this is <strong>\/var\/log\/secure<\/strong>; the stock jail.conf points at a different file, and with a wrong path fail2ban never sees a failed log-in.<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/04\/fail2banSSHConfig.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-100\" title=\"fail2banSSHConfig\" alt=\"fail2ban SSH Configuration\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/04\/fail2banSSHConfig.png\" width=\"578\" height=\"116\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/04\/fail2banSSHConfig.png 578w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/04\/fail2banSSHConfig-300x60.png 300w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/a><\/p>\n<p>After making these changes, you should restart the fail2ban service:<\/p>\n<p><code>sudo service fail2ban restart<\/code><\/p>\n<p>Then check that the jail actually came up (<em>fail2ban-client status<\/em> lists the active jails, and <em>fail2ban-client status ssh-iptables<\/em> shows which file it is watching and the current ban list) before trusting it.<\/p>\n<h3>Optional<\/h3>\n<p>I like to have my fail2ban logs (these are internal fail2ban logs such as which IP addresses have been banned and unbanned) written out to the same directory as where the configuration files are stored. 
If you would like to change the location of the fail2ban log files, simply open fail2ban.conf under <strong>\/etc\/fail2ban\/<\/strong> and change the <em>logtarget<\/em> parameter (fail2ban must be restarted afterwards for the change to take effect).<\/p>\n<h2>Uninstallation<\/h2>\n<p>If you want to remove fail2ban, stop the service, take it out of the boot sequence and delete its configuration, init script and logs:<\/p>\n<p><code>sudo service fail2ban stop<br \/>\nsudo chkconfig --del fail2ban<br \/>\nsudo rm -rf \/etc\/fail2ban<br \/>\nsudo rm \/etc\/init.d\/fail2ban<br \/>\nsudo rm \/var\/log\/fail2ban*<\/code><\/p>\n<p>Note that this does not remove what <em>setup.py install<\/em> put under the system Python (the fail2ban modules in site-packages and the fail2ban-client, fail2ban-server and fail2ban-regex scripts); setup.py has no uninstall target, so those have to be located and removed by hand. If you moved the logs as described under Optional, delete them from wherever <em>logtarget<\/em> pointed instead of \/var\/log.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article will serve as a quick tutorial on installing and configuring fail2ban on an Amazon EC2 instance. I like to think of fail2ban as a &#8216;second line&#8217; of defence against systematic attempts to break through and access SSH on a server. First line of defence should always be disabling the root log-in, using strong [&hellip;]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[14,15,16,13,17],"class_list":["post-95","post","type-post","status-publish","format-standard","hentry","category-tech","tag-amazon","tag-aws","tag-ec2","tag-fail2ban","tag-ssh"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-1x","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/95","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=95"}],"version-history":[{"count":2,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/95\/
revisions"}],"predecessor-version":[{"id":943,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/95\/revisions\/943"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=95"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=95"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=95"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
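The maxretry/findtime/ignoreip rules described in the Configuration section of the post above, modelled in Python over a few constructed /var/log/secure lines. This is an added example and not fail2ban's own code: the regular expression is a simplified stand-in for fail2ban's sshd filter, the host name, PIDs and TEST-NET addresses are made up, and the year is assumed because syslog timestamps carry none. It works through the exact case the post describes (two failures nine minutes apart and a third five minutes later never make three inside a ten-minute window), shows that addresses covered by ignoreip are never counted, and shows how widening findtime changes the verdict.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter (assumption: not the
# project's own failregex): a syslog timestamp, the host, then the classic
# "Failed password ... from <ip>" line.  /var/log/secure carries no year, so
# LOG_YEAR is assumed when parsing.
LOG_YEAR = 2011
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+'
)

# Constructed /var/log/secure lines (TEST-NET addresses), not a real capture.
SAMPLE_SECURE_LOG = [
    # 203.0.113.5: three failures inside 5.5 minutes -> banned on the third
    'Apr  3 11:00:05 ip-10-0-0-12 sshd[2101]: Failed password for root from 203.0.113.5 port 50122 ssh2',
    'Apr  3 11:03:10 ip-10-0-0-12 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2',
    'Apr  3 11:05:30 ip-10-0-0-12 sshd[2105]: Failed password for root from 203.0.113.5 port 50130 ssh2',
    # 203.0.113.77: two failures 9 minutes apart, a third 5 minutes after that;
    # no 600 s window ever holds all three, so never banned at findtime=600
    'Apr  3 11:10:00 ip-10-0-0-12 sshd[2110]: Failed password for ec2-user from 203.0.113.77 port 40001 ssh2',
    'Apr  3 11:19:00 ip-10-0-0-12 sshd[2112]: Failed password for ec2-user from 203.0.113.77 port 40002 ssh2',
    'Apr  3 11:24:00 ip-10-0-0-12 sshd[2114]: Failed password for ec2-user from 203.0.113.77 port 40003 ssh2',
    # 198.51.100.9: three quick failures, but the /24 is in ignoreip below
    'Apr  3 11:30:00 ip-10-0-0-12 sshd[2120]: Failed password for ec2-user from 198.51.100.9 port 40010 ssh2',
    'Apr  3 11:30:05 ip-10-0-0-12 sshd[2121]: Failed password for ec2-user from 198.51.100.9 port 40011 ssh2',
    'Apr  3 11:30:10 ip-10-0-0-12 sshd[2122]: Failed password for ec2-user from 198.51.100.9 port 40012 ssh2',
    # a successful key log-in: the filter must not count it
    'Apr  3 11:31:00 ip-10-0-0-12 sshd[2123]: Accepted publickey for ec2-user from 198.51.100.9 port 40013 ssh2',
]


def parse_failures(lines):
    # Return [(timestamp, ip), ...] for every line the filter matches.
    hits = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", '%Y %b %d %H:%M:%S')
            hits.append((ts, m.group('ip')))
    return hits


def ban_decisions(lines, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
    # Apply the jail.conf semantics: an address is banned when its maxretry-th
    # failure lands within findtime seconds of the earliest failure still in
    # the sliding window; ignoreip entries (single addresses or CIDR networks)
    # are never counted; failures during an active ban are skipped, as the
    # iptables rule would have dropped them anyway.  Returns {ip: ban time}.
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    ban_len = timedelta(seconds=bantime)
    recent = {}   # ip -> failure timestamps still inside the window
    banned = {}   # ip -> time the ban was applied
    for ts, ip in sorted(parse_failures(lines)):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignored):
            continue
        if ip in banned and ts < banned[ip] + ban_len:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
            recent[ip] = []
    return banned


def run_example():
    # The post's settings (maxretry 3, findtime 600) plus an ignoreip list
    # holding localhost and the administrator's (assumed) office network.
    return ban_decisions(SAMPLE_SECURE_LOG, maxretry=3, findtime=600,
                         ignoreip=('127.0.0.1', '198.51.100.0/24'))


if __name__ == '__main__':
    for ip, when in sorted(run_example().items()):
        print(f'ban {ip} at {when:%H:%M:%S}')
```

Running it reports a single ban, for 203.0.113.5 at 11:05:30. 203.0.113.77 is never listed at findtime 600, but calling ban_decisions with findtime=900 bans it too, which is the trade-off the post warns about when choosing the limits for a server with many legitimate users; dropping the ignoreip argument shows 198.51.100.9 banned as well.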