简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Article  >  Operation and Maintenance  >  How to use the Fail2ban tool to prevent brute force attempts

How to use the Fail2ban tool to prevent brute force attempts

王林
王林Original
2023-07-08 19:15:101862browse

How to use the Fail2ban tool to prevent brute force attempts

Introduction: The popularity of the Internet has made network security issues a very important topic. Among them, brute force attempts are one of the common security threats. In order to effectively prevent brute force cracking behavior, we can use the Fail2ban tool to help us implement protective measures. This article will describe how to use the Fail2ban tool to prevent brute force attempts and provide some code examples.

1. Introduction to the Fail2ban tool

Fail2ban is an open source firewall tool that is specially used to monitor system logs and configure rules to detect and block IP addresses with malicious intentions. It can automatically monitor the system's log files, and when it detects frequent failed login attempts, it will temporarily prohibit access to the IP address to prevent brute force cracking.

2. Install Fail2ban

Before we begin, we first need to install the Fail2ban tool. On most Linux distributions, it can be installed through the package manager: 

sudo apt-get install fail2ban

3. Configure Fail2ban

  1. Create the configuration file

In the configuration Before Fail2ban, we need to create a new configuration file. Run the following command in the terminal: 

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

This will copy the default Fail2ban configuration file to a new file.

  1. Edit configuration file

Open the newly created configuration file /etc/fail2ban/jail.local and edit it as needed. The following are some common configuration items:

  • ignoreip: Ignore certain IP addresses and do not detect and block them. For example: ignoreip = 127.0.0.1/8
  • bantime: ban time in seconds. The default is 600 seconds. For example: bantime = 3600
  • maxretry: Maximum number of retries. If the number of consecutive failures for an IP address exceeds this value within a certain period of time, the IP address will be banned. For example: maxretry = 5
  • destemail: When an IP address is banned, the target email address for sending an email notification. For example: destemail = admin@example.com
  • action: The action that triggers the ban operation. It can be sending an email notification (admin), adding it to the firewall (RBLOCK), etc. For example: action = %(action_mwl)s

The following is a sample configuration:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
maxretry = 5
destemail = admin@example.com
action = %(action_mwl)s

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

In this sample configuration, we ignore the local IP address and set the ban time to 1 hour, the maximum number of retries is 5. When an IP address is banned, an email notification will be sent to admin@example.com, and the IP address will also be added to the firewall rules.

  1. Save and close the file

After completing the configuration, save and close the file.

4. Start Fail2ban

After the configuration is completed, we need to start the Fail2ban service to make it effective. Run the following command in the terminal: 

sudo systemctl start fail2ban

In addition, you can also set Fail2ban to start automatically at boot, which ensures that it runs automatically when the system starts: 

sudo systemctl enable fail2ban

5. Test Fail2ban

Finally, we can run some tests to verify that the Fail2ban tool is working properly.

  1. Try brute force cracking

In order to test the protection capabilities of Fail2ban, we can try to log in to the server using a wrong password. You can use the ssh command to test: 

ssh username@your_server_ip

After trying multiple times, Fail2ban should automatically detect these failed attempts and ban the corresponding IP address.

  1. Check the ban log

To see which IP addresses have been banned, you can run the following command: 

sudo fail2ban-client status

This will display the currently banned IP addresses list.

Conclusion:

By using the Fail2ban tool, we can effectively prevent brute force attempts. With the help of Fail2ban's configuration rules, we can automatically monitor the system's log files and block malicious IP addresses for frequent failed login attempts. This can greatly improve the security of the system and protect the security of the server and user data.

Reference link:

  • [Fail2ban official website](https://www.fail2ban.org/)
  • [Fail2ban GitHub repository](https:/ /github.com/fail2ban/fail2ban)

The above is the detailed content of How to use the Fail2ban tool to prevent brute force attempts. For more information, please follow other related articles on the PHP Chinese website!

github https 网络安全 linux ssh
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:How to configure your CentOS system to prevent the spread and intrusion of malwareNext article:How to configure your CentOS system to prevent the spread and intrusion of malware

Related articles

See more