
Once your server is online it will be probed and attacked. Attackers use thousands of hosts to scan for servers, exploit vulnerabilities and brute-force passwords. Once they gain control of a server, they use it to send spam, run mining software or attack other servers.

It is important to protect your host as soon as you set up a server. On CentOS the default firewall (firewalld) blocks inbound access to all ports except the SSH service. However, if you want to provide services to the public, you will have to open the appropriate ports, such as http/https or the mail ports (smtp, submission, pop3, imap), to allow access from other hosts on the Internet. Every port you open is a service an attacker can try to log in to.

To enhance the security of your system it is not enough to rely on the firewall: the services you expose must also be configured carefully to minimize the risk of attack and exploitation. Additional software can harden the system further. Fail2ban is one such tool: it blocks hosts that repeatedly fail to authenticate against your services.

Fail2ban monitors the log files of the services it is configured to watch and matches each line against a per-service filter (a set of regular expressions). When the number of matches from one IP address within a time window (findtime) reaches the preset count (maxretry), it adds a rule to the system firewall that blocks that IP for a set period (bantime). All three values are defined in the configuration file, globally and per service.

To install and configure Fail2ban in a CentOS system, follow these steps:

  1. Install fail2ban using yum. On CentOS the package is shipped in the EPEL repository, so install epel-release first if that repository is not already enabled:

    # yum install fail2ban
  2. Enable fail2ban to start automatically on boot:

    # systemctl enable fail2ban
  3. Create a configuration file by copying jail.conf to jail.local:

    # cd /etc/fail2ban 
    # cp jail.conf jail.local 

    The jail.local file takes precedence over jail.conf: for every setting, the value from jail.local is used if present, and the value from jail.conf otherwise. Keep all of your changes in jail.local, because a package upgrade overwrites jail.conf and would discard them.
     

  4. Open jail.local, delete all the sections you don't want to modify, and leave only the sections of the services you want to monitor (the deleted sections still exist in jail.conf, so nothing is lost). The edited file should look like this:

    [DEFAULT]
    ignoreip = 127.0.0.1/8
    bantime  = 86400
    findtime = 600
    maxretry = 5
    action   = %(action_mwl)s

    [postfix]
    enabled  = true
    filter   = postfix
    bantime  = 864000
    maxretry = 1
    port     = smtp,465,submission
    logpath  = %(postfix_log)s
    backend  = %(postfix_backend)s
    #action  = firewallcmd-ipset

    [dovecot]
    enabled  = true
    bantime  = 3153600
    filter   = dovecot
    maxretry = 2
    port     = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath  = %(dovecot_log)s
    backend  = %(dovecot_backend)s

    [postfix-sasl]
    enabled  = true
    filter   = postfix-sasl
    bantime  = 864000
    maxretry = 2
    port     = smtp,465,submission,imap3,imaps,pop3,pop3s
    logpath  = %(postfix_log)s

    [drupal-auth]
    enabled  = true
    filter   = drupal-auth
    bantime  = 86400
    maxretry = 3
    port     = http,https
    logpath  = %(syslog_daemon)s
    backend  = %(syslog_backend)s

    In the above example configuration, fail2ban monitors the postfix, dovecot and drupal logs. In each section, filter is the name of the corresponding filter file in the filter.d directory, port is the list of ports the ban applies to, and logpath is the log file the filter is run against. bantime and findtime are in seconds (86400 is one day), so check the numbers you choose. You can either set maxretry and bantime to appropriate values per jail or delete them and use the defaults from the DEFAULT section. Keep ignoreip set to addresses you administer from, or a typo in your own password can lock you out. The default action, action_mwl, bans the host and also emails a report with whois and log lines; for that to work, destemail and sender must be set in the DEFAULT section and the host must be able to deliver local mail, otherwise use action_ (ban only). On a host that uses firewalld, either install the fail2ban-firewalld package or set banaction = firewallcmd-ipset so that bans are inserted through firewalld rather than as raw iptables rules. If you want to monitor other services, locate and copy the related sections from jail.conf to jail.local and enable them with enabled = true.

  5. Save and close the file.
  6. Restart fail2ban so that the new jails are loaded, then confirm with fail2ban-client status that every jail you enabled is listed; fail2ban-client status followed by a jail name shows the currently banned addresses for that jail.

    # systemctl restart fail2ban
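To make the interaction of maxretry, findtime, bantime and ignoreip from the configuration above concrete, here is an added example (it is not code from the page or from the Fail2ban project) that re-implements Fail2ban's counting rule in a few lines of Python and runs it over constructed maillog lines. The jail.local text is a cut-down copy of step 4, read with the same DEFAULT-then-section fallback that Fail2ban uses; the failregex is a simplified stand-in for the real filter.d/postfix-sasl.conf, and the log lines, IP addresses and time offsets are all constructed for the example.

```python
import configparser
import ipaddress
import re

# Constructed jail.local fragment, same shape as step 4 above. postfix_log is
# defined here so that the %(postfix_log)s reference resolves offline.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 600
maxretry = 5
postfix_log = /var/log/maillog

[postfix-sasl]
enabled  = true
filter   = postfix-sasl
bantime  = 864000
maxretry = 2
logpath  = %(postfix_log)s
"""

# Simplified stand-in for Fail2ban's postfix-sasl failregex: one failed SASL
# authentication, with the client address captured as <host>.
FAILREGEX = re.compile(
    r"warning: \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)

# Constructed log lines as (seconds since the first line, text). Fail2ban
# parses the syslog timestamp itself; the offsets stand in for that here.
MAILLOG = [
    (0,   "Mar 10 12:00:00 mail postfix/smtpd[1021]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    (30,  "Mar 10 12:00:30 mail postfix/smtpd[1021]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    (60,  "Mar 10 12:01:00 mail postfix/smtpd[1021]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"),
    (100, "Mar 10 12:01:40 mail postfix/smtpd[1030]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure"),
    (800, "Mar 10 12:13:20 mail postfix/smtpd[1042]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure"),
    (810, "Mar 10 12:13:30 mail postfix/smtpd[1042]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure"),
    (820, "Mar 10 12:13:40 mail postfix/smtpd[1042]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure"),
    (830, "Mar 10 12:13:50 mail postfix/smtpd[1050]: connect from mx.example.net[192.0.2.33]"),
]


def load_jail(text, name):
    """Read one jail's settings. Anything the jail section does not set falls
    back to [DEFAULT], which is exactly the jail.conf/jail.local rule."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[name]
    return {
        "maxretry": sec.getint("maxretry"),
        "findtime": sec.getint("findtime"),
        "bantime": sec.getint("bantime"),
        "logpath": sec.get("logpath"),
        "ignoreip": [s.strip() for s in sec.get("ignoreip").split(",") if s.strip()],
    }


def in_ignore(host, ignoreip):
    """True if host falls inside any ignoreip address or CIDR range."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def scan(lines, jail):
    """Replay log lines through the jail's counting rule.

    A host is banned once it has maxretry matches within findtime seconds.
    Returns {host: offset at which the ban expires} for every banned host.
    """
    failures = {}  # host -> match offsets still inside the findtime window
    bans = {}      # host -> ban expiry offset
    for ts, text in lines:
        m = FAILREGEX.search(text)
        if not m:
            continue
        host = m.group("host")
        if in_ignore(host, jail["ignoreip"]):
            continue
        if host in bans and ts < bans[host]:
            continue  # already banned; the firewall rule is dropping this host
        window = [t for t in failures.get(host, []) if ts - t <= jail["findtime"]]
        window.append(ts)
        failures[host] = window
        if len(window) >= jail["maxretry"]:
            bans[host] = ts + jail["bantime"]
            failures[host] = []
    return bans


def run_example():
    """Apply the postfix-sasl jail to the constructed maillog."""
    return scan(MAILLOG, load_jail(JAIL_LOCAL, "postfix-sasl"))


if __name__ == "__main__":
    for host, expiry in run_example().items():
        print(f"ban {host} until offset {expiry}s")
```

Running it bans only 203.0.113.7: two failures 30 seconds apart reach the jail's maxretry of 2 (overriding the DEFAULT of 5), so it is banned for the jail's bantime of 864000 seconds. 198.51.100.9 also fails twice, but 700 seconds apart, which is outside the inherited findtime of 600, so its first failure has already aged out when the second arrives. 127.0.0.1 fails as well but is covered by ignoreip and never counted. Lowering findtime therefore lets slow, spread-out guessing through, while raising it catches more at the cost of longer memory per host.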
