Linux Server setup

Protection against DoS Attacks with Fail2ban

The software Fail2ban registers excessive and repetitive requests to the server, as is common in a Denial of Service (DoS) attack. In doing so, it monitors the log files and blocks IP addresses if necessary.

We will additionally sensitize Fail2ban to too many SSH login attempts.

First, we install Fail2ban.

We'll look at Linux's package management system (apt) in more detail in the chapter, so we'll perform the installation here without further explanation.

Install Fail2ban with apt:

__$ sudo apt install fail2ban -y

We first create a jail.local file with touch:

__$ sudo touch /etc/fail2ban/jail.local

We can make our modifications to this jail.local file. This remains with us with updates and is not overwritten like the jail.conf.

Let's open it for editing with nano:

__$ sudo nano /etc/fail2ban/jail.local

In the file we write the following configuration



enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
ignoreip  =
bantime   = 3600
findtime  = 600
maxretry  = 6

There is actually not much leeway in the parameters, except for maxretry, which is the number of failed attempts within a time window. In this case 6 login attempts are allowed before the IP is temporarily banned.

Brief explanation of the most important parameters:

  • ignoreip = ignores internal services
  • bantime = 3600: seconds that an IP is blocked (3600 = 60 minutes).
  • findtime = 600: time limit for failed attempts
  • maxretry = 6: number of failed attempts until an IP is blocked.

Let's restart Fail2ban for the changes to take effect:

__$ sudo systemctl restart fail2ban

And also check the status:

__$ sudo systemctl status fail2ban

There should be a active (running) feedback.

Testing is simple. Just exhaust the set failures (maxretry). But note: If you are locked you need either a new IP from the provider (if possible) or you lower the seconds of the bantime before (restart fail2ban.service if you change).

Unlock IP addresses in Fail2ban again

Unlock an IP in Fail2ban (separate multiple IPs with spaces):

__$ sudo fail2ban-client unban 123.456.789.013

Clear Fail2ban IP table:

__$ sudo fail2ban-client unban --all