Fail2ban on a Virtualmin Server

This document describes how to set up Fail2ban on a Virtualmin server.

Sysadmins who browse their server's logs can see the large number of bots trying to guess passwords on their server. We don't want those bots anywhere near our servers, and Fail2ban can help.

Fail2ban is a tool which monitors the logs and, after detecting unauthorized access attempts or malicious intent, can block the offending system from accessing your server.

Webmin now has built-in support for Fail2ban.

Access the Fail2ban Webmin Module

First, go into Webmin -> Un-used Modules -> Fail2Ban Intrusion Detector.

There, it will tell you that Fail2ban needs to be installed (unless it was already installed on your server, but that's not done by default).

Install Fail2ban

CentOS

CentOS does not come with Fail2ban, but it is available in EPEL. Enable the EPEL repository, then install the Fail2ban packages from it:

yum install epel-release
yum install fail2ban

Ubuntu/Debian

Ubuntu and Debian provide fail2ban in their repository. Simply click the link on the Fail2ban Webmin module screen to have Webmin perform the fail2ban installation using apt.

Return to Fail2ban Webmin Module Page

Now that Fail2ban has been installed, click "Fail2Ban Intrusion Detector" again, and you should now see options allowing you to configure the Fail2ban service.

Fail2ban is now active

That's it! Fail2ban is now running.

By default, the only rule Fail2ban enables is for invalid SSH login attempts. After 6 invalid login attempts, Fail2ban will ban that IP address for 10 minutes. It does this using iptables, with a separate iptables chain just for Fail2ban.

Test it Out!

Now that you've configured Fail2ban, we can test it.

Try logging into SSH 6 times using an invalid password. Do this from a host other than localhost/127.0.0.1, because Fail2ban ignores attempts from there. If it works properly, it'll block access from the host you're testing from for 10 minutes.
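The following is an added example, not part of the original document and not Fail2ban's own code: a small Python simulation of the default SSH rule described above (ban after 6 failures, 10 minute ban, localhost ignored), run over constructed log lines. The 10 minute counting window, the function names and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

MAX_RETRY = 6                       # failures before a ban (from this page)
BAN_TIME = timedelta(minutes=10)    # ban length (from this page)
FIND_TIME = timedelta(minutes=10)   # assumed counting window; not stated on this page

# OpenSSH "Failed password" lines in traditional syslog format.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def simulate(lines, year=2024):
    """Return [(ip, ban_start, ban_end)]; syslog has no year, so one is assumed."""
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip_address(ip).is_loopback:          # attempts from localhost are ignored
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue                            # still banned; nothing new to count
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:       # forget failures outside the window
            window.popleft()
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

def sample_line(minute, sec, user, ip):
    # Builds one constructed log line (documentation addresses, not real traffic).
    return (f"Mar  4 10:{minute:02d}:{sec:02d} host sshd[101]: "
            f"Failed password for {user} from {ip} port 4000 ssh2")

SAMPLE = ([sample_line(0, s, "root", "203.0.113.7") for s in range(0, 35, 5)]
          + [sample_line(1, s, "invalid user bob", "127.0.0.1") for s in range(0, 40, 5)]
          + [sample_line(2, s, "alice", "198.51.100.9") for s in range(0, 25, 5)])

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only 203.0.113.7 is banned: the loopback address is skipped despite 8 failures, and 198.51.100.9 stops at 5 failures, one short of the threshold.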

Additional Configuration

You can see which rules are active in the Filter Action Jails section.

There are a number of pre-set options in the Filter Action Jails that you can choose to enable, though only SSH is enabled by default.

What other things should we look to block?

In Filter Action Jails, you'll see sections for Postfix and Dovecot. We see bots using POP3 and IMAP for guessing passwords; it may be a good idea to have Fail2ban monitor those services.

To enable monitoring of Dovecot (POP3 and IMAP) login attempts, click Filter Action Jails -> Dovecot, set Currently enabled to Yes, and then click Save at the bottom.

You can do the same for Postfix.

To monitor all services using PAM for logins, you could enable the "PAM Generic" jail.

All Done!

You now have the basics configured, and many sysadmins don't need more than that.

However, Fail2ban is very configurable, and you can always create additional things for it to monitor.

For example, some people use it to monitor Apache logs for invalid WordPress login attempts, or a given IP address accessing a URL too many times in a certain time period.

The Fail2ban documentation, including examples of various types of setups, is available on their website: http://www.fail2ban.org/

One Final Thought regarding CentOS and Third Party Repositories

We advise caution when using third party repositories; they can often contain packages that conflict with standard Virtualmin packages, or cause config changes that can break your existing setup.

The EPEL repository we used to get fail2ban on CentOS is excellent, but even using it can cause occasional problems. You may want to disable it after installing fail2ban, to ensure that you don't install any packages you don't need in the future.

To do that, go into /etc/yum.repos.d, edit the EPEL .repo file, and set "enabled=0".

Alternatively, if you want to be able to receive fail2ban updates but not install other packages, you could edit the EPEL .repo file and set something like the following:

includepkgs=fail2ban*