Protecting Your VPS Against Brute Force Attacks
A common threat faced by virtual private servers (VPS) is brute force attacks. In this type of attack, an attacker systematically tries candidate values until one works, typically to guess passwords or encryption keys. Because these attacks are simple to mount and fully automated, they pose a significant threat to any unprotected server, potentially leading to unauthorized access and data leaks.
To enhance the security of your virtual private server (VPS), it’s essential to implement robust security measures. Fail2Ban and ConfigServer Security & Firewall (CSF), which includes the Login Failure Daemon (LFD), are two potent tools that can be used for this purpose. These tools are not just practical; they are highly effective in helping prevent unauthorized access by monitoring and blocking suspicious activity. In this guide, we will provide instructions on how to set up Fail2Ban to enhance the security of your VPS. By the end of this guide, you’ll have a solid defensive setup that can significantly reduce the risk of brute-force attacks on your server.
Let’s start with how to configure Fail2Ban on Your VPS.
Setting Up Fail2Ban on Your VPS
Fail2Ban serves as a robust solution for protecting your server by monitoring log files for suspicious activity and automatically banning IP addresses that display signs of malicious intent, such as too many password failures and potential exploits. Here’s how to set up Fail2Ban on your VPS to counter brute force attacks.
Installing Fail2Ban
Fail2Ban is compatible with various Linux distributions, and you can install it using the distribution’s package manager. To install Fail2Ban on Ubuntu and Debian systems, open your terminal and enter the following command:
sudo apt install fail2ban
For RHEL-based distributions (CentOS, AlmaLinux, Rocky Linux), you need the EPEL repository to access the Fail2Ban package. First, install the EPEL repository:
sudo yum install epel-release
After adding the EPEL repository, install Fail2Ban with:
sudo yum install fail2ban
Once installed, you need to enable and start the Fail2Ban service to ensure it runs on boot and is currently active:
sudo systemctl enable fail2ban --now
Configuring Fail2Ban
Fail2Ban can be easily customized to meet different security needs. The primary configuration file is jail.conf, located in /etc/fail2ban/. However, creating a copy of this file named jail.local is recommended to make your custom configurations, as this guarantees that your settings remain intact through software updates.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
To configure Fail2Ban, you need to edit the jail.local file. You can do this using any text editor, such as vi:
sudo vi /etc/fail2ban/jail.local
Configuring the Default Section
The [DEFAULT] section within Fail2Ban’s configuration file sets default values that apply to all jails unless overridden within an individual jail’s configuration. Below is an example [DEFAULT] section:
# Ban hosts for one hour:
bantime = 3600
# An IP is banned if it has failed 5 attempts in a 10-minute period:
findtime = 600
maxretry = 5
# Ignore traffic from your own IP addresses to prevent accidental bans:
ignoreip = 127.0.0.1/8
You can fine-tune Fail2Ban’s default behaviour by adjusting these parameters:
- bantime: The duration (in seconds) for which an IP is banned.
- findtime: The time window (in seconds) within which failures are counted towards a ban.
- maxretry: The number of failures within the findtime window that triggers a ban.
- ignoreip: A space-separated list of IPs or networks that should never be banned. This is crucial for avoiding accidentally banning your own IP addresses.
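The following script is an added illustration, not part of Fail2Ban or of the original guide: it replays a handful of constructed sshd-style log lines through a simplified version of the counting logic so you can see how bantime, findtime, maxretry and ignoreip interact. The timestamp format, the regular expression and the sample IPs are all assumptions made for the example; Fail2Ban’s real sshd filter and date handling are considerably richer.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the [DEFAULT] fragment above (assumed for this example).
BANTIME = 3600
FINDTIME = 600
MAXRETRY = 5
IGNOREIP = ["127.0.0.1/8"]

# Simplified failure pattern for the constructed lines below; not Fail2Ban's own filter.
FAIL_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def is_ignored(ip):
    """True if ip falls inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def simulate_bans(log_lines):
    """Replay lines in order; return {ip: ISO ban-expiry} for IPs reaching maxretry within findtime."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the findtime window
    banned = {}
    for line in log_lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if is_ignored(ip) or ip in banned:
            continue
        window = failures[ip]
        window.append(ts)
        # Failures older than findtime (relative to the newest one) no longer count.
        while window and (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            banned[ip] = (ts + timedelta(seconds=BANTIME)).isoformat()
    return banned


def _line(ts, ip):
    # Constructed sshd-style line; real syslog lines carry "Mar 12 12:00:05"-style timestamps.
    return f"{ts} vps sshd[1001]: Failed password for root from {ip} port 40001 ssh2"


SAMPLE_LOG = (
    [_line(f"2024-03-12T12:00:{s:02d}", "203.0.113.5") for s in (5, 20, 40, 55, 59)]   # 5 fails in 1 min: banned
    + [_line(f"2024-03-12T12:{m:02d}:00", "198.51.100.7") for m in (0, 5, 10, 15, 20)]  # 5 fails over 20 min: never 5 in one window
    + [_line(f"2024-03-12T12:01:{s:02d}", "127.0.0.1") for s in range(6)]              # localhost: covered by ignoreip
)
```

Running simulate_bans(SAMPLE_LOG) bans only 203.0.113.5, with the ban expiring one hour after its fifth failure; the slow attacker and localhost are never banned.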
Enabling and Configuring Jails
Each service you want to protect should have its jail configured in the jail.local file. To enable a jail, like SSH for example, make sure that the [sshd] section is set to enabled:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
You can also set specific parameters for each jail or rely on the [DEFAULT] settings if they are appropriate.
Additional Configurations
To enable and configure additional jails for services such as FTP, SMTP, or HTTP, simply set enabled = true for each respective service section. Tailor port, logpath, and security thresholds according to each service’s specific needs.
Once you have made the necessary changes to the configuration, restart the Fail2Ban service to ensure all your settings take effect:
sudo systemctl restart fail2ban
Monitoring Fail2Ban
To confirm that Fail2Ban is running and that the SSH jail is active, query the Fail2Ban client:
sudo fail2ban-client status sshd
This command shows the current status of the SSH jail, including active bans.
In the next section, we are going to explore the alternatives to Fail2Ban.
Alternative to Fail2Ban: Using CSF/LFD for Enhanced Server Security
Fail2Ban is a robust tool for protecting against brute force attacks through log monitoring and blocking suspicious IPs. However, ConfigServer Security & Firewall (CSF) with its Login Failure Daemon (LFD) is another powerful alternative. CSF/LFD offers a comprehensive solution for blocking IPs and actively managing server firewall settings.
What is CSF/LFD?
CSF is an advanced firewall configuration script designed to enhance server security while offering an easier-to-manage interface. It is closely integrated with LFD, a process that scans your server’s logs for signs of brute force attacks and other security threats, much like Fail2Ban. However, LFD extends these capabilities by enforcing security policies more actively and directly through the firewall.
Advantages of CSF/LFD Over Fail2Ban
- Integrated Firewall Management: In contrast to Fail2Ban, which primarily focuses on parsing logs and executing server commands based on those logs, CSF includes a full firewall setup and management system, enabling a more comprehensive control over server traffic.
- UI for Configuration and Alerts: CSF provides a user interface that can be accessed through popular web hosting control panels like cPanel, DirectAdmin, and Webmin. This simplifies the process of configuring and monitoring firewall and login failure settings through a web browser.
- More Extensive Features: CSF/LFD encompasses a broader range of functions, including email alerts for various triggers, SPI intrusion detection, and rate limiting for incoming connections, establishing a more robust security framework.
If you are looking to enhance the security of your VPS by exploring CSF/LFD as an alternative to Fail2Ban, consider reading our dedicated article on Installing and Managing CSF/LFD. This article provides a step-by-step guide on how to install, configure, and effectively manage CSF/LFD to protect your server against unauthorized access and attacks.
Conclusion
Ensuring the safety and reliability of your data is crucial when it comes to safeguarding your Virtual Private Server (VPS) against brute force attacks. In this guide, we’ve explored two powerful tools: Fail2Ban and CSF/LFD. Each offers unique advantages for securing your server.
Fail2Ban is straightforward and efficient. It focuses primarily on monitoring log files and blocking IPs that exhibit suspicious behaviour. It’s a great starting point for those new to server security, providing uncomplicated yet powerful protection against common brute force strategies.
CSF/LFD, conversely, provides a more comprehensive security solution. It blocks malicious attempts and manages firewall settings, providing a complete range of security features that are particularly beneficial for those requiring advanced control over server security.
Implementing either of these tools can greatly improve the security of your VPS. Whether you choose Fail2Ban for its simplicity or CSF/LFD for its extensive features, the important step is to start protecting your server today.
Implementing effective security measures such as Fail2Ban or CSF/LFD can prevent potential security threats and safeguard your data. Don’t wait for an attack; act now to secure your VPS!