Enhancing Linux Security: How to Automatically Block Suspicious IPs with iptables and Fail2Ban

Are you looking for an effective way to protect your Linux server from malicious attacks? This guide walks you through setting up a custom script that works in tandem with powerful tools like iptables and Fail2Ban. Whether you’re a seasoned system administrator or a hobbyist, you’ll find this beginner-friendly approach invaluable for securing your VPS, web server, or home Linux environment.

What Are iptables and Fail2Ban?

iptables

iptables is a command-line firewall utility embedded in most Linux distributions. It applies rules, or policy chains, to manage incoming and outgoing network traffic effectively. Think of iptables as your server’s gatekeeper, allowing only trusted traffic while blocking potential threats.

Fail2Ban

Fail2Ban monitors log files in real-time, searching for suspicious activities like repeated failed login attempts. When it detects anomalies, such as a brute-force attack targeting your SSH, it steps in to ban the offending IP by modifying iptables rules. Customizable settings allow you to dictate how many failed attempts will trigger a ban, the duration of that ban, and more.

Why Use a Custom IP Blocker Script?

While Fail2Ban is effective on its own, a custom IP blocker script enhances your server’s security. This script provides flexibility to block or unblock IPs seamlessly without modifying complex firewall rules. For instance, if you need to respond to specific patterns flagged by a monitoring tool, your script can integrate those alerts for automatic blocking.

This functionality is particularly beneficial in larger environments, making life easier for systems administrators managing multiple servers.

Step 1: Installing iptables and Fail2Ban

First, ensure both iptables and Fail2Ban are installed. For Debian-based systems like Ubuntu, update your package list:

sudo apt update
sudo apt install iptables fail2ban

If you use RPM-based systems, the command is:

sudo yum install iptables-services fail2ban

Step 2: Creating a Simple IP Blocker Script

Next, create a bash script named block-ip.sh to manually block IP addresses with iptables:

sudo nano /usr/local/bin/block-ip.sh

Paste the following code into the script:

#!/bin/bash

if [ -z "$1" ]; then
  echo "Usage: $0 "
  exit 1
fi

IP=$1

# Check if IP is already blocked
if iptables -L INPUT -v -n | grep -q "$IP"; then
  echo "IP $IP is already blocked."
else
  iptables -A INPUT -s $IP -j DROP
  echo "IP $IP has been blocked."
fi

Make the script executable:

sudo chmod +x /usr/local/bin/block-ip.sh

To test, block an IP address (e.g., 192.168.1.100):

sudo /usr/local/bin/block-ip.sh 192.168.1.100

Review current iptables rules to confirm:

sudo iptables -L -n -v

Step 3: Setting Up Fail2Ban with iptables

Now, configure Fail2Ban to automatically block suspicious IPs:

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600

For CentOS or RHEL, adjust the logpath:

/var/log/secure

Restart Fail2Ban to apply changes:

sudo systemctl restart fail2ban

Check the status of your jail:

sudo fail2ban-client status sshd

Step 4: Combine Your Script with Fail2Ban (Optional)

If you prefer Fail2Ban to utilize your custom script for banning, follow these steps:

sudo nano /etc/fail2ban/action.d/customblock.conf

Add the following configuration:

[Definition]
actionban = /usr/local/bin/block-ip.sh 
actionunban = iptables -D INPUT -s  -j DROP

Update your jail configuration to use the custom action:

action = customblock

Restart Fail2Ban again:

sudo systemctl restart fail2ban

Saving iptables Rules

Remember that iptables rules are not persistent by default. To ensure your rules survive a reboot, save them:

sudo apt install iptables-persistent
sudo netfilter-persistent save

For CentOS, use:

sudo service iptables save

Conclusion

Your Linux server security can be greatly enhanced with the combined power of iptables and Fail2Ban. By implementing a custom IP blocker script, you gain additional control over your server’s defenses against brute-force attacks and unwanted login attempts. Elevate your security measures and keep your systems safe!

FAQ

Question 1: What makes iptables useful for server protection?

Answer 1: iptables serves as a command-line firewall, efficiently filtering network traffic based on predefined rules, making it a vital component of server defense.

Question 2: Can I customize the Fail2Ban responses?

Answer 2: Yes! Fail2Ban allows customization of ban durations and the maximum number of failed login attempts, helping tailor your server’s security based on individual needs.

Question 3: What if I need to unban a specific IP?

Answer 3: You can easily unban an IP using the command: sudo fail2ban-client set sshd unbanip .

Read the original article