WebTracker.one

Protect Your Website with Fail2Ban

Hackers are always pounding away at the door of your website, trying to break in. A weak password here, misconfigured code there, an unpatched system: whatever they can find, they will use to force their way in. They may want your site to blast out spam email or to mine cryptocurrency.

If you are the Linux administrator of your site, there are a couple of simple shields you can raise to protect the perimeter. The first is UFW, the Uncomplicated Firewall. Digital Ocean has a good tutorial showing how to set one up.

The best security approach is deny all: deny access to every port, then open only the ones you need, such as ports 80 and 443 and any others required for services such as SSH or email.

The second shield is Fail2Ban. Fail2Ban blocks malicious or troublesome IP addresses. The Linux Handbook has a good introductory tutorial.

Fail2Ban sorts offending IPs into jails, and each jail is driven by configuration files. I use two Fail2Ban jails: the default sshd jail and a simple one that I wrote. These two jails will block a lot of troublemakers.

In Debian or Ubuntu, you will need to set up the following file: /etc/fail2ban/jail.local. If the file doesn't already exist, create it as a copy of your jail.conf file with the following command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

You will edit the jail.local file but leave the original jail.conf as is.

The first thing you need to do next is tell Fail2Ban to ignore your own IP address so you don't lock yourself out. Your /etc/fail2ban/jail.local file will look like this:

Ignore IP Screenshot

Insert your IP address in place of 11.11.111.111.

I recommend setting up the SSHD jail with these parameters in jail.local:

Fail2Ban Jail Parameters

These parameters lock out a hacker bot after a single bad SSH login attempt, for a bantime of 1d (one day). Since you have placed your IP on the ignore list, it won't affect you if you mistype your password.

After making the changes to jail.local, reload Fail2Ban to make the changes effective:

sudo fail2ban-client reload

You can check the status of the SSHD jail by typing the following at the command line:

sudo fail2ban-client status sshd

Here is the type of activity you may see:

Banned IPs Screenshot

I then configured my own jail, which I named hacker. Type in the following at the command line:

sudo nano /etc/fail2ban/filter.d/hacker.conf

Then enter the following text. Note: the (?i) at the start of each failregex line makes that expression case-insensitive:

# Fail2Ban simple filter to block hackers/bots
[INCLUDES]
before = apache-common.conf

[Definition]
prefregex = ^%(_apache_error_client)s ?<F-CONTENT>.+</F-CONTENT>$
failregex = (?i)admin
            (?i)adminer
            (?i)Cannot serve directory
            (?i)info.php
            (?i)install.php
            (?i)installer.php
            (?i)invalid URI path
            (?i)login
            (?i)phpinfo
            (?i)provided via SNI
            # will block SSL Labs testing
            (?i)rejecting client
ignoreregex =
datepattern = {^LN-BEG}

I then set up the jail in the jail.local file with these parameters:

Fail2Ban Jail Parameters
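The jail.local sections behind the ignore-IP and jail-parameter screenshots, written out as text. This is an added reconstruction, not the post's own screenshots: the values come from the post (one attempt, bantime 1d and -1, the Apache error log that fail2ban-regex is run against); the loopback entries in ignoreip and the port line are my assumptions.

```ini
[DEFAULT]
# Never ban these addresses. Replace 11.11.111.111 with your own IP.
# 127.0.0.1/8 and ::1 are the usual loopback entries (assumed).
ignoreip = 127.0.0.1/8 ::1 11.11.111.111

[sshd]
enabled  = true
# one failed login is enough; the ban lasts one day
maxretry = 1
bantime  = 1d

[hacker]
enabled  = true
# uses filter.d/hacker.conf
filter   = hacker
# port is an assumption; the post does not show it
port     = http,https
# the Apache error log the filter's prefregex is written for
logpath  = /var/log/apache2/error.log
maxretry = 1
# -1 means a permanent ban
bantime  = -1
```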

Once again, reload Fail2Ban to make the changes effective:

sudo fail2ban-client reload

One bad attempt to mess with my site, one request for a nonexistent admin or login page, and they are blocked permanently (bantime of -1). Here is the type of activity you will see; just type the following command:

sudo fail2ban-client status hacker

Banned IPs Screenshot

BTW, you can run the following command to check whether your regular expressions match the log as intended:

sudo fail2ban-regex '/var/log/apache2/error.log' /etc/fail2ban/filter.d/hacker.conf

See Fail2Ban follow-up regarding access log filtering to prevent abuse of resources.

I've also noticed, since upgrading to HTTP/2 and the Apache event MPM, a generic error message, Primary script unknown. I added this phrase to hacker.conf for a while but found that it was banning not only hacker bots but also ordinary users who hit simple 404 page-not-found errors.
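To see what the hacker.conf patterns actually catch, and why Primary script unknown was a poor addition, here is an added Python replay of the jail logic over a few constructed Apache error-log lines. This is example code, not part of the post or of Fail2Ban: the log-line regex is a simplified stand-in for Fail2Ban's %(_apache_error_client)s (IPv4 clients only), and the sample lines are made up.

```python
import re

# Simplified stand-in for fail2ban's %(_apache_error_client)s prefix (my
# assumption, not apache-common.conf): captures the client IPv4 and message.
APACHE_ERROR = re.compile(
    r"^\[[^\]]+\] \[[^\]]+\] (?:\[pid [^\]]+\] )?"
    r"\[client (?P<host>[^\]:]+)(?::\d{1,5})?\] (?P<content>.+)$"
)

# The failregex alternatives from hacker.conf, each case-insensitive like (?i).
FAILREGEX = [re.compile(p, re.IGNORECASE) for p in (
    "admin", "adminer", "Cannot serve directory", "info.php", "install.php",
    "installer.php", "invalid URI path", "login", "phpinfo",
    "provided via SNI", "rejecting client",
)]

def matches_filter(content: str) -> bool:
    """True if the message part of an error-log line matches any failregex."""
    return any(p.search(content) for p in FAILREGEX)

def banned_hosts(lines, ignoreip=(), maxretry=1):
    """Replay the jail: count filter hits per client, ban at maxretry hits,
    never count hosts on ignoreip. Returns (banned set, hits per host)."""
    hits = {}
    for line in lines:
        m = APACHE_ERROR.match(line)
        if not m:
            continue  # not an error-log line of the shape we parse
        host, content = m.group("host"), m.group("content")
        if host in ignoreip or not matches_filter(content):
            continue
        hits[host] = hits.get(host, 0) + 1
    return {h for h, n in hits.items() if n >= maxretry}, hits

# Constructed sample lines, not from a real server (documentation IP ranges;
# 11.11.111.111 stands in for the admin's own address from the post).
SAMPLE_LOG = [
    "[Sun Jul 03 10:00:01.000001 2022] [core:error] [pid 100:tid 1] [client 203.0.113.5:51234] invalid URI path (/cgi-bin/)",
    "[Sun Jul 03 10:00:02.000001 2022] [php:error] [pid 100:tid 2] [client 198.51.100.7:40000] script '/var/www/html/wp-login.php' not found or unable to stat",
    "[Sun Jul 03 10:00:03.000001 2022] [core:error] [pid 100:tid 3] [client 192.0.2.10:40001] AH00128: File does not exist: /var/www/html/favicon.ico",
    "[Sun Jul 03 10:00:04.000001 2022] [proxy_fcgi:error] [pid 100:tid 4] [client 192.0.2.11:40002] AH01071: Got error 'Primary script unknown'",
    "[Sun Jul 03 10:00:05.000001 2022] [core:error] [pid 100:tid 5] [client 11.11.111.111:40003] invalid URI path (/admin)",
]

if __name__ == "__main__":
    banned, hits = banned_hosts(SAMPLE_LOG, ignoreip={"11.11.111.111"})
    print("would ban:", sorted(banned), "| hits:", hits)
```

Adding "Primary script unknown" to FAILREGEX would also ban 192.0.2.11, which only hit a missing page; that is the false positive the post describes.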

At times, the hacker jail grows too large, and I unban all IPs with the following command:

sudo fail2ban-client unban --all

     * posted by Robert on Sun, Jul 03, 2022



Protect Your Website with Fail2Ban

Reply 1:

Fail2ban currently does not work in Ubuntu 24.04. The new version of Ubuntu upgrades to Python 3.12, which is missing the asynchat module. Fail2ban cannot function without this module.

There are two fixes available. The first is easier:

Fix 1: Install the following:

wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
sudo dpkg -i fail2ban_1.1.0-1_all.deb

Fix 2: Follow the steps below:

sudo mkdir /usr/lib/python3/dist-packages/fail2ban/compat

sudo wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asynchat.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asynchat.py

sudo wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asyncore.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asyncore.py

sudo wget -O /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/server/asyncserver.py

sudo apt install python3-setuptools

sudo fail2ban-client start

     * posted by Robert on Fri, May 10, 2024



Protect Your Website with Fail2Ban

Reply 2:

Nftables succeeds iptables on Linux systems, and is now the default firewall.

The Art of the Web explains how to bind Fail2ban to nftables.

Here are the basic steps in brief:

Call up the service file to make edits:

sudo systemctl edit --full fail2ban.service

Replace the Unit and Install sections of the page with the following text (but leave the existing Service section as is):

[Unit]
Requires=nftables.service
PartOf=nftables.service

[Install]
WantedBy=multi-user.target nftables.service

Enter the following commands:

sudo systemctl enable nftables.service
sudo systemctl enable fail2ban.service
sudo systemctl daemon-reload

If you use IPsets, you will need to translate your ipsets from iptables to nftables.

See Moving_from_ipset_to_nftables for an explanation of the following steps:

sudo ipset save > sets.ipset
sudo ipset-translate restore < sets.ipset
sudo iptables-save

You can then list the nftables as follows:

sudo nft list tables

To view the rules of an individual table such as table ip filter, enter the following command:

sudo nft list table ip filter

     * posted by Robert on Mon, May 13, 2024


Site built and hosted by RJdesign.one