How to Install fail2ban with CSF/LFD in cPanel, Part 2
the Frequently Asked Questions…
- Can I install fail2ban with the ConfigServer firewall? (CSF/LFD)
- How do I install fail2ban on cPanel servers?
- How do I yum install fail2ban in CentOS 5 or CentOS 6?
- How do I configure fail2ban for a VPS or dedicated server?
and The Digital FAQ Answers…
Configuring fail2ban to work with CSF/LFD is just as easy as installing it. Again, it works on cPanel, Virtualmin and DirectAdmin servers, where the CSF/LFD plugin (GUI) is installed. All it takes is a little work in SSH (putty), and you’re done.
Notes for Using fail2ban on a cPanel Server
One thing to keep in mind is that fail2ban is usually not installed on a stock cPanel server, and the instructions and the default jail config file reflect that. As such, we’ll be ignoring the instructions and default settings that came with the fail2ban software.
Although fail2ban suggests using a jail.local file, because an update can overwrite jail.conf, I suggest editing jail.conf anyway. Most of the jails in the config file should be purged as a safety precaution, so you don’t enable one by accident and create a conflict with CSF.
Additionally, don’t update fail2ban unless it’s absolutely necessary. After all, the RPMforge repository has been disabled, so there’s nothing to install or update. No repository, no updates! You’d have to re-enable it to run updates.
For a backup of the config file, I would just create jail.backup in the fail2ban folder.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.backup
Configure fail2ban with CSF/LFD
To configure fail2ban, edit /etc/fail2ban/jail.conf (the file you just backed up).
By default, fail2ban enables ssh protection (sshd), defined as one of the “jails” in that file. However, this is not desirable, as CSF/LFD is already protecting ssh. It should be disabled or even removed. fail2ban should only be used for services that CSF/LFD is not watching, such as WordPress or Exim.
That’s the key to using both services together — don’t let them overlap.
Furthermore, the fail2ban jail.conf found in the RPMforge repository is NOT correct. fail2ban will not start or run correctly using this file. It needs to be edited and fixed. Below you’ll find an abridged sample fail2ban jail.conf that is confirmed as working:
# Fail2Ban jail specifications file
# Global defaults, inherited by every jail section below.
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 21600
findtime = 86400
maxretry = 10
backend = auto
usedns = warn
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
# Multi-line actions must have their continuation lines indented, or fail2ban will not parse the file.
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s

# One section per watched service. The section name becomes %(__name__)s in the action;
# it is named after the filter here for clarity.
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http
maxretry = 10
Note: An extended and annotated version of the jail.conf configuration file is found in our forum.
Enable (true) or disable (false) each jail as needed by editing the configuration file. Again, anything already being watched by CSF/LFD should be disabled, or purged from jail.conf entirely. More sample jails are found in the longer annotated file in our forum.
In addition to editing the jail.conf file, the /etc/fail2ban/filter.d folder contains the configuration files (.conf files) needed for each filter. The jail.conf file only tells fail2ban which log to watch and how to ban; the patterns that recognise a failed login live in these filter files. The filters are outside the scope of this installation guide, but need to be mentioned. By default, the folder contains a number of files for Apache, Courier, Webmin, etc. Others are not included, and will need to be added. Refer to those guides, either here at The Digital FAQ or elsewhere.
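The two mistakes this section warns about (leaving a jail enabled for a service CSF/LFD already covers, and enabling a jail whose filter file does not exist in filter.d) are easy to check for before restarting. The script below is an added example, not code from the article, fail2ban or ConfigServer. It parses jail.conf with Python’s configparser (interpolation off, because fail2ban’s %(__name__)s placeholders are not configparser syntax), lists the enabled jails and reports the overlaps and missing filters. The sample jail.conf, the filter list, and the CSF_JAIL_NAMES / CSF_PORTS sets are constructed assumptions; the article only names ssh as the service CSF/LFD protects, so extend the sets to match your own CSF configuration.

```python
"""Audit a fail2ban jail.conf for overlap with CSF/LFD and for missing filters.

Added example (not from the article, fail2ban or CSF). The sample config and
filter list are constructed so the script runs offline; swap in
load_jails_file() and installed_filters() to audit a real server.
"""
import configparser
import os

# Jail names and ports to leave to CSF/LFD. The article names ssh only; the
# rest of these entries are assumptions, so extend them to match your CSF setup.
CSF_JAIL_NAMES = {"ssh", "sshd", "ssh-iptables", "ssh-ddos"}
CSF_PORTS = {"22", "ssh"}

# Constructed jail.conf for this example, not a copy of any server's file.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 21600
findtime = 86400
maxretry = 10
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
action = %(action_)s

[ssh-iptables]
# shipped enabled by the upstream file; CSF/LFD already watches ssh
enabled = true
filter  = sshd
port    = ssh
logpath = /var/log/secure

[wordpress]
enabled = true
filter  = wordpress
port    = http,https
logpath = /var/log/messages

[exim]
enabled = true
filter  = exim
port    = smtp
logpath = /var/log/exim_mainlog

[apache-auth]
enabled = false
filter  = apache-auth
port    = http,https
logpath = /var/log/httpd/error_log
"""


def load_jails(text):
    """Parse jail.conf text; strict=False tolerates duplicated keys or sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def load_jails_file(path="/etc/fail2ban/jail.conf"):
    with open(path, encoding="utf-8") as fh:
        return load_jails(fh.read())


def installed_filters(filter_dir="/etc/fail2ban/filter.d"):
    """Filter names present on disk: filter.d/<name>.conf -> <name>."""
    return {f[:-5] for f in os.listdir(filter_dir) if f.endswith(".conf")}


def enabled_jails(cp):
    """Section names (DEFAULT excluded) whose enabled value is true."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def overlaps_csf(cp, jail):
    """True when the jail name or any of its ports is on the CSF/LFD list."""
    ports = [p.strip().lower() for p in cp.get(jail, "port", fallback="").split(",")]
    return jail.lower() in CSF_JAIL_NAMES or any(p in CSF_PORTS for p in ports)


def audit(cp, available_filters):
    """Return human-readable problems for every enabled jail; empty means clean."""
    problems = []
    for jail in enabled_jails(cp):
        if overlaps_csf(cp, jail):
            problems.append(f"{jail}: enabled, but CSF/LFD already protects this "
                            f"service; set enabled = false or remove the section")
        filt = cp.get(jail, "filter", fallback=None)
        if filt is None:
            problems.append(f"{jail}: no filter set")
        elif filt not in available_filters:
            problems.append(f"{jail}: filter '{filt}' has no filter.d/{filt}.conf; "
                            f"add one before enabling this jail")
        if not cp.get(jail, "logpath", fallback=""):
            problems.append(f"{jail}: no logpath set")
    return problems


if __name__ == "__main__":
    cp = load_jails(SAMPLE_JAIL_CONF)
    print("enabled jails:", enabled_jails(cp))
    for problem in audit(cp, {"wordpress", "sshd", "apache-auth"}):
        print("PROBLEM:", problem)
```

On the constructed config the audit reports the ssh-iptables jail (it overlaps CSF/LFD) and the exim jail (no exim filter file in the available set); the wordpress jail passes. Run it against the real files with `audit(load_jails_file(), installed_filters())` before `service fail2ban restart`.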
Customizing fail2ban to Block IPs
The default ban setting for fail2ban is too short. It’s easy for malicious users to bypass fail2ban by attempting logins at longer intervals. By default, fail2ban monitors for only 10 minutes, and bans for only 10 minutes. Quite a few script kiddies set the retries for 11 minutes because of it.
The two settings that matter are bantime and findtime.
- Bantime is, as the name suggests, how long a ban lasts.
- However, findtime is just as important. This is the window of time that fail2ban tracks failed login attempts. If it’s only set to 600 (10 minutes), then all a malicious user has to do is wait 11 minutes — and many do!
As far as I’m concerned, a fairly aggressive setting of 24 hours (86400) — combined with 10 login attempts allowed — seems fine. Ban time should be just as aggressive — a minimum of 6 hours (21600).
It’s not likely that I’ll forget the password to my own sites 10 times. But even if I do, the ignoreip can be set to my home, office, or VPS/dedicated server IPs.
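To see why findtime matters as much as bantime, it helps to replay fail2ban’s counting rule (ban once maxretry failures fall inside the last findtime seconds) over some log lines. The simulation below is an added example, not code from the article or from fail2ban. It feeds constructed WordPress login-failure lines (the line shape is modelled on the WordPress fail2ban plugin’s syslog message and is an assumption; the TEST-NET addresses and the YEAR constant are constructed too) through a parser and a sliding-window counter, and compares the default findtime of 600 with the 86400 recommended above.

```python
"""Sliding-window ban simulation for fail2ban's findtime / maxretry / bantime.

Added example, not code from the original article or from fail2ban itself.
Shows why an attacker who retries every 11 minutes never trips findtime = 600
but does trip findtime = 86400, while a fast attacker is caught either way.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2013  # syslog lines carry no year; assumed here so timestamps can be parsed

# Line shape assumed for this example (modelled on the WordPress fail2ban
# plugin's syslog message); the real filter.d regex on your server may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\(\S+\)\[\d+\]: "
    r"Authentication failure for \S+ from (?P<ip>[\d.]+)$"
)


def make_line(seconds_offset, ip, user="admin"):
    """Build one constructed log line at 2013-01-10 00:00:00 plus seconds_offset."""
    ts = datetime(YEAR, 1, 10) + timedelta(seconds=seconds_offset)
    return (f"{ts.strftime('%b %d %H:%M:%S')} web1 wordpress(example.com)[4242]: "
            f"Authentication failure for {user} from {ip}")


# Constructed sample log (TEST-NET documentation addresses, not real hosts):
#  - 203.0.113.7 tries once every 11 minutes (660 s), 12 times: the "wait 11 minutes" pattern
#  - 198.51.100.9 tries 10 times inside three minutes, starting at 30 minutes
SAMPLE_LOG = ([make_line(660 * i, "203.0.113.7") for i in range(12)]
              + [make_line(1800 + 18 * i, "198.51.100.9") for i in range(10)])


def parse_failures(lines):
    """Return [(unix_time, ip), ...] for every line matching LINE_RE."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts.timestamp(), m["ip"]))
    return events


def simulate(events, findtime, maxretry, bantime):
    """Apply fail2ban-style counting; return {ip: [ban_start_unix_time, ...]}."""
    recent = defaultdict(list)   # per-IP failure times still inside the window
    banned_until = {}            # ip -> unix time at which the ban expires
    bans = defaultdict(list)
    for t, ip in sorted(events):
        if t < banned_until.get(ip, 0):
            continue  # a banned IP is dropped by iptables, so nothing reaches the log
        # keep only failures newer than (now - findtime), then add this one
        recent[ip] = [x for x in recent[ip] if x > t - findtime] + [t]
        if len(recent[ip]) >= maxretry:
            bans[ip].append(t)
            banned_until[ip] = t + bantime
            recent[ip] = []
    return dict(bans)


def count_bans(log_lines, findtime, maxretry, bantime=21600):
    """Number of bans per IP for the given jail settings."""
    events = parse_failures(log_lines)
    return {ip: len(b) for ip, b in simulate(events, findtime, maxretry, bantime).items()}


if __name__ == "__main__":
    print("findtime=600   :", count_bans(SAMPLE_LOG, findtime=600, maxretry=10))
    print("findtime=86400 :", count_bans(SAMPLE_LOG, findtime=86400, maxretry=10))
```

With findtime = 600 only the fast attacker is banned; the slow one always has exactly one failure inside the 10-minute window. With findtime = 86400 both are banned, the slow attacker on its 10th attempt, after which its remaining tries are dropped for the 6-hour bantime.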
After everything is set, it’s time to restart fail2ban, as well as make it run at startup.
chkconfig fail2ban on
service fail2ban restart
… and the server response should be:
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
That’s it! Congratulations, it’s now installed.
Once fail2ban is installed and configured — complete with the filter configurations — it can be set to block brute force traffic to applications like WordPress, or to prevent spam to something like Exim. And when CSF/LFD is present, it simply has to not conflict, which is easy to do.
Now go block some junk traffic!
This guide was made possible due to the quality servers at EuroVPS and Veerotech. That’s where we frequently test panels, Windows/Linux OS, and various server software. They both have excellent support, and are highly recommended by the staff at The Digital FAQ. To us, support speed and quality is one of the most important factors of having a host. You’ll find our full list of suggested hosts in the forum.
- How to Install fail2ban with CSF/LFD in cPanel, Part 1 (Install)
- How to Install fail2ban with CSF/LFD in cPanel, Part 2 (Configure)
Copyright Notice: All guides, articles and editorials found on digitalFAQ.com are copyright by The Digital FAQ and/or the respective authors. Articles may not be copied, borrowed, full-quoted or reproduced in any manner, online or in print, which includes blogs and forums, without the written email consent of Site Staff (which may or may not be given, for free or fee). Know that digitalFAQ.com staff does routinely monitor online plagiarism, and we do send takedown notices to site admins and/or web hosts (DMCA et al legal actions) as is necessary. If you would like for others to read articles found on The Digital FAQ, simply link to our content. (Note: Printouts for personal use is specifically allowed.)