
This is an old revision of the document!


Systems - Media Server - Secure the Server

Various security enhancements.


Install fail2ban

Update the system:

sudo apt update && sudo apt upgrade

Install Fail2Ban

sudo apt install fail2ban

Configure Fail2Ban

The default configuration is defined in /etc/fail2ban/jail.conf.

WARNING: The default values may change with package updates, so do not edit jail.conf directly. To change settings, create a jail.local file and put your overrides there.

Here are salient lines from the default configuration:

/etc/fail2ban/jail.conf
# line 87 : ignore your own local IP
#ignoreself = true
 
# line 92 : possible to add ignored networks
#ignoreip = 127.0.0.1/8 ::1
 
# line 101 : number of seconds that a host is banned
# - 1m ⇒ 1 minute
# - 1h ⇒ 1 hour
# - 1d ⇒ 1 day
# - 1mo ⇒ 1 month
# - 1y ⇒ 1 year
bantime  = 10m
 
# line 105 : A host is banned if it has generated "maxretry" failures during the last "findtime"
findtime  = 10m
 
# line 108 : "maxretry" is the number of failures before a host gets banned
maxretry = 5
 
# line 178 : destination email address if enabling email notification
destemail = root@localhost
 
# line 181 : sender address if enabling email notification
sender = root@<fq-hostname>
 
# line 263 : default action
# - %(action_)s ⇒ ban only
# - %(action_mw)s ⇒ ban and email notification (includes Whois info)
# - %(action_mwl)s ⇒ ban and email notification (includes Whois info and logs)
action = %(action_)s

Override the default values

As root, create a /etc/fail2ban/jail.local file.

/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 1d
findtime  = 5m
maxretry = 5
destemail = root@localhost
sender = root@mediaserver
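
The following is an added example, not part of the original page or of the Fail2Ban project: a simplified sliding-window model of the findtime / maxretry / bantime rule, run over constructed failure timestamps to compare the jail.conf defaults with the jail.local override above. The IP addresses (documentation ranges) and the `seconds` and `simulate` helpers are hypothetical, and only the s/m/h/d duration suffixes are parsed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified duration parser: only the s/m/h/d suffixes (assumption).
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert '10m', '1d' or a bare number of seconds to an int."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]

# Constructed sample of failed logins (timestamp, source IP), time-ordered.
# 203.0.113.7 fails every 2 minutes; 198.51.100.23 fails every 10 seconds.
FAILURES = (
    [(f"2025-05-30T19:{m:02d}:00", "203.0.113.7") for m in range(0, 10, 2)]
    + [(f"2025-05-30T19:10:{s:02d}", "198.51.100.23") for s in range(0, 50, 10)]
)

def simulate(failures, findtime, maxretry, bantime):
    """Return [(ip, banned_at, unbanned_at)] for a time-ordered failure list."""
    find, ban = seconds(findtime), timedelta(seconds=seconds(bantime))
    recent, banned_until, bans = defaultdict(deque), {}, []
    for stamp, ip in failures:
        now = datetime.fromisoformat(stamp)
        if now < banned_until.get(ip, datetime.min):
            continue  # still banned: the firewall rule would drop this host
        hits = recent[ip]
        hits.append(now)
        while (now - hits[0]).total_seconds() > find:
            hits.popleft()  # forget failures older than findtime
        if len(hits) >= maxretry:
            banned_until[ip] = now + ban
            bans.append((ip, now, now + ban))
            hits.clear()
    return bans

if __name__ == "__main__":
    for label, cfg in (("jail.conf defaults", ("10m", 5, "10m")),
                       ("jail.local override", ("5m", 5, "1d"))):
        print(label)
        for ip, start, end in simulate(FAILURES, *cfg):
            print(f"  {ip} banned {start} -> {end}")
```

In this model the source that fails every 2 minutes is banned under the 10m default findtime but not under the 5m override, while the fast source is banned under both and stays banned for a day with the override. Shortening findtime narrows what counts as a burst, so weigh it together with the longer bantime.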

Restart Fail2Ban

sudo systemctl restart fail2ban

Verify Fail2Ban

sudo systemctl status fail2ban

returns:

fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-05-30 19:38:01 UTC; 6s ago
       Docs: man:fail2ban(1)
   Main PID: 3108 (fail2ban-server)
      Tasks: 5 (limit: 154383)
     Memory: 18.8M (peak: 19.8M)
        CPU: 110ms
     CGroup: /system.slice/fail2ban.service
             └─3108 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 30 19:38:01 mediaserver systemd[1]: Started fail2ban.service - Fail2Ban Service.
May 30 19:38:02 mediaserver fail2ban-server[3108]: 2025-05-30 19:38:02,022 fail2ban.configreader   [3108]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
May 30 19:38:02 mediaserver fail2ban-server[3108]: Server ready

systems/media_server/secure_the_server.1748633925.txt.gz · Last modified: 2025/05/30 19:38 by peter
