1

I'm looking to secure my server. Initially my first thought was to use iptables, but then I also learnt about Fail2ban. I understand that Fail2ban is based on iptables, but it has the advantage of being able to ban IPs after a number of attempts.

Let's say I want to block FTP completely:

  1. Should I write a separate iptables rule to block FTP, and use Fail2ban just for SSH?
  2. Or instead simply put all rules, even the FTP blocking rule, within the Fail2ban config?

Any help on this would be appreciated.

James

kasperd
  • 31,086
Jimmy
  • 279

4 Answers

3

If you want to block FTP completely, the easiest and most secure way to do it is to simply disable the FTP daemon. However, if you want to secure FTP from the Internet you should use fail2ban, which extends iptables functionality and enables you to block specific, suspicious IPs. If you intend to use FTP locally and block it from the Internet, then you should use iptables.

2

To answer your specific questions.

  • If you have no use for FTP then you shouldn't install any ftp daemons.
  • SFTP is part of sshd; you can configure sshd to disable it
    • Comment out its directive, e.g. # Subsystem sftp /usr/lib/openssh/sftp-server in /etc/ssh/sshd_config
  • Use iptables policy to help you - make the POLICY DROP.
  • Fail2ban is only useful for blocking persistent 'offenders'.

To answer your more generic question, Scott Pack wrote an excellent answer to Tips for Securing a LAMP Server which, even if your server isn't specifically LAMP (or similar), will have information that you will find useful. Scott also published this excellent blog post on iptables just today. You have a lot of reading to get through.

user9517
  • 117,122
1

Fail2Ban is aimed at banning IPs after a (configured) number of wrong tries to access an open service. So if you want to block FTP for outside networks you should use iptables. But if you want to completely block FTP, you can always stop the service itself.

kasperd
  • 31,086
Zied
  • 111
1

To block completely you want iptables, not fail2ban. Fail2ban is only for blocking sites that trigger malicious-activity detection.

  • Put fail2ban on your services that you must have open to the internet (e.g. SSH in your question)
  • Put iptables blocks on any service you want active internally only and blocked otherwise (e.g. FTP in your question)
  • Also put iptables rules on services you use from specific IP addresses only

You can just change your default port for things like SSH which will block 99.999% of all scans and hack attempts. If your SSH is on a non default port then when you detect malicious activity you can assume it's actually serious.
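The layering that user9517's answer (default DROP policy) and the answer above (fail2ban for the Internet-facing SSH service, iptables for an internal-only FTP service) describe, written out as an added example. This is not code from the original thread or from any of the answerers. It generates an iptables-restore ruleset and a minimal fail2ban jail.local rather than applying them, so it can be reviewed first; the internal network 10.0.0.0/8, the ban timings and the use of the conntrack match are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits configuration text
# only; applying it requires root and a review of the output first.

# generate_ruleset INTERNAL_CIDR
# Prints an iptables-restore compatible filter table: default DROP on INPUT,
# SSH open to the world (fail2ban sits on top of it), FTP control port only
# from the assumed internal network. Everything else falls to the policy.
generate_ruleset() {
    internal="${1:-10.0.0.0/8}"   # assumption: the internal network range
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and packets belonging to flows we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH must be reachable from the Internet; fail2ban bans repeat offenders
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FTP control port only from the internal network; no rule for the Internet,
# so outside connections are dropped by the INPUT policy
-A INPUT -p tcp --dport 21 -s ${internal} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# generate_jail INTERNAL_CIDR
# Prints a minimal fail2ban jail.local that watches sshd only and never bans
# the internal network (timings in seconds; values are assumptions).
generate_jail() {
    internal="${1:-10.0.0.0/8}"
    cat <<EOF
[DEFAULT]
ignoreip  = 127.0.0.1/8 ${internal}
bantime   = 3600
findtime  = 600
maxretry  = 5
banaction = iptables-multiport

[sshd]
enabled = true
port    = ssh
EOF
}

# world_open_ports INTERNAL_CIDR
# Review helper: lists destination ports that are accepted without a source
# (-s) restriction, i.e. exposed to the whole Internet. Should print only 22.
world_open_ports() {
    generate_ruleset "$1" \
        | grep -- '--dport' \
        | grep -v -- ' -s ' \
        | sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

# Usage, as root, after reading the generated text:
#   generate_ruleset 10.0.0.0/8 | iptables-restore --test \
#     && generate_ruleset 10.0.0.0/8 | iptables-restore
#   generate_jail 10.0.0.0/8 > /etc/fail2ban/jail.local && systemctl restart fail2ban
if [ "${1:-}" = "print" ]; then
    generate_ruleset "${2:-10.0.0.0/8}"
    echo
    generate_jail "${2:-10.0.0.0/8}"
    echo "# ports open to the world:"
    world_open_ports "${2:-10.0.0.0/8}"
fi
```

The point of world_open_ports is the check a practitioner runs after every firewall change: with a DROP policy, the list of ports accepted without a source restriction is exactly the attack surface fail2ban has to watch, and on a server that only needs remote administration it should contain SSH and nothing else.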