Fail2ban Essentials

Hi Guys,

I’m new to Linux and have an Ubuntu 22.04 Linode via learnlinux.tv

I’m enjoying my learning journey.

I have only 2 things running on my Linode: Apache (no WordPress) and fail2ban.

I have set up jails with fail2ban for ssh and all the Apache-associated jails, 10 in total, and all appears to be running well.

I apologise in advance; I know my question will seem naive, but “if you don’t know”, the answer is valuable.

I would be grateful to hear what jails, apart from the ones I’ve mentioned, you would consider essential for me to enable.

I’m no Linux admin, but my thought process is: if those are all the services that are listening, then that is all you can secure. You can check what ports are listening with

ss -tulpn

This should list every port that your server is listening on. If you don’t know what it is, Google is usually pretty good for letting you know what the port is used for. But more importantly, if you don’t know what it is used for, you probably shouldn’t have it exposed to the public to begin with.

I would enable the firewall and only expose ports that you want exposed. It’s much safer to block all connections than to rely on fail2ban. If this is the path you choose, create the firewall rules first, before enabling it. You can lock out your ssh port and not be able to reconnect (ask me how I know).

1 Like
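The listening-socket check described in the post above, as an added example (shell; not code from the original post): a small script that parses `ss -tulpn` output, separates loopback-only sockets from those reachable from outside, and flags any public listener whose port is not on an allow list. The `ss` output is a constructed sample in the format Ubuntu 22.04 prints; the redis row in it is made up purely to show what an unexpected public listener looks like. On the real host you would pipe `sudo ss -tulpn` into the same functions.

```shell
#!/bin/sh
# Added example: classify the sockets reported by `ss -tulpn`.
# SAMPLE_SS is constructed; the redis-server row is invented to show a hit.
# Note: on a LISTEN row, Send-Q is the accept-queue size (backlog, e.g. 4096),
# not a count of traffic sent.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=14))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511    *:80               *:*               users:(("apache2",pid=900,fd=4),("apache2",pid=871,fd=4))
tcp   LISTEN 0      511    *:443              *:*               users:(("apache2",pid=900,fd=6),("apache2",pid=871,fd=6))
tcp   LISTEN 0      4096   0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=950,fd=6))'

# classify_listeners: read ss -tulpn output on stdin and print one line per
# listening socket: "proto port address scope process". scope is
#   local  - loopback only, unreachable from the network
#   all    - bound to every interface (0.0.0.0, * or [::])
#   bound  - bound to one specific address
classify_listeners() {
  awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
    la = $5
    sub(/%[A-Za-z0-9]+/, "", la)                 # drop the %lo interface scope
    n = split(la, parts, ":")
    port = parts[n]                              # text after the last colon
    addr = substr(la, 1, length(la) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]") scope = "local"
    else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all"
    else scope = "bound"
    name = "?"
    if (match($7, /"[^"]+"/)) name = substr($7, RSTART + 1, RLENGTH - 2)
    print $1, port, addr, scope, name
  }'
}

# unexpected_public "22 80 443": print every listener reachable from the
# network whose port is not in the allow list. Anything printed here is either
# a service to stop or a port the firewall must block.
unexpected_public() {
  allowed=" $1 "
  classify_listeners | while read -r proto port addr scope name; do
    [ "$scope" = "local" ] && continue
    case "$allowed" in *" $port "*) continue ;; esac
    echo "$proto $port $addr $name"
  done
}

# Demonstration on the constructed sample. Real host: sudo ss -tulpn | unexpected_public "22 80 443"
printf '%s\n' "$SAMPLE_SS" | classify_listeners
printf '%s\n' "$SAMPLE_SS" | unexpected_public "22 80 443"
```

The two sshd rows come out as port 22 on `0.0.0.0` and `[::]`, i.e. the same daemon on IPv4 and IPv6, and the only line from `unexpected_public` is the invented redis socket.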

Hi, thanks for your reply.
I watched Jay’s video on setting up a firewall and followed the instructions, so that’s done.

I ran ss -tulpn
I have included a screenshot of the result; I’ll now have to work out what it means and if there is something I need to do.

thanks for your help

The local address of 127.0.0.53 is a loopback address. It’s listening on port 53 for localhost DNS queries that might have been entered in your /etc/hosts file. Unless you want to set up your server as a DNS server, you can safely block port 53 without affecting your machine.

SSH is port 22. I’m not sure why there are 2 ssh instances listed. As far as I know it only uses the one port. Someone with more experience might know the reason for this?

http is port 80 and https is port 443. These are the ports that apache is listening on. These are where your web content is being served from. It looks like you have everything covered. I would only open port 22, 80, and 443 through your firewall. The fail2ban/jails should police those 3 ports.

As a side note, if anyone else knows… Is the port being listed as the service name a new thing in Ubuntu 22.04? Most of my experience has come from Ubuntu 20.04, and I’ve only seen the actual port numbers listed by ss.

1 Like

Thank you so much for your explanation; you have put my mind at peace.

My firewall is set to allow ports 22, 80 and 443 only; at least I’ve done something right.
I have 2 IP addresses listed in my firewall to be allowed ssh access, for 2 different IPs I use.

If you don’t mind me asking, I’m not sure what 4096 is, or whether it’s okay to be there?

Thanks again for your help

I honestly don’t know what that is. My 2 minute google search indicates that it may be related to data packet flow control. Maybe priority? It shouldn’t affect your security at all.

1 Like

Thank you very much for all your help…

Usually the process column shows you what binary is occupying the port. If you don’t use the -n option in ss (i.e. ss -tulp), you will get the names instead of the port numbers.

It’s under the Send quantity, so probably packets. Don’t mind it, that number will go up. What matters is the address it is bound on, the port and what peers are allowed to connect to it.

Look at the IP it is listening on. One is 0.0.0.0:22, the other one is [::]:22. SSH is listening on both IPv4 and IPv6. So do http and https, but unlike SSH, it doesn’t split itself into 2 processes; it just does one process listening on all IPs on all interfaces on port 22.

To make anything technically a bit more secure, you could bind a specific IP address, instead of listening on everything. So instead of 0.0.0.0 or *, you would bind to, say, 100.100.200.52 on port 22 and the service itself will only listen on that IP address. If you have multiple IP addresses, it won’t listen to the other ones. That is usually how it’s done in the enterprise, you set a service on a private IP address, like SSH on a management IP, but not on the public facing IP address that anyone could potentially connect to if your firewall somehow malfunctions or is compromised.

2 Likes
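The bind-to-one-address advice above, as an added example that is not part of the original post: a shell script that renders an sshd_config drop-in with ListenAddress lines for a management address, and prints the ufw rules in a lock-out-safe order (default policy and allow rules first, `ufw enable` last), with port 22 restricted to the two admin source addresses the earlier post mentions. Every address here is an assumed placeholder from the documentation ranges. On a Linode with a single public IP, ListenAddress on its own buys nothing (there is no other address to leave out); the source restriction does the real work unless a private or VPN address is available to bind to.

```shell
#!/bin/sh
# Added example: bind sshd to one address and restrict the firewall to the
# two admin source addresses. All addresses are placeholders (RFC 5737
# documentation ranges), not real ones.
MGMT_IP="192.0.2.10"                      # assumed: address sshd should listen on
ADMIN_SRC="198.51.100.7 203.0.113.42"     # assumed: the two IPs allowed to ssh in

# render_sshd_dropin ADDR...: print a drop-in for /etc/ssh/sshd_config.d/.
# Ubuntu 22.04's stock sshd_config includes that directory. Each ListenAddress
# line replaces the default of listening on 0.0.0.0 and [::], so after a
# restart `ss -tulpn` shows sshd only on the given address(es).
render_sshd_dropin() {
  echo "# Listen only on the management address(es); verify with ss -tulpn"
  for a in "$@"; do
    echo "ListenAddress $a:22"
  done
}

# ufw_plan ADDR SRC...: print ufw commands in a safe order: policies, every
# allow rule, and `ufw enable` last, so enabling never locks out ssh.
ufw_plan() {
  addr=$1; shift
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for src in "$@"; do
    echo "ufw allow from $src to $addr port 22 proto tcp"
  done
  echo "ufw allow 80/tcp"
  echo "ufw allow 443/tcp"
  echo "ufw enable"
}

# Render into a scratch directory so this runs anywhere. On the real host the
# target file is /etc/ssh/sshd_config.d/10-listen.conf; then run `sudo sshd -t`
# (syntax check) and `sudo systemctl restart ssh` from a session you can afford
# to lose, keeping a second session open until the new address is confirmed.
OUT=$(mktemp -d)
render_sshd_dropin "$MGMT_IP" > "$OUT/10-listen.conf"
# $ADMIN_SRC is intentionally unquoted so each address becomes one argument.
ufw_plan "$MGMT_IP" $ADMIN_SRC > "$OUT/ufw-plan.sh"
cat "$OUT/10-listen.conf" "$OUT/ufw-plan.sh"
```

The generated ufw plan is meant to be read and then run line by line with sudo; `ufw enable` is deliberately the final line.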

I am so embarrassed. I should have recognized that. Thank you for the clarification.

1 Like

Thank you for the welcome advice; I will have to look at how to do that and just use one IP address for ssh…