Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!

Securing Ubuntu 20.04 LTS Sever with Ferm Firewall and Fail2Ban

profile picture
Author
Maximilian Schumacher
Published
2021-12-01
Time to read
6 minutes reading time

About the author- Linux System Administrator based in Germany

Introduction

In this tutorial you will learn how to secure your server by installing and setting up a firewall using Ferm and Fail2Ban. Ferm is short and means "for easy rule making".

Ferm uses a script like configuration file style which enables you to easily write and manage firewall rules for iptables. For more information on the project and how to write rules please visit the Ferm website.

Fail2Ban is a service which can automatically block connections from IPs on your firewall which are brute-forcing your services. In this tutorial you will learn how to secure your OpenSSH server with Fail2Ban. For more information on Fail2Ban please visit the Fail2Ban website.

Prerequisites

You will need a server running Ubuntu. In this tutorial I will be using Ubuntu 20.04 LTS.

I assume that you are accessing your server via SSH over its default port (22). Within this tutorial you will need to make changes to text files on your system. If you are not familiar with using a text editor on the command line I would recommend you to start with Nano.

To open a file in Nano editor, just type nano <filename>

NOTE: All commands below require that you have root privileges. If you're not logged in as root user please use sudo in front of the commands or switch to root user before starting with sudo su -

Step 1 - Install And Configure Ferm Firewall

In this step we install Ferm and set-up the first configuration which will allow us to access the server over SSH using port 22.

Step 1.1 - Install ferm package

apt install ferm

During the installation Ferm will ask you if you wan't Ferm to be enabled on startup. You can answer this question with yes.

NOTE: This step will automatically start ferm and may block all connections except SSH on port 22

Step 1.2 - Adjust Ferm configuration

Next we are going to setup a basic firewall. Therefore open the main Ferm configuration file with your favorite editor and replace the whole file with the following lines:

nano /etc/ferm/ferm.conf
# basic ferm firewall
domain (ip ip6) {
  table filter {

    # setup INPUT chain
    # this section handles rules for all kinds of incoming IP packages/connections
    # if you want to also allow other ports/services in future
    # you can insert further rules in this section under the last comment below 
    # (see comment "ADDITIONAL INPUT RULES HERE")
    chain INPUT {
      policy DROP;

      # connection tracking
      mod state state INVALID DROP;
      mod state state (ESTABLISHED RELATED) ACCEPT;

      # allow local packet
      interface lo ACCEPT;

      # respond to ping
      proto icmp ACCEPT;

      # allow SSH connections
      proto tcp dport ssh ACCEPT;

      # ADDITIONAL INPUT RULES HERE
      
    }
    
    # setup OUTPUT chain
    chain OUTPUT {
      policy ACCEPT;
    }
    
    # setup FORWARD chain
    chain FORWARD {
      policy DROP;
    }
  }
}

@include ferm.d/;

This configuration will allow any incoming packages for SSH (port 22). Also it will allow incoming packages from established connections. Ping and local traffic is also allowed.

NOTE: This is a stateful firewall. It will use information based on connection tracking tables. Connections once marked as established will be accepted on input until the connection expires or gets closed.

Step 1.3 - Reload firewall

Now after we setup the firewall configuration properly we can load it by restarting the Ferm service.

systemctl restart ferm

Step 1.4 - Updating the firewall (Optional for future use)

If you need to alter your firewall configuration in future, just update the configuration file. Then use the following command to check if there are any syntax errors in your configuration before restarting the firewall:

ferm --noexec /etc/ferm/ferm.conf

If this command does not show any error messages, then your configuration has no syntax errors. You can now safely reload the firewall with the command above (Step 2.4).

Pro-Tip: Reloading the firewall with the following command: ferm --interactive /etc/ferm/ferm.conf will apply the firewall rules and than ask you for confirmation. If you do not confirm (e.g. if you locked out yourself with the new firewall), Ferm will automatically rollback to the old ruleset after 30 seconds.

Step 2 - Install and Configure Fail2Ban

In this step we will install and setup Fail2Ban and configure it to monitor failed SSH authentications and block IP addresses if there were to many failed login attempts within a certain period of time.

apt install fail2ban

After this, Fail2Ban is installed and by default it automatically watches the SSH service for failed authentications/logins. For more information on how to configure Fail2Ban, please refer the Fail2Ban documentation. Also this ubuntu users article on Fail2Ban may be interesting for you.

Pro-Tip: Use the command fail2ban-client in order to query information about blocked IPs and also unban/ban IPs. Here are a few examples of how to use the client: fail2ban-client status sshd fail2ban-client set sshd banip <IP-Address> fail2ban-client set sshd unbanip <IP-Address>

Step 3 - Adjust Ferm configuration to always ensure Fail2Ban rules

As a last step we add a configuration to Ferm which wil ensure that all Fail2Ban rules are loaded, even if you restart or stop Ferm. This is required because Ferm always flushes all rules on restart and stop before adding it's own rules.

Open the file /etc/ferm/ferm.conf and add the following lines on TOP of the file:

nano /etc/ferm/ferm.conf
@hook flush "systemctl restart fail2ban.service";

Now save the file. When you restart or stop Ferm in future it will automatically restart Fail2Ban and cause it to reload it's rules into iptables.

Conclusion

Congratulations! You just installed and configured a Ferm managed firewall and also Fail2Ban service which will now automatically block IP addresses which are trying to brute-force your servers SSH service. For more information on Ferm and Fail2Ban please refer to the articles/links mentioned above.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Report Issue
Try Hetzner Cloud

Get 20€ free credit!

Valid until: 31 December 2024 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more