Protect public Linux servers with fail2ban

Do you have public facing Linux servers?

Of course you do. Who doesn’t!?!? Why else would you be here?

I’m not a big fan of security through obscurity, so I need (we all need) a way to protect our known public ports.

I know, iptables or any of its derivatives is always there, but what about that one port that must stay open and accessible? After all, if you didn’t need a public facing service, you wouldn’t make it public, would you?

fail2ban to the rescue

fail2ban is a very useful utility that watches log files and creates rules on your firewall to block addresses that keep failing authentication. It can be used with any service that writes a log file. As an example I will use SSH.

How To

Installation

Installation of fail2ban is as easy as it gets. Just make sure your repositories are up to date and do a yum install fail2ban or apt-get install fail2ban.

Configuration

The first step to configure fail2ban is to copy its config file to a .local file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

fail2ban configuration should be done only in the new .local file (jail.conf gets replaced when the package is upgraded).

In the jail.local file, let’s search for the section [ssh] or [ssh-iptables], depending on whether you use a Debian based or Red Hat based distro.

Make sure that it is enabled and the log file is pointing to the right location.

We can also set the ban duration and the number of tries before banning. I like to ban for 1 hour (value in seconds) after 5 failed tries.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
banaction = iptables-allports ; ban the address on every port, not just ssh
bantime = 3600 ; address is banned for 1 hour (value in seconds)
maxretry = 5 ; allow an address 5 failed attempts before banning

With the configuration done, let’s start the service and see it in action.

Seeing it all come together

If you have anyone testing your defences you should see fail2ban in action very fast. Just do a count of the lines in auth.log with failed attempts, like so:
grep 'sshd.*Failed' /var/log/auth.log | wc -l
Then follow up with a listing of your iptables rules with iptables -L; banned addresses show up in the chain fail2ban adds.
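The counting described above, as an added example that is not part of the original post: a small POSIX shell script that tallies failed SSH logins per source address from auth.log-style lines, which is essentially what fail2ban's sshd filter does before it reaches maxretry and bans. The log lines are constructed for the example, using documentation address ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): tally failed SSH logins per source address
# from auth.log-style lines. The log text and the 203.0.113.x / 198.51.100.x
# addresses are constructed (documentation ranges), not taken from a real box.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 box sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 box sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:05 box sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:07 box sshd[1237]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  1 10:00:09 box sshd[1238]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  1 10:00:11 box sshd[1239]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:13 box sshd[1240]: Failed password for deploy from 198.51.100.7 port 40002 ssh2'

# count_failed: number of failed-password lines on stdin (what the wc -l above gives)
count_failed() {
    grep -c 'sshd.*Failed'
}

# offenders MAXRETRY: addresses on stdin whose failure count reached MAXRETRY,
# printed one per line as "ADDRESS COUNT" (the ones fail2ban would ban)
offenders() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$1" '$1 >= max { print $2, $1 }'
}

# Stand-alone run against the sample: one address reaches the post's maxretry = 5
echo "failed attempts: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_failed)"
echo "would be banned (maxretry 5):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 5
```

On a live box the same functions work on the real log, e.g. offenders 5 < /var/log/auth.log, which is a quick way to compare what you expect to be banned with what iptables -L actually shows.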

Wrap up

Very useful tool, this fail2ban. There are many more configurations possible: for other services, for e-mail notifications, for different actions, etc.

This is just a very basic starting point.
Now go explore and stay safe.

Duplicate folder tree in Linux

Quick tip.

This can be very handy when you need to frequently create a folder structure without the files (e.g. project folders or multiple versions of a development area).


Just run:

find <directory> -maxdepth n -type d -exec mkdir -p /where/you/want/{} \;


This is a quick way of doing it and can even be automated.
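The same find + mkdir idea, as an added example that is not part of the original tip: running find from inside the source directory with "." keeps the paths relative, so an absolute source path does not get glued onto the destination. The demo builds a constructed tree under a temporary directory so it runs anywhere; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): copy a directory skeleton, without files,
# using find + mkdir -p. demo_clone builds a constructed sample tree in a temp
# directory, clones it, and reports what landed in the copy.

# clone_tree SRC DEST [MAXDEPTH]: recreate SRC's directories under DEST
clone_tree() {
    depth="${3:-64}"
    # cd first so find emits ./relative paths; {} is then appended to DEST
    ( cd "$1" && find . -maxdepth "$depth" -type d -exec mkdir -p "$2/{}" \; )
}

# demo_clone: build a sample tree, clone it, print "<dirs> <files>" found in the copy
demo_clone() {
    work="$(mktemp -d)"
    mkdir -p "$work/src/app/src/main" "$work/src/app/test" "$work/src/docs"
    : > "$work/src/app/README"            # a file, which must not be copied
    clone_tree "$work/src" "$work/copy" 3
    dirs="$(find "$work/copy" -type d | awk 'END { print NR }')"
    files="$(find "$work/copy" -type f | awk 'END { print NR }')"
    rm -rf "$work"
    echo "$dirs $files"
}

demo_clone   # prints "6 0": copy, app, app/src, app/src/main, app/test, docs
```

Drop the MAXDEPTH argument (or raise it) to copy the whole tree; the README is left behind because only -type d entries are fed to mkdir.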


Get ID from user and group in Linux

Hi everyone,

Sometimes it’s handy to deal with IDs instead of actual names. It makes your commands shorter.
So if you ever need to get the ID of a user or a group in Linux, here are the commands to run:

– id -u USERNAME – gives you the user ID of USERNAME;
– id -a USERNAME – gives not only the ID of the user, but also all the groups the user is part of;
– id -g USERNAME – gives the ID of the user’s primary group;
– id -G USERNAME – gives you the IDs of all groups the user is a member of;

If you just want to know the ID of a group, then just run:

grep GROUPNAME /etc/group

The third item of the colon(:) separated string is the group ID.

And there you have it.
Now you can find out every user and group ID.

Enjoy.

Unmount busy drives

For anyone that has CIFS shares mounted on a Linux machine, sooner or later you will get an error saying that you cannot unmount a drive because it is busy.
So how do we find out what process is keeping that drive busy?
Simple. Just type on the console or X terminal:

lsof +D /path/to/mountpoint

This command returns the command name and process ID of any task currently accessing the mount point, so you can stop that process and then unmount.

Mounting CIFS Share with specific user and group in Linux

Working with Linux in a Microsoft environment is not always easy.
Even a simple share can be tricky. Luckily, there’s always a solution with Linux.

In the scenario where a Windows share is needed, running “mount” with CIFS is no surprise; however, if the Linux mount point has to be made available to a specific user, then it’s necessary to pass the options for the local user and group that will own the mount point being created.

Ex.: (as root or with sudo)
mount -t cifs -v //IP_or_DNS_name/Share_Name /mnt/Local_Folder -o user=ShareAuthUser,pass=ShareAuthUserPW,domain=ShareAuthUserDomainOrLocalMaShareMachine,uid=LinuxUID,gid=LinuxGID

Keep in mind that a password typed on the command line ends up in your shell history and is visible in the process list while mount runs; mount.cifs also accepts a credentials= option pointing to a root-only readable file.

Using the above command will mount the CIFS share under /mnt/Local_Folder, but will do it making the given Linux user and group the owners of that mount point.

This is very useful when you need to back up Linux files or databases (that only a service user can access) but the backup server is Windows based. So one makes a backup to a folder that happens to be a CIFS share, and the Windows machine can back up that folder.

Hope it helps.

Linux quick tip: List of recent commands

Hello everyone,


Here’s a quick tip for the newcomers on the wonders of the Linux shell.

Whether you know you’ve typed a command and forgot which, or simply need a list of all that was executed (very useful to back trace your steps!!), there’s a command that helps you.

The command is “history” and it shows a list of recent commands.

You can also combine it with grep or awk to search for a specific command.


For example:

history | grep fdis
which lists every recorded command line containing fdis (fdisk, for instance).


Enjoy.

Linux – What distro am I using?

Let’s say you’ve been given access to a Linux machine (SSH or any other plain terminal), but you have no idea which distro or version you are dealing with.

Even though Linux is mostly the same everywhere, there are some differences. So, to find out, here are a couple of commands that can be useful.

head -n1 /etc/issue
and
uname -a

Note that the first command can be deceiving: /etc/issue is a text file that can be altered.
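As an added example, not part of the original tip: most current distros also ship /etc/os-release, a KEY="value" file with the distro name and version. The script below parses it with sed instead of sourcing it, so an altered file cannot run commands in your shell. It is still just a text file, so the same caveat as /etc/issue applies; uname reports the running kernel, which is harder to fake. The sample os-release text is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): read the distro name and version from
# os-release style text on stdin. Values are parsed, never sourced.
# SAMPLE_OS_RELEASE is a constructed sample, not copied from a real system.
SAMPLE_OS_RELEASE='NAME="Debian GNU/Linux"
VERSION_ID="12"
ID=debian
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"'

# osrel_value KEY: print the value of KEY from os-release text on stdin,
# with surrounding double or single quotes removed (empty if KEY is absent)
osrel_value() {
    sed -n "s/^$1=//p" | head -n 1 \
      | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# distro_summary: "PRETTY_NAME (kernel release)" for the os-release text on stdin
distro_summary() {
    pretty="$(osrel_value PRETTY_NAME)"
    printf '%s (kernel %s)\n' "${pretty:-unknown distro}" "$(uname -r)"
}

# Stand-alone run: the constructed sample first, then the real file if present
printf '%s\n' "$SAMPLE_OS_RELEASE" | distro_summary
[ -r /etc/os-release ] && distro_summary < /etc/os-release
```

On a real box, osrel_value ID < /etc/os-release gives the short distro name (debian, ubuntu, centos, ...), which is handy for scripts that must pick apt-get or yum.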
Enjoy.

Find out your Linux box CPU and RAM specs

If you use Linux and, for whatever reason, you don’t “remember” the CPU model or clock speed, or you need to buy more RAM but don’t know what type, here are a couple of commands you can use to find that info.

CPU: less /proc/cpuinfo
RAM: sudo dmidecode --type memory | less

Who’s listening

When you want to find out which port a service is running on, there’s a nice command to help you.

It’s called netstat and it’s available on Windows and Linux.

Here’s a couple of usage examples:

  • Find who’s connected to your port 25 (usually the SMTP server):
      Windows: netstat -ano | findstr :25 | findstr ESTABLISHED
      Linux:   netstat -ano | grep :25 | grep ESTABLISHED
  • Find what ports are listening:
      Windows: netstat -ano | findstr LISTENING
      Linux:   netstat -ano | grep LISTEN

You can use many combinations of this command with regular expression filters to get what you need. This is a great tool to find which ports are being used and from where.

Enjoy.

Mount NTFS partition in Ubuntu

This is a useful tip for dual booters, or to use NTFS formatted external hard drives.

Here are the steps:

1. Create a folder

# mkdir /media/disk

2. Attribute full permissions to the folder

# chmod a=rwx /media/disk

3. Edit fstab and add the following line

/dev/sda1    /media/disk    ntfs auto,rw,umask=000 1 0

After that, just reboot your box.


Note: the device might not be /dev/sda1. Use fdisk -l to find out your device.