Protecting servers with fail2ban – analyze services to protect

After setting up fail2ban its time to check which ports are open. Potentially each open port should be protected using fail2ban.

The easiest way to check for open ports on a linux system is using netstat.  Execute the following command (as root)

netstat -tulpen
-t: include TCP protocol
-u: include UDP protocol
-l: show all listening only
-p: show programs 
-e: gives information of the user running the process
-n: numeric, do not execute reverse name lookup

The result will look like this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0    *               LISTEN      0          6891122     25322/sshd      
tcp        0      0*               LISTEN      106        6877198     23938/postgres

If local address starts with the process is listening to localhost only, there is no need to protect this service using fail2ban. If the address is listed as the service is listening on all interface – so also on the public IP address. This is a potential candidate to be monitored. Some services might also be configured to listen to one public IP address which is stated then in the local address column. This is a candidate to be protected also.