After setting up fail2ban its time to check which ports are open. Potentially each open port should be protected using fail2ban.
The easiest way to check for open ports on a linux system is using netstat. Execute the following command (as root)
-t: include TCP protocol -u: include UDP protocol -l: show all listening only -p: show programs -e: gives information of the user running the process -n: numeric, do not execute reverse name lookup
The result will look like this:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 6891122 25322/sshd tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 106 6877198 23938/postgres
If local address starts with 127.0.0.1 the process is listening to localhost only, there is no need to protect this service using fail2ban. If the address is listed as 0.0.0.0 the service is listening on all interface – so also on the public IP address. This is a potential candidate to be monitored. Some services might also be configured to listen to one public IP address which is stated then in the local address column. This is a candidate to be protected also.