- So far our wonderful notification service is available only on a local IP address. What if we wanted to expose it to the internet to reach it from a phone or computer when outside the LAN?
- In that case, we had better do some security hardening first. Let's start by installing fail2ban to deal with repeated failed logins.
Install it and copy the shipped configuration to a local override:

```shell
# Install fail2ban
apt install fail2ban -y

# It's best practice to copy the default jail.conf to jail.local. This way, your
# custom configurations won't be overwritten during Fail2ban updates.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Open the jail.local file for editing:
nano /etc/fail2ban/jail.local
```

Then set the defaults in `jail.local`:

```ini
[DEFAULT]
# "bantime" is the duration for which an IP (or host) is banned.
bantime = 1h

# "findtime" is the time window during which "maxretry" failures must occur
# for a ban to be activated (a plain number is seconds; suffixes such as 10m work too).
findtime = 10m

# "maxretry" is the number of failures before a host is banned.
maxretry = 5

# "ignoreip" can be a list of IPs, CIDR masks or DNS hosts. Fail2ban will not
# ban any host matching the IP (or DNS host) in this list.
# Put your HAProxy internal IP here if it's separate.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8
```
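To make the interaction of the four settings concrete, here is an added example (written for this page, not fail2ban's own code) that replays constructed sshd log lines through a sliding window using the same `bantime`, `findtime`, `maxretry` and `ignoreip` values as above. Assumptions: only `Failed password` lines are matched, durations accept a single unit suffix (s/m/h/d) or plain seconds, the syslog year is fixed to 2024, and a failure arriving while an address is already banned is reported rather than re-counted.

```python
"""Replay of fail2ban-style ban logic (findtime / maxretry / bantime / ignoreip).

Added illustration, not fail2ban's own implementation; the sample log below
is constructed and uses documentation address ranges plus one LAN host.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The values from the jail.local [DEFAULT] section above.
BANTIME = "1h"
FINDTIME = "10m"
MAXRETRY = 5
IGNOREIP = "127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8"

# Constructed sample log, chronological, syslog format (no year).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[100]: Failed password for root from 203.0.113.7 port 5000 ssh2
Mar 10 12:00:05 host sshd[101]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar 10 12:00:09 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
Mar 10 12:00:14 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 5003 ssh2
Mar 10 12:00:20 host sshd[104]: Failed password for root from 203.0.113.7 port 5004 ssh2
Mar 10 12:00:21 host sshd[105]: Failed password for root from 203.0.113.7 port 5005 ssh2
Mar 10 12:01:00 host sshd[106]: Failed password for root from 192.168.1.20 port 5006 ssh2
Mar 10 12:01:03 host sshd[107]: Failed password for root from 192.168.1.20 port 5007 ssh2
Mar 10 12:01:06 host sshd[108]: Failed password for root from 192.168.1.20 port 5008 ssh2
Mar 10 12:01:09 host sshd[109]: Failed password for root from 192.168.1.20 port 5009 ssh2
Mar 10 12:01:12 host sshd[110]: Failed password for root from 192.168.1.20 port 5010 ssh2
Mar 10 12:02:00 host sshd[111]: Accepted publickey for alice from 192.168.1.5 port 5011 ssh2
Mar 10 12:05:00 host sshd[112]: Failed password for backup from 198.51.100.9 port 5012 ssh2
Mar 10 12:08:00 host sshd[113]: Failed password for backup from 198.51.100.9 port 5013 ssh2
Mar 10 12:11:00 host sshd[114]: Failed password for backup from 198.51.100.9 port 5014 ssh2
Mar 10 12:14:00 host sshd[115]: Failed password for backup from 198.51.100.9 port 5015 ssh2
Mar 10 12:16:00 host sshd[116]: Failed password for backup from 198.51.100.9 port 5016 ssh2
Mar 10 12:17:00 host sshd[117]: Failed password for backup from 198.51.100.9 port 5017 ssh2
Mar 10 12:30:00 host sshd[118]: Failed password for root from 203.0.113.7 port 5018 ssh2
Mar 10 13:01:00 host sshd[119]: Failed password for root from 203.0.113.7 port 5019 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_duration(text):
    """'10m' -> 600 seconds; a bare integer is seconds (single-suffix subset of fail2ban's syntax)."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * units[m.group(2)]


def parse_syslog_time(line):
    """Syslog timestamps carry no year; 2024 is assumed for this demo."""
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, bantime, findtime, maxretry, ignoreip):
        self.bantime = timedelta(seconds=parse_duration(bantime))
        self.findtime = timedelta(seconds=parse_duration(findtime))
        self.maxretry = maxretry
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.bans = {}                      # ip -> time the ban expires

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        # A v4 address tested against a v6 network is simply False, never an error.
        return any(addr in net for net in self.ignore)

    def observe(self, ts, ip):
        """Record one failure at ts. Returns 'ban', 'already-banned' or None."""
        if self.is_ignored(ip):
            return None
        if ip in self.bans:
            if ts < self.bans[ip]:
                return "already-banned"
            del self.bans[ip]               # bantime elapsed; count afresh
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return "ban"
        return None


def replay(log_text, jail):
    """Feed matching lines to the jail; return (HH:MM:SS, ip, action) per action taken."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                        # e.g. the 'Accepted publickey' line
        action = jail.observe(parse_syslog_time(line), m.group("ip"))
        if action:
            events.append((line[7:15], m.group("ip"), action))
    return events


def run_demo():
    jail = Jail(BANTIME, FINDTIME, MAXRETRY, IGNOREIP)
    return replay(SAMPLE_LOG, jail), jail


if __name__ == "__main__":
    for when, ip, action in run_demo()[0]:
        print(when, ip, action)
```

Running it shows 203.0.113.7 banned on its fifth failure within the window, the LAN host 192.168.1.20 never banned because it matches `ignoreip`, and 198.51.100.9 banned only on its sixth attempt, since its first five were spread over more than ten minutes. The ban on 203.0.113.7 has lapsed by 13:01, so that failure starts a fresh count. One practical point follows from the `ignoreip` comment about HAProxy: if the backend logs the proxy's address instead of the real client's, every failure appears to come from HAProxy, so listing the proxy in `ignoreip` stops you banning your own proxy but the jail will protect nothing until the backend logs the forwarded client address.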