This brief tutorial shows students and new users how to install and configure Fail2ban on Ubuntu 20.04 | 18.04.
For webmasters or anyone managing a Linux server that is accessible over the Internet, the risk of the server being compromised is high, so implementing security best practices to help mitigate these attacks should be a priority.
There are many tools to help protect a Linux server. One such tool is Fail2ban.
Fail2ban is a tool that helps protect Linux servers from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan the server's logs for malicious attempts and bans offending IPs for a specific length of time using the system's firewall.
Banned IPs are only removed from the ban list when there are no new attempts and only after the ban period has elapsed. The offending IPs should then be able to connect again.
To get started with installing and configuring Fail2ban, follow the steps below:
Install Fail2ban
Fail2ban packages are included in the Ubuntu repositories. To install it, simply run the commands below.
sudo apt update
sudo apt install fail2ban
Once the installation is complete, the service should start automatically and be ready to be configured.
To check whether the service is up and operational, run the command below:
sudo systemctl status fail2ban
You should see similar lines as below:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enab>
Active: active (running) since Thu 2021-03-11 15:26:00 CST; 23s ago
Docs: man:fail2ban(1)
Main PID: 2982 (f2b/server)
Tasks: 5 (limit: 4654)
Memory: 13.6M
CGroup: /system.slice/fail2ban.service
└─2982 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Mar 11 15:26:00 ubuntu2004 systemd[1]: Starting Fail2Ban Service.
Mar 11 15:26:00 ubuntu2004 systemd[1]: Started Fail2Ban Service.
Configure Fail2ban
When you install Fail2ban, it is installed with these two default configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.
To configure Fail2ban, you should not make your changes directly to the configuration files above, as they may be overwritten when the package is updated.
The Fail2ban service reads the configuration files in the following order:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
Configuration files that end in .local override files that end in .conf.
So make your changes in the .local file as much as possible.
Most users should simply copy jail.conf to create a jail.local file, then modify the .local file to implement their changes. You do not need all the settings copied over from jail.conf, only the ones you want to override.
Advanced users can simply create an empty jail.local file and add only the changes they want to implement.
For simplicity's sake, we're going to copy jail.conf to create the jail.local file. To do that, run the command below:
sudo cp /etc/fail2ban/jail.{conf,local}
Then start editing the configuration file you just created by running the command below:
sudo nano /etc/fail2ban/jail.local
Your very first setting should be whitelisting known IP addresses. These are addresses that you may be connecting from and don't want to get banned.
Edit the line to ignore these IPs:
ignoreip = 127.0.0.1/8 ::1 10.16.34.67 172.16.1.0/24
More settings that control how threats are restricted can be configured with these options: bantime, findtime and maxretry.
The default bantime value is 10 mins. If you want to change how long an IP should be banned for, change the value (a plain number is seconds; the m suffix in the example means minutes).
#"bantime" is the number of seconds that a host is banned.
bantime = 10m
Findtime is the window of time within which the failures are counted before a ban is set. The default value is 5 times.
To change that number, set the value for the line below:
#A host is banned if it has generated "maxretry" during the last "findtime"
#seconds.
findtime = 10m
Maxretry is the number of failures before an IP is banned. The default is 5. To change that number, modify the line below:
#"maxretry" is the number of failures before a host get banned.
maxretry = 5
Jails and Services
Fail2ban uses the concept of jails. A service is jailed when a predefined condition is met after analyzing the service's logs for matching patterns. When the condition is met, the corresponding actions defined in the configuration file are executed.
By default, only the SSH jail is enabled. You can add more services to the list whose offending clients should be banned when conditions are met.
For example, here's the SSH configuration with the settings discussed above to limit threats and ban bad actors who try to brute-force your SSH server.
# SSH servers
[sshd]
enabled = true
bantime = 10m
findtime = 10min
maxretry = 5
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
You can replicate this for other services in the list and add more that you want to protect.
When you're done adding your configuration settings, run the command below to restart the Fail2ban service.
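To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is an added example (not code from this page or from the Fail2ban project) that replays constructed sshd failure lines through a small Python model of one jail. The log pattern, the Jail class and the sample hosts are simplifications assumed for the example, not Fail2ban's own filter or data.

```python
import re
import ipaddress
from collections import defaultdict, deque
# Simplified sshd failure pattern (assumed for this example; not fail2ban's own filter).
FAILED = re.compile(r"^\w{3} +\d+ (?P<ts>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (?P<ip>[\d.:a-fA-F]+) port \d+ ssh2")

def to_seconds(value):
    """Parse the short duration form used in jail.local ("10m", "1h", "600")."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", str(value)).groups()
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]

class Jail:
    def __init__(self, ignoreip, bantime="10m", findtime="10m", maxretry=5):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.bantime, self.findtime, self.maxretry = to_seconds(bantime), to_seconds(findtime), maxretry
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.bans = {}                      # ip -> time at which the ban expires
        self.events = []                    # ("ban"|"unban", ip) in the order they happen

    def feed(self, ts, ip):
        for banned, until in list(self.bans.items()):  # lift bans whose bantime elapsed
            if ts >= until:
                del self.bans[banned]
                self.events.append(("unban", banned))
        if ip in self.bans or any(ipaddress.ip_address(ip) in n for n in self.ignore):
            return                                     # already banned or in ignoreip
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:          # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:               # maxretry failures inside findtime
            self.bans[ip] = ts + self.bantime
            window.clear()
            self.events.append(("ban", ip))

def simulate(log_text, **jail_settings):
    """Replay same-day auth-log lines through a Jail and return its ban/unban events."""
    jail = Jail(**jail_settings)
    for m in filter(None, map(FAILED.match, log_text.splitlines())):
        h, mi, s = map(int, m["ts"].split(":"))
        jail.feed(h * 3600 + mi * 60 + s, m["ip"])
    return jail.events

# Constructed sample log (not real traffic): a brute-forcer, a host inside ignoreip, and a slow host.
LINE = "Mar 11 15:{t} ubuntu2004 sshd[{p}]: Failed password for {u} from {ip} port 5{p} ssh2"
SAMPLE_LOG = "\n".join(
    [LINE.format(t=f"30:0{i}", p=f"300{i}", u="root", ip="203.0.113.5") for i in range(1, 6)]
    + [LINE.format(t=f"31:0{i}", p=f"310{i}", u="invalid user admin", ip="172.16.1.20") for i in range(1, 7)]
    + [LINE.format(t=f"{mm}:0{i}", p=f"3{mm}{i}", u="root", ip="198.51.100.9") for mm in (32, 45) for i in range(1, 4)])
```

Calling simulate(SAMPLE_LOG, ignoreip="127.0.0.1/8 ::1 172.16.1.0/24") bans only 203.0.113.5 and lifts that ban once bantime has passed; widening findtime to 20m is enough to catch the slow host as well.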
sudo systemctl restart fail2ban
Fail2ban also comes with a client tool that can be used to interact with the service.
Using the client tool, you can check the status of a Fail2ban jail for a particular service. For example, to check the SSH jail status, run the command below:
sudo fail2ban-client status sshd
To unban a particular IP address, run the command below:
sudo fail2ban-client set sshd unbanip 192.168.1.1
To manually ban an IP address, run the command below:
sudo fail2ban-client set sshd banip 192.168.1.1
That should do it!
Conclusion:
This post showed you how to install, configure and use Fail2ban to protect Linux servers that are accessible from the Internet.