How to Setup Fail2ban on Ubuntu

This brief tutorial shows students and new users how to install and configure Fail2ban on Ubuntu 20.04 | 18.04.

For webmasters or anyone managing Linux server that is accessible over the Internet, the risks of the server being compromised is high, so implementing best security practices to help mitigate these attacks should be a priority.

There are many tools to help protect Linux server. One such tool is known as Fail2ban.

Fail2ban is a tool that help protect Linux servers from brute force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan the server’s logs for malicious attempts and bans offending IPs for a specific length of time using the system’s firewall.

Banned IPs are only removed from the list when there are no new attempts and only after the period of time banned for. Then the offending IPs should be able to connect again.

To get started with installing and configuring Fail2ban, follow the steps below:

Install Fail2ban

Fail2ban packages are automatically included in Ubuntu repositories. To install it, simply run the commands below.

sudo apt update
sudo apt install fail2ban

Once the installation is complete, the service should automatically start up and ready to be configured.

To check if the service is up and operational, run the commands below:

sudo systemctl status fail2ban

You should see similar lines as below:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enab>
     Active: active (running) since Thu 2021-03-11 15:26:00 CST; 23s ago
       Docs: man:fail2ban(1)
   Main PID: 2982 (f2b/server)
      Tasks: 5 (limit: 4654)
     Memory: 13.6M
     CGroup: /system.slice/fail2ban.service
             └─2982 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Mar 11 15:26:00 ubuntu2004 systemd[1]: Starting Fail2Ban Service...
Mar 11 15:26:00 ubuntu2004 systemd[1]: Started Fail2Ban Service.

Configure Fail2ban

When you install Fail2ban, it is installed with these two default configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

To configure Fail2ban, you should not make your changes directly to the configuration files above as they may be overwritten when the packages updated.

Fail2ban service reads the configuration files in the following order.

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/.local

Configuration files that end in .local override files that end with .conf.

So make you changes in the .local file as much as possible.

Most users out there should simply copy the jail.conf to create a jail.local file, then modify the .local file to implement their changes. You may not need all the settings coped over from the jail.conf file, only changes you want to overwrite in the jail.conf file.

Advanced users can simply create each jail.local file and begin editing changes they want to implement.

For simplicity sake, we’re going to copy the jail.conf file to create the jail.local file. To do that run the commands below:

sudo cp /etc/fail2ban/jail.{conf,local}

Then start editing the configuration file just created by running the commands below:

sudo nano /etc/fail2ban/jail.local

Your very first setting should be whitelisting known IP addresses. These are address that you maybe connecting from and don’t want to get ban.

Edit the line to ignore these IPs:

ignoreip = 127.0.0.1/8 ::1 10.16.34.67 172.16.1.0/24

More settings to control how threats are restricted can be configured with these options: bantime, findtime and maxretry.

The default bantime value is 10 mins. If you want to change how long an IP should be banned for, change the value in seconds.

#"bantime" is the number of seconds that a host is banned.
 bantime  = 10m

Findtime is the duration between the number of failures before a ban is set. The default value is 5 times.

To change that number, set the value for the line below:

#A host is banned if it has generated "maxretry" during the last "findtime"
#seconds.
 findtime  = 10m

Maxretry is the number of failures before an IP is banned. The default is 5. To change that number, modify the line below:

#"maxretry" is the number of failures before a host get banned.
 maxretry = 5

Jails Services

Fail2ban uses the concept of Jails. A service is jailed when a predefined condition is met after analyzing the service logs for matching patterns. When the condition is met, the corresponding actions defined in the configuration file are executed.

By default, only SSH jail is enabled. You can add more services to the list that should be banned when conditions are met.

For example, here’s SSH configuration with the settings discussed above to limit threats and ban bad actors who want to brute force your SSH server.

# SSH servers
[sshd]
enable  = true
bantime = 10m
findtime = 10min
maxretry = 5
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

You can replicate to other services in the list and add more that you want to protect.

When you’re done adding your configuration settings, run the commands below to restart Fail2ban service.

sudo systemctl restart fail2ban

Fail2ban also comes with client tool that can be used to interact with the service.

Using its client tool, you can check Fail2ban jail status for a particular service. For example, to check for SSH jail status, run the commands below:

sudo fail2ban-client status sshd

To unbind a particular IP address, run the commands below:

sudo fail2ban-client set sshd unbanip 192.168.1.1

To manually ban an IP address, run the commands below:

sudo fail2ban-client set sshd banip 192.168.1.1

That should do it!

Conclusion:

This post showed you how to install, configure and use Fail2ban to protect Linux servers that are accessible from the Internet.

If you find any error above, please use the form below to report.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.