How to Setup Fail2ban on Ubuntu Linux


This tutorial demonstrates how to install and configure Fail2ban on Ubuntu 20.04 and 18.04 to enhance Linux server security. Fail2ban protects servers from brute force and other automated attacks by scanning server logs for malicious activity and banning offending IPs via the system’s firewall. After installation, configuration involves creating a ‘.local’ file for specific adjustments,…

This brief tutorial shows students and new users how to install and configure Fail2ban on Ubuntu 20.04 | 18.04.

For web admins or anyone managing a Linux server accessible over the Internet, the risk of the server being compromised is high, so implementing best security practices to help mitigate these attacks should be a priority.

There are many tools to help protect Linux servers. One such tool is known as Fail2ban.

Fail2ban is a tool that helps protect Linux servers from brute force and other automated attacks by monitoring the service logs for malicious activity. It uses regular expressions to scan the server’s logs for malicious attempts and bans offending IPs using the system’s firewall for a specific time.

Banned IPs are only removed from the ban list once the ban period has elapsed and no new attempts have been made. After that, the offending IPs are able to connect again.

To get started with installing and configuring Fail2ban, follow the steps below:

Install Fail2ban

Fail2ban packages are automatically included in Ubuntu repositories. To install it, simply run the commands below.

sudo apt update
sudo apt install fail2ban

Once the installation is complete, the service should automatically start up and be ready to be configured.

To check if the service is up and operational, run the commands below:

sudo systemctl status fail2ban

You should see similar lines below:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enab>
     Active: active (running) since Thu 2021-03-11 15:26:00 CST; 23s ago
       Docs: man:fail2ban(1)
   Main PID: 2982 (f2b/server)
      Tasks: 5 (limit: 4654)
     Memory: 13.6M
     CGroup: /system.slice/fail2ban.service
             └─2982 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Mar 11 15:26:00 ubuntu2004 systemd[1]: Starting Fail2Ban Service.
Mar 11 15:26:00 ubuntu2004 systemd[1]: Started Fail2Ban Service.

Configure Fail2ban

Fail2ban is installed with these default configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

To configure Fail2ban, you should not change the configuration files above, as they may be overwritten when the packages are updated.

Fail2ban service reads the configuration files in the following order.

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

Configuration files that end in .local override files that end with .conf.

So, make your changes in the .local files rather than in the .conf files.

Most users should simply copy jail.conf to create a jail.local file, then modify the .local file to implement their changes. You do not need every setting copied over from jail.conf; the .local file only has to contain the settings you want to override.

Advanced users can simply create an empty jail.local file and add only the settings they want to change.

For simplicity’s sake, we’re going to copy the jail.conf file to create the jail.local file. To do that, run the commands below:

sudo cp /etc/fail2ban/jail.{conf,local}

Then start editing the configuration file just created by running the commands below:

sudo nano /etc/fail2ban/jail.local

Your very first setting should be whitelisting known IP addresses. These are addresses that you may be connecting from and don’t want to get banned.

Edit the line to ignore these IPs:

ignoreip = 127.0.0.1/8 ::1 10.16.34.67 172.16.1.0/24

More settings to control how threats are restricted can be configured with these options: bantime, findtime, and maxretry.

The default bantime value is 10 mins. Change the value in seconds to change how long an IP should be banned.

#"bantime" is the number of seconds that a host is banned.
bantime  = 10m

Findtime is the time window within which the failures are counted before a ban is set. The default value is 5 times.

To change that number, set the value for the line below:

#A host is banned if it has generated "maxretry" during the last "findtime"
#seconds.
findtime  = 10m

Maxretry is the number of failures before an IP is banned. The default is 5. To change that number, modify the line below:

#"maxretry" is the number of failures before a host gets banned.
maxretry = 5

Jails Services

Fail2ban uses the concept of jails. Each jail watches the logs of one service for matching patterns; when a predefined condition is met (for example, maxretry failures within findtime), the actions defined for that jail, such as banning the offending IP in the firewall, are executed.

By default, only the SSH jail is enabled. You can enable jails for other services so that offending IPs are banned when those jails' conditions are met.

For example, here’s SSH configuration with the above settings to limit threats and ban bad actors who want to brute force your SSH server.

# SSH servers
[sshd]
enabled  = true
bantime  = 10m
findtime = 10m
maxretry = 5
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
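To make the interplay of ignoreip, findtime, maxretry and bantime in the sshd jail above concrete, here is an added example (not code from the original post or from the Fail2ban project) that models a single jail over constructed auth.log lines. The regular expression is a simplified stand-in for Fail2ban's real sshd failregex, and the log lines and IPs are made up for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for the sshd failregex: capture the source IP of a failed login.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

class Jail:
    """Toy model of one jail: ignoreip, findtime, maxretry, bantime (times in seconds)."""
    def __init__(self, ignoreip, findtime, maxretry, bantime):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.findtime, self.bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.maxretry = maxretry
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned = {}                   # ip -> time at which the ban expires

    def feed(self, line, year=2021):
        """Process one log line; return the IP if this line triggers a ban, else None."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return None
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, addr = m["ip"], ipaddress.ip_address(m["ip"])
        # A ban is lifted only once bantime has elapsed; failures while banned do not count.
        self.banned = {b: until for b, until in self.banned.items() if now < until}
        if ip in self.banned or any(addr in net for net in self.ignore):
            return None
        # Only failures inside the findtime window count towards maxretry.
        recent = [t for t in self.failures[ip] if now - t <= self.findtime] + [now]
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned[ip], self.failures[ip] = now + self.bantime, []
            return ip
        return None

def bans_for(lines, ignoreip="127.0.0.1/8 ::1 10.16.34.67 172.16.1.0/24", findtime=600, maxretry=5, bantime=600):
    jail = Jail(ignoreip, findtime, maxretry, bantime)
    return [ip for ip in (jail.feed(line) for line in lines) if ip]

# Constructed auth.log lines (not real traffic): five rapid failures, five from an ignoreip host,
# and three plus three separated by 16 minutes from a third host.
SAMPLE_LOG = (
    [f"Mar 11 15:30:{s:02d} ubuntu2004 sshd[3000]: Failed password for root from 203.0.113.5 port 40000 ssh2" for s in range(0, 50, 10)]
    + [f"Mar 11 15:31:{s:02d} ubuntu2004 sshd[3001]: Failed password for invalid user admin from 10.16.34.67 port 51000 ssh2" for s in range(0, 50, 10)]
    + [f"Mar 11 15:{m:02d}:00 ubuntu2004 sshd[3002]: Failed password for ubuntu from 198.51.100.9 port 52000 ssh2" for m in (32, 33, 34, 50, 51, 52)]
)
```

With the defaults, only 203.0.113.5 is banned: the ignoreip host is skipped, and the third host never reaches five failures inside one findtime window. Lowering maxretry to 3 bans the third host twice, since its first ban expires before its second burst.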

You can replicate other services in the list and add more you want to protect.

When you’re done adding your configuration settings, run the commands below to restart the Fail2ban service.

sudo systemctl restart fail2ban

Fail2ban also comes with a client tool that can be used to interact with the service.

Using its client tool, you can check the Fail2ban jail status for a particular service. For example, to check for SSH jail status, run the commands below:

sudo fail2ban-client status sshd

To unban a particular IP address, run the commands below:

sudo fail2ban-client set sshd unbanip 192.168.1.1

To manually ban an IP address, run the commands below:

sudo fail2ban-client set sshd banip 192.168.1.1

That should do it!

Conclusion:

This post showed you how to install, configure, and use Fail2ban to protect Linux servers accessible from the Internet.
