Fail2ban is a powerful utility that protects your Linux system from different kinds of malicious attacks such as brute force attacks. It does this by constantly monitoring log files to identify automated attacks and failed logins. Fail2ban uses regular expressions to scan log files and identify all such instances. When their count crosses a specific threshold, it blocks the IP address/addresses responsible for it, for a specific period of time. In this article, we will learn how to install fail2ban in Ubuntu.
How to Install Fail2ban in Ubuntu
Here are the steps to install Fail2ban in Ubuntu and other Debian systems.
First of all, log in as root or as a user with sudo privileges and run the following command to update your package index.
$ sudo apt update
Next, run the following command to install Fail2ban.
$ sudo apt-get install fail2ban
You may see a confirmation prompt during installation, enter y or Y to proceed.
Once installation is complete, run the following command to verify installation.
$ sudo systemctl status fail2ban
You will see the following kind of output.
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1051 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 11.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Run the following command so that Fail2ban starts automatically at every system boot.
$ sudo systemctl enable fail2ban
Fail2ban Configuration
When you install Fail2ban in Ubuntu, it will also install 4 configuration files at the following locations:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
Fail2ban reads these files in the order listed, so a setting in a lower file overrides the same setting in an upper one. Do not edit jail.conf directly, since a package upgrade can replace it; instead, administrators generally copy jail.conf to jail.local and make their changes there.
Each of these files has different sections with comments mentioning what they do. We will look at some of the most commonly used sections.
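The override order above is easy to get wrong, so here is an added example (not part of the original article or of Fail2ban's own code) that reproduces it with Python's configparser: it builds a constructed sample configuration tree in a temporary directory, reads the four locations in Fail2ban's order, and reports the settings that end up in force for the sshd jail. The file names under jail.d and all values are invented for the demonstration.

```python
import configparser
import glob
import os
import shutil
import tempfile

# Load order used by fail2ban: later entries override earlier ones.
LOAD_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")


def load_jail_config(conf_dir):
    """Read a fail2ban-style jail configuration tree in override order.

    ConfigParser keeps the last value seen for a key, so reading the files in
    LOAD_ORDER gives the same precedence fail2ban applies.  Values in [DEFAULT]
    are inherited by every jail section unless the section sets its own.
    """
    parser = configparser.ConfigParser(interpolation=None)  # keep %(action_mw)s literal
    files = []
    for pattern in LOAD_ORDER:
        files.extend(sorted(glob.glob(os.path.join(conf_dir, pattern))))
    parser.read(files)
    return parser


def build_demo_tree():
    """Create a constructed sample tree in a temp dir (not the real /etc/fail2ban)."""
    root = tempfile.mkdtemp(prefix="f2b-demo-")
    os.makedirs(os.path.join(root, "jail.d"))
    samples = {
        # shipped defaults
        "jail.conf": "[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n\n[sshd]\nport = ssh\n",
        # distro drop-in enabling the jail (hypothetical file name)
        "jail.d/defaults-debian.conf": "[sshd]\nenabled = true\n",
        # administrator's overrides
        "jail.local": "[DEFAULT]\nbantime = 1d\n\n[sshd]\nmaxretry = 3\n",
        # a later drop-in wins over jail.local (hypothetical file name)
        "jail.d/sshd.local": "[sshd]\nbantime = 2d\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root


def effective_sshd_settings(conf_dir):
    """Return the values actually in force for the [sshd] jail."""
    cfg = load_jail_config(conf_dir)
    keys = ("enabled", "bantime", "findtime", "maxretry", "port")
    return {k: cfg.get("sshd", k) for k in keys}


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for key, value in effective_sshd_settings(demo_root).items():
            print(f"{key} = {value}")
    finally:
        shutil.rmtree(demo_root)
```

Running it shows bantime = 2d (jail.d/sshd.local beats jail.local), maxretry = 3 (jail.local beats jail.conf), enabled = true from the drop-in, and findtime = 10m inherited from the [DEFAULT] section that nothing overrode.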
ignoreip – a list of IP addresses and ranges that Fail2ban must never ban, for example your own management hosts. Separate the entries with spaces (commas are also accepted). Here is an example.
ignoreip = 127.0.0.1/8 ::1 23.23.23.23 192.125.1.0/24
bantime – duration of the ban. The default bantime is 10 minutes. You can set it to 1 day like this.
bantime = 1d
findtime – the time window within which a specific number of failures must occur for an IP address to be banned. For example, if you set Fail2ban to ban an IP after 4 failures and a findtime of 10 minutes, then the 4 failures must occur within 10 minutes for that IP to be banned.
findtime = 10m
maxretry – maximum number of failures before an IP is banned. Here is the setting to ban an IP after 4 attempts.
maxretry = 4
For example, if you add the following jail to your Fail2ban configuration, it will ban an IP address for 1 day after 3 failed SSH login attempts within 10 minutes. The logpath tells Fail2ban which log to watch, and since port 22 is specified, the firewall rule created by the ban applies to that port.
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1d
findtime = 10m
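To see how maxretry, findtime and ignoreip interact, here is an added example (written for this article; it is not Fail2ban's code and uses a much simpler pattern than the real filter.d/sshd.conf) that replays a constructed auth.log excerpt through the [sshd] jail above. It keeps a sliding window of failures per address, drops failures older than findtime, bans once the window holds maxretry entries, and skips addresses covered by ignoreip. The log lines, the 192.168.1.0/24 ignore range and the addresses are all invented for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed jail settings mirroring the [sshd] jail above (not read from a real jail.local)
JAIL = {
    "maxretry": 3,
    "findtime": "10m",
    "bantime": "1d",
    "ignoreip": "127.0.0.1/8 ::1 192.168.1.0/24",
}

# Simplified stand-in for the sshd filter: syslog timestamp, host, sshd[pid], failed password, source IP
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample of /var/log/auth.log; no real hosts are involved
SAMPLE_AUTH_LOG = """\
Aug 19 06:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 19 06:10:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Aug 19 06:10:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Aug 19 06:11:00 host sshd[1204]: Failed password for root from 192.168.1.20 port 40000 ssh2
Aug 19 06:11:02 host sshd[1205]: Failed password for root from 192.168.1.20 port 40001 ssh2
Aug 19 06:11:04 host sshd[1206]: Failed password for root from 192.168.1.20 port 40002 ssh2
Aug 19 06:20:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 30000 ssh2
Aug 19 06:25:00 host sshd[1208]: Failed password for root from 198.51.100.9 port 30001 ssh2
Aug 19 06:40:00 host sshd[1209]: Failed password for root from 198.51.100.9 port 30002 ssh2
Aug 19 06:41:00 host sshd[1210]: Accepted publickey for deploy from 198.51.100.9 port 30003 ssh2
"""


def parse_duration(value):
    """Convert a fail2ban time string such as '10m' or '1d' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    if value[-1].isdigit():
        return int(value)
    return int(value[:-1]) * units[value[-1]]


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip.split())


def scan(lines, jail):
    """Replay log lines through the jail; return {ip: timestamp when it was banned}."""
    findtime = parse_duration(jail["findtime"])
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the findtime window
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # not a failure line (e.g. a successful login)
        ip = m.group("ip")
        if ip in banned or is_ignored(ip, jail["ignoreip"]):
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # too old to count toward maxretry
        if len(window) >= jail["maxretry"]:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_AUTH_LOG.splitlines(), JAIL).items():
        print(f"ban {ip} for {JAIL['bantime']} (triggered at {when.strftime('%b %d %H:%M:%S')})")
```

Only 203.0.113.7 is banned: its three failures land within seconds of each other. 192.168.1.20 also fails three times but sits inside the ignoreip range, and 198.51.100.9 fails three times spread over 20 minutes, so no three of them ever fit inside the 10-minute findtime window.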
Fail2ban also ships with a client that allows you to ban and unban IP addresses from the command line. Here is the command to unban an IP address from the sshd jail.
$ sudo fail2ban-client set sshd unbanip 54.34.21.12
Here is the command to ban an IP address in the sshd jail.
$ sudo fail2ban-client set sshd banip 54.34.21.12
Fail2ban can also send email notifications to the system administrator whenever an IP is banned. For this, you need to have an SMTP service installed on your server and change the default action from a simple ban to ban plus email in the Fail2ban configuration file.
action = %(action_mw)s
If you also want to include relevant log information, use the following configuration instead.
action = %(action_mwl)s
You can also set the sender and receiver email addresses using the following directives. destemail can be any valid email address of the recipient, but the sender address must correspond to the email address configured in your server's SMTP service.
destemail = admin@example.com
sender = root@example.com
Fail2ban offers many more features. You can learn more about them in the man pages.
$ man fail2ban
In this article, we have learned how to install and configure Fail2ban in Ubuntu.
Sreeram Sreenivasan loves coding & writing tech articles. He has helped many Fortune 500 companies in the areas of BI & software development. He has more than 10 years of experience in web development, Python, Linux, SQL and database programming.