A couple of days ago, I was just lying on the couch scrolling reels when I got a mail from my hosting provider saying that they had noticed a lot of unsuccessful SSH login attempts on my server. I panicked and realised that I had forgotten to configure Fail2ban on the server. I quickly checked /var/log/auth.log and ran journalctl -u ssh, and found a huge list of failed login attempts. I configured Fail2ban right away, monitored it for 6 hours straight, and it worked. So I thought I would share the same with you.
Why Fail2ban?
Let me tell you that Fail2ban is one of the best tools to safeguard your server. It adds a strong extra layer of protection. The best part is that Fail2ban is completely free and open source, so anyone can use it. You won’t believe it, but Fail2ban is one of the most popular tools amongst server admins.
What is Fail2ban?
Basically, Fail2ban is an intrusion prevention tool that works together with the server’s firewall. It reads and analyses the log files and decides whether to block an IP or allow it, based on how Fail2ban is configured. You can configure it to ban an IP for some time or to ban it permanently.
How Fail2ban Works?
It works on a simple logic: whenever someone tries to log in to the server over SSH, a log entry is created (the one you see in /var/log/auth.log and in the systemd journal). Fail2ban reads these logs and, let’s say you have configured it to ban after 5 wrong attempts within 5 minutes, once that limit is reached it bans the IP in the firewall.
So let’s see how we can configure Fail2ban on Ubuntu 24.04.
Prerequisite
- Fully configured firewall
- A sudo user
Step 1 – Updating the Server
The first step before installing Fail2ban is to update our server, so execute the following commands
sudo apt update -y
sudo apt upgrade -y
Step 2 – Installing Fail2ban
The next step is to install Fail2ban, so run the command given below
sudo apt install fail2ban -y
Step 3 – Configure Fail2ban
The third step is to configure Fail2ban. For this, we will create a copy of the main file “/etc/fail2ban/jail.conf” as “jail.local” and make all our changes in “jail.local”, so that our configuration stays in place even when Fail2ban gets an update (a package update can overwrite jail.conf, but it leaves jail.local alone).
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now let’s open the “jail.local” file in the nano editor
sudo nano /etc/fail2ban/jail.local
Now search for the [sshd] section and change it as shown below
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
Note: remember that findtime and bantime are in seconds by default; you can also give them in hours, for example 1h, 2h, etc.
Here is what these options mean
- enabled = true – This will enable the SSH jail.
- port = ssh – The port or service you want to protect.
- filter = sshd – Name of the filter that tells Fail2ban what a failed SSH login looks like in the log.
- logpath = /var/log/auth.log – Path of the log file to be monitored. If this file does not exist on your server (Ubuntu 24.04 can run without rsyslog), the jail can read the systemd journal instead by setting backend = systemd.
- maxretry = 3 – Number of failed attempts allowed before the IP is banned.
- findtime = 600 – The time window (in seconds) within which the failed attempts are counted.
- bantime = 3600 – Time in seconds for which the IP stays banned.
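To make the maxretry / findtime / bantime logic described above concrete, here is a small Python model of a jail (an added example, not Fail2ban’s own code or the author’s; the auth.log lines are constructed and the year 2024 is assumed, since auth.log timestamps carry none). It bans 203.0.113.5 after three failures within 190 seconds, while 198.51.100.7 stays unbanned because its three failures are spread over 40 minutes, longer than findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified model of a Fail2ban jail (maxretry / findtime / bantime). Illustrative code,
# not Fail2ban's own. Matches two common sshd failure lines; the real filter covers more.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)
def parse_ts(ts, year=2024):  # auth.log lines carry no year, so one is assumed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()
class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time at which the ban expires

    def observe(self, line):
        """Feed one log line; return the IP if this line triggered a ban, else None."""
        m = FAILURE_RE.match(line)
        if not m:
            return None                      # successful logins etc. are ignored
        now, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in self.banned and self.banned[ip] <= now:
            del self.banned[ip]              # bantime elapsed, the IP is released
        if ip in self.banned:
            return None                      # already banned; the firewall drops it
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return ip
        return None
# Constructed sample auth.log lines (TEST-NET addresses, not real hosts), in time order.
SAMPLE_LOG = """\
Jun  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jun  1 10:00:05 host sshd[1002]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Jun  1 10:01:30 host sshd[1003]: Invalid user admin from 203.0.113.5 port 4001
Jun  1 10:03:10 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Jun  1 10:05:00 host sshd[1005]: Accepted publickey for bob from 192.0.2.9 port 6000 ssh2
Jun  1 10:20:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jun  1 10:40:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 5002 ssh2
"""
def run(log=SAMPLE_LOG, **opts):  # replay a log through a jail; return banned IPs in order
    jail = Jail(**opts)
    return [ip for ip in map(jail.observe, log.splitlines()) if ip]
```

Calling run() with the defaults from jail.local above returns ['203.0.113.5'] only; widening the window with run(findtime=3600) also catches the slow guesser 198.51.100.7.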
Save the file with Ctrl+X, then Y, and hit Enter.
Let’s check that the configuration is valid by executing the command given below
sudo fail2ban-client -t
Step 4 – Enable and Start Fail2ban
To enable and start the Fail2ban service, run the commands below (if the service was already running after the install, use sudo systemctl restart fail2ban so that the new jail.local is loaded)
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Step 5 – Check Fail2ban Status
To check the status of Fail2ban, run the command given below
sudo fail2ban-client status
To check the status of a specific jail, for example how many IPs have been banned, run
sudo fail2ban-client status <jail name>
for example
sudo fail2ban-client status sshd
To verify that Fail2ban is working, you can deliberately try to log in a few times with wrong credentials; once the maxretry limit is reached, your IP will be banned. Do this from a machine you can still reach the server from some other way, because the ban applies to you for the full bantime (you can lift it early with sudo fail2ban-client set sshd unbanip <your IP>).
Conclusion
I would suggest all of you to configure Fail2ban on your servers, because if your server is exposed to the internet you will definitely see lots and lots of login attempts. If you have any queries or issues, just drop them in the comment box below.