How to Install and Configure Fail2Ban on Ubuntu?



If you are into system administration, you are no doubt familiar with SSH. It is the easiest and most convenient way to connect to a server: think of it as the door of a house, with you holding the key. Many hosting providers issue SSH keys so that administrators can log in to their servers and do their work, but many administrators still prefer password-based login, which is less secure than key-based login. That means anyone who wants in only has to guess the password to get access to your server, and the classic way of guessing passwords is a brute-force attack, which simply tries one candidate password after another until one works.

This is the scenario where Fail2ban comes into play. Fail2ban is a tool that runs on the server itself and lets us protect password-based SSH logins. In this tutorial, I will guide you through installing and configuring Fail2Ban on Ubuntu.

What is Fail2ban?

Fail2ban is a tool that works like an intrusion detection system and protects password-based SSH logins. You can use fail2ban to ban the IPs that try to guess your SSH password. Fail2ban can be configured to ban an IP for a specific amount of time after a number of unsuccessful login attempts, and you can unban the IP again later on.

How does Fail2ban work?

Fail2ban continuously scans the server logs and, when it finds suspicious activity from a specific IP, it blocks that IP address. Fail2ban starts working out of the box, but in some cases you will need to configure it.
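To make the mechanism concrete, here is an added shell example (written for this page, not code from the Fail2ban project) that emulates what a jail does: it reads sshd log lines, counts "Failed password" events per source IP and reports the IPs that reach maxretry, skipping any address listed in ignoreip. The log lines are constructed for the example, and the function names would_ban and ban_list are my own. Real Fail2ban also applies findtime, a sliding window in which the failures must occur; that is left out here to keep the awk readable.

```bash
#!/usr/bin/env bash
# Added example: emulate the counting a Fail2ban jail performs on sshd log lines.
# Not part of Fail2ban; findtime windowing is omitted for brevity.

# Constructed sshd log lines in the journal format the systemd backend reads.
SAMPLE_LOG='Mar 10 08:01:12 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:01:15 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:01:18 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 08:01:21 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 08:01:24 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 10 08:02:01 vps sshd[1210]: Failed password for ubuntu from 198.51.100.4 port 40022 ssh2
Mar 10 08:02:09 vps sshd[1210]: Accepted password for ubuntu from 198.51.100.4 port 40022 ssh2
Mar 10 08:03:00 vps sshd[1212]: Failed password for root from 192.0.2.10 port 33001 ssh2
Mar 10 08:03:02 vps sshd[1213]: Failed password for root from 192.0.2.10 port 33002 ssh2
Mar 10 08:03:04 vps sshd[1214]: Failed password for root from 192.0.2.10 port 33003 ssh2
Mar 10 08:03:06 vps sshd[1215]: Failed password for root from 192.0.2.10 port 33004 ssh2
Mar 10 08:03:08 vps sshd[1216]: Failed password for root from 192.0.2.10 port 33005 ssh2
Mar 10 08:03:10 vps sshd[1217]: Failed password for root from 192.0.2.10 port 33006 ssh2'

# Usage: would_ban MAXRETRY [IGNOREIP ...]   (log lines are read from stdin)
# Prints one line per IP that would be banned: "<ip> <failure count>", sorted.
would_ban() {
  local maxretry="$1"; shift
  local ignore="$*"
  awk -v max="$maxretry" -v ignore="$ignore" '
    BEGIN { n = split(ignore, tmp, " "); for (i = 1; i <= n; i++) skip[tmp[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for/ {
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip in skip) next          # ignoreip: never count a trusted address
      fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
  ' | sort
}

# Convenience wrapper that feeds the constructed sample to would_ban.
ban_list() { printf '%s\n' "$SAMPLE_LOG" | would_ban "$@"; }

ban_list 5               # 192.0.2.10 (6 failures) and 203.0.113.7 (5 failures) reach maxretry
ban_list 5 203.0.113.7   # same scan, but 203.0.113.7 is in ignoreip and is not reported
```

The successful login from 198.51.100.4 does not count against it: only lines matching the failure pattern increment the counter, which is exactly why the filter regex Fail2ban ships for sshd matters as much as maxretry does.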

Advantages of using Fail2ban

Fail2ban is a strong choice for a server administrator because it offers many useful features. It bans any IP that repeatedly uses wrong credentials to log in to your server, it lets you unban an IP when required, and it can send the system administrator an email alert containing all the details of the ban. For the email alerts, however, you will also need to configure a mail server.

Install and Configure Fail2Ban on Ubuntu

You can install Fail2ban on any Linux distribution. It is free to use and works the same way across distros, so although this tutorial targets Ubuntu, you can use it to configure Fail2ban on almost any Linux distribution.

Prerequisites

You just need an Ubuntu VPS with a user that has root or sudo privileges.

Step 1 – Install Fail2ban

Since fail2ban is already available in Ubuntu’s repository, you can install it by executing the commands below.

# sudo apt update -y
# sudo apt install fail2ban -y

Step 2 – Fail2ban configuration

Let’s first copy the configuration file to a local copy in which we will make the required changes, so that our configuration stays in place even when fail2ban gets updated.

# sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, let’s do the required configuration.

# sudo nano /etc/fail2ban/jail.local

Find the “backend” setting in the [DEFAULT] section and change it to

backend = systemd

Then scroll down to the “JAILS” section and, under “[sshd]”, enter the following

enabled = true
maxretry = 5
bantime = 3600

For the Apache web server

Under “HTTP servers”, find “[apache-auth]” and add the details given below

enabled = true
maxretry = 5
bantime = 3600

For the Nginx web server

Under “HTTP servers”, find “[nginx-http-auth]” and add the details given below

enabled = true
maxretry = 5
bantime = 3600

Save the file, and now let’s test the Fail2ban configuration for syntax errors.

# sudo fail2ban-client -t

If you get a message saying the configuration test is “successful”, you have configured everything the right way. So, just enable Fail2ban and start the Fail2ban service.

# sudo systemctl enable fail2ban --now
# sudo systemctl start fail2ban

To check what jails are working on your server, just execute the command below.

# sudo fail2ban-client status

To check whether the service is running fine and without any errors, execute the command below.

# sudo systemctl status fail2ban

Ban IPs with Repetitive Incorrect Login for Longer or Permanently

The best part of using Fail2ban is that it comes with a feature called “recidive”. Why is it the best? Because it blocks an IP address that attempts to log in with incorrect credentials more than 5 times, even after earlier bans have expired.

You can even permanently ban such IPs. So, how do you do that? Follow the steps below.

Open “/etc/fail2ban/jail.local”.

# sudo nano /etc/fail2ban/jail.local

Find “[recidive]” and add or modify the settings as shown below

enabled = true
bantime = 1w

Note: to ban for a month, change "bantime = 1w" to "bantime = 2592000" (the number of seconds in 30 days); if you want to ban the IPs permanently, change it to "bantime = -1".

Now restart the fail2ban service and check which jails are enabled.

# sudo systemctl restart fail2ban
# sudo fail2ban-client status

Also, check whether any IP is currently banned by the recidive jail.

# sudo fail2ban-client status recidive

Unban an IP from Fail2ban

What if a system administrator or another trusted person gets banned from the server, and you want to unban the IP so that the administrator can access the server again? To unban an IP from fail2ban, the first step is to check the list of IPs banned in the relevant jail using

# sudo fail2ban-client status JAIL-NAME

Note: replace JAIL-NAME with one of the jail names shown by sudo fail2ban-client status, for example sshd.

Now, just execute the command below to unban the specific IP.

# sudo fail2ban-client set JAIL-NAME unbanip IP-ADDRESS

Note: make sure to replace JAIL-NAME with the jail you configured and IP-ADDRESS with the IP you want to unban.
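Because a typo in the jail name or address is easy to make, here is an added shell helper (my own example, not part of Fail2ban) that guards the unban step: it checks that the address is a well-formed IPv4 address and that the jail actually lists it as banned before it would run fail2ban-client set JAIL-NAME unbanip IP-ADDRESS. The status text below is constructed to mirror the layout of fail2ban-client status sshd output, and the function names is_ipv4, banned_ips, is_banned and safe_unban are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: a guarded wrapper around "fail2ban-client set <jail> unbanip <ip>".
# Not part of Fail2ban. With a third argument, safe_unban checks against that text
# and only prints the command (offline dry run); without it, it queries the live
# service, which needs root and a running fail2ban.

# Constructed sample of what "sudo fail2ban-client status sshd" prints.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     41
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   203.0.113.7 192.0.2.10'

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  local ip="$1" octet n=0
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit characters or empty octets
  esac
  local IFS='.'
  for octet in $ip; do
    n=$((n + 1))
    [ "$octet" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ]
}

# Prints the addresses from the "Banned IP list" line of status text on stdin, one per line.
banned_ips() {
  awk -F 'Banned IP list:' '/Banned IP list:/ { n = split($2, ips, " "); for (i = 1; i <= n; i++) print ips[i] }'
}

# Usage: is_banned STATUS_TEXT IP   (exact match, so 192.0.2.1 never matches 192.0.2.10)
is_banned() {
  printf '%s\n' "$1" | banned_ips | grep -qxF "$2"
}

# Usage: safe_unban JAIL IP [STATUS_TEXT]
safe_unban() {
  local jail="$1" ip="$2" status="${3:-}"
  is_ipv4 "$ip" || { echo "refusing: '$ip' is not a valid IPv4 address" >&2; return 2; }
  [ -n "$status" ] || status="$(fail2ban-client status "$jail")" || return 3
  if ! is_banned "$status" "$ip"; then
    echo "refusing: $ip is not in the banned list of jail $jail" >&2
    return 1
  fi
  if [ -n "$3" ]; then
    echo "would run: fail2ban-client set $jail unbanip $ip"   # dry run on supplied text
  else
    fail2ban-client set "$jail" unbanip "$ip"
  fi
}

safe_unban sshd 203.0.113.7 "$SAMPLE_STATUS"   # dry run against the constructed sample
```

Run the real thing with sudo and without the third argument once you have confirmed the dry run names the jail and address you intend; the wrapper refuses both malformed input and addresses that are not in the jail's current ban list.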

Conclusion

With this, you have configured Fail2ban on your server. You can now manage the IPs as per your needs.

Sourabh Verma

Hi, I am Sourabh. With over 12 years of experience in Linux, Windows, servers, databases and other IT-related areas, I make sure to publish easy and well-tested tutorials and opinions. I hope you like my work. Thanks.
