How to Install and Set Up Fail2ban on Ubuntu 18.04 | 20.04


In this article, we show how to install and set up Fail2ban on Ubuntu 18.04 and 20.04.

Fail2ban is an open-source tool that protects Linux servers from brute-force, DDoS and other automated attacks by monitoring service logs for malicious activity and identifying automated attacks. It is written in Python.

Fail2ban uses regular expressions to scan service and system logs for brute-force, DDoS and other automated attacks, and bans offending IP addresses for a configurable period using the system firewall.


Install Fail2ban on Ubuntu 18.04 | 20.04

Follow the steps below to install Fail2ban on Ubuntu 18.04 or 20.04:

Step 1: Install Fail2ban

Fail2ban is available in the standard Ubuntu repositories, so run the commands below to install it on your Ubuntu system:

sudo apt update
sudo apt install fail2ban

To verify the installation, run the command below:

sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled>
     Active: active (running) since Sun 2021-03-14 10:21:00 UTC; 33s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1097)
     Memory: 13.4M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Step 2: Fail2ban Configuration

Fail2ban ships with two default configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

Do not edit these files directly, because they can be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order. Settings in a file ending in .local override the settings in the corresponding .conf file:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

Now run the command below to copy jail.conf and save the copy as jail.local:

sudo cp /etc/fail2ban/jail.{conf,local}

Then run the command below to open the jail.local configuration file in a text editor:

sudo nano /etc/fail2ban/jail.local

The above command opens the configuration file, which contains settings like those shown below:

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

Whitelist Known IP Addresses

To whitelist known IP addresses, uncomment the line starting with ignoreip and add your IP addresses separated by spaces, as shown below:

ignoreip = 127.0.0.1/8 ::1 15.18.24.57 192.168.1.0/24

Configure Ban Settings

Bantime – bantime is the length of time a host stays banned, given in seconds or with a unit suffix such as 1d. The default is 10 minutes. To change it, edit the value as shown below:

# "bantime" is the number of seconds that a host is banned.
bantime = 1d

Findtime – findtime is the time window within which the maxretry failures must occur for a host to be banned.

# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 10m

Maxretry – maxretry is the number of failures within findtime before a host gets banned. The default is 5. To change it, edit the line as shown below:

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
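As an added illustration of how findtime, maxretry and ignoreip interact (this is example code, not from the original article or from Fail2ban itself), the script below applies a sliding findtime window to a few constructed sshd log lines. The regular expression is a simplified stand-in for fail2ban's sshd filter, and the year 2021 prepended to the syslog timestamps is an assumption, since syslog lines carry no year.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sshd failure pattern (constructed here, not fail2ban's own filter).
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port")

def parse_duration(value):
    """Subset of fail2ban's time syntax: '600', '10m', '10min', '1d', '2h'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    num, unit = re.fullmatch(r"(\d+)\s*([a-z]*)", value.strip().lower()).groups()
    return int(num) * (units[unit[0]] if unit else 1)

def is_ignored(ip, ignoreip):
    """True if ip is inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def simulate_bans(lines, findtime="10m", maxretry=5, ignoreip=("127.0.0.1/8",)):
    """Return {ip: time of ban}: a host is banned once it has maxretry
    failures inside a sliding window of findtime."""
    window = timedelta(seconds=parse_duration(findtime))
    failures, bans = defaultdict(deque), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        ts = datetime.strptime("2021 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def _line(hhmmss, ip, n):  # constructed syslog-style sshd line
    return f"Mar 14 {hhmmss} host sshd[{n}]: Failed password for root from {ip} port {40000 + n} ssh2"

# Constructed sample: 198.51.100.9 fails 5 times but spread over 12 minutes,
# 203.0.113.7 fails 5 times in 20 seconds, 192.168.1.20 fails 6 times in 25 seconds.
SAMPLE_LOG = ([_line(f"10:{mi:02d}:00", "198.51.100.9", mi) for mi in (0, 3, 6, 9, 12)]
              + [_line(f"10:20:{s:02d}", "203.0.113.7", 20 + s) for s in range(0, 25, 5)]
              + [_line(f"10:21:{s:02d}", "192.168.1.20", 50 + s) for s in range(0, 30, 5)])
```

With the whitelist from the section above (192.168.1.0/24) only the burst from 203.0.113.7 is banned; raising findtime to 15 minutes also catches the slow attempts from 198.51.100.9, which is the trade-off findtime controls.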

Fail2ban Jail Services

Fail2ban uses the concept of jails. A jail describes a service and includes the filter and actions that apply to it. By default, only the SSH jail is enabled. You can enable jails for more services, whose offending hosts are then banned when the conditions are met.

To enable the proftpd jail, add the section below to jail.local:

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The settings discussed above can also be set per jail; for the SSH jail this looks as shown below:

# SSH servers
[sshd]
enabled = true
bantime = 1d
findtime = 10min
maxretry = 5
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

When you have finished editing the configuration file, restart the Fail2ban service by running the command below:

sudo systemctl restart fail2ban
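Because jail.local is layered on top of jail.conf and a misspelt key such as enable instead of enabled is simply ignored, a quick check before restarting is worthwhile. The example below (added here, not part of the article or of Fail2ban) models that layering with Python's configparser and flags jails that are not actually enabled; the two file contents are constructed stand-ins for the real jail.conf and jail.local, and KNOWN_KEYS is an assumed subset of the options fail2ban accepts.

```python
import configparser

# Constructed stand-ins for the shipped jail.conf and an admin's jail.local.
JAIL_CONF = """[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 10m
findtime = 10m
maxretry = 5
backend = auto
sshd_log = /var/log/auth.log
sshd_backend = systemd

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
"""

JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enable = true
bantime = 1d
"""

# Assumed subset of the jail options fail2ban understands.
KNOWN_KEYS = {"enabled", "port", "logpath", "backend", "bantime", "findtime",
              "maxretry", "ignoreip", "filter", "action", "banaction", "protocol"}

def load_layers(*layers):
    """Read layers in order: later (.local) overrides earlier (.conf); [DEFAULT] is inherited."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cp.read_string(text)
    return cp

def lint_jails(cp):
    """Return {jail: [problems]} for jails that are off or that set keys fail2ban ignores."""
    problems = {}
    for jail in cp.sections():
        issues = []
        if not cp.getboolean(jail, "enabled", fallback=False):
            issues.append("jail is not enabled ('enabled = true' missing)")
        for key in cp[jail]:
            if key not in KNOWN_KEYS and key not in cp.defaults():
                issues.append(f"unknown key '{key}'")
        if issues:
            problems[jail] = issues
    return problems
```

On the server itself, fail2ban-client -t validates the real configuration before you restart the service.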

Fail2ban Command Line Tool

Fail2ban comes with a command-line tool called fail2ban-client, which is used to interact with and manage the Fail2ban service.

Run it with the -h option to view all available options of fail2ban-client, as shown below:

fail2ban-client -h

Check the Fail2ban jail status:

sudo fail2ban-client status sshd

Unban a particular IP address:

sudo fail2ban-client set sshd unbanip 198.178.11.1

Ban a particular IP address:

sudo fail2ban-client set sshd banip 198.178.11.1

That’s all.

If you face any error or issue in the steps above, please use the comment box below to report it.
