In this article, we are going to show how to install and set up Fail2ban on Ubuntu 18.04 | 20.04.
Fail2ban is an open-source tool, written in Python, that protects Linux servers from brute-force, DDoS and other automated attacks. It monitors service logs for malicious activity in order to identify automated attacks.
Fail2ban scans the server and system logs with regular expressions for brute-force, DDoS and other automated attacks, and bans offending IP addresses for a configurable time using the system's firewall.
Install Fail2ban on Ubuntu 18.04 | 20.04
Simply follow the steps below to install Fail2ban on Ubuntu 18.04 | 20.04:
Step 1 : Install Fail2ban
Fail2ban packages are available in the standard Ubuntu repositories, so simply run the commands below to install them on your Ubuntu system:
sudo apt update
sudo apt install fail2ban
To verify the installation, run the command below:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled>
Active: active (running) since Sun 2021-03-14 10:21:00 UTC; 33s ago
Docs: man:fail2ban(1)
Main PID: 1251 (f2b/server)
Tasks: 5 (limit: 1097)
Memory: 13.4M
CGroup: /system.slice/fail2ban.service
└─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Step 2 : Fail2ban Configuration
By default, Fail2ban ships with two configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.
Do not edit these files directly to configure Fail2ban, because they can be overwritten when the packages are updated.
Fail2ban reads the configuration files in the following order. Every configuration file that ends in .local overrides the settings from the corresponding .conf file:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
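As an added illustration (not part of the original article and not Fail2ban's own code), the following Python snippet models that layering with Python's configparser, which the real Fail2ban reader builds on. The three file contents are constructed stand-ins, read in the order listed above; the resolved settings of the sshd jail show that each later file overrides only the keys it mentions, while %(sshd_log)s is filled in from [DEFAULT]. The real reader also handles [INCLUDES] sections and a few extra interpolation variables, which this model leaves out.

```python
"""Added example: how jail.conf, jail.d/*.conf and jail.local layer on top of each other."""
import configparser

# Constructed stand-in for the packaged jail.conf (not the real file contents).
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 10m
findtime = 10m
maxretry = 5
sshd_log = /var/log/auth.log
sshd_backend = auto

[sshd]
enabled = false
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
"""

# Constructed stand-in for jail.d/defaults-debian.conf: Ubuntu enables sshd here.
JAIL_D_DEFAULTS_DEBIAN_CONF = """
[sshd]
enabled = true
"""

# The administrator's overrides. Only the keys being changed are listed; a full
# copy of jail.conf (as made in Step 2) behaves the same, since unchanged keys
# simply repeat the values already read.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime = 1d

[sshd]
maxretry = 3
"""


def load_layers(layers):
    """Read (name, text) pairs in order; a later layer overrides earlier keys."""
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for name, text in layers:
        cfg.read_string(text, source=name)
    return cfg


def effective_jail(cfg, jail):
    """Return the fully resolved settings of one jail, DEFAULT keys included."""
    return {key: cfg.get(jail, key) for key in cfg.options(jail)}


def run_example():
    """Resolve the sshd jail in the order Fail2ban reads its files."""
    cfg = load_layers([
        ("/etc/fail2ban/jail.conf", JAIL_CONF),
        ("/etc/fail2ban/jail.d/defaults-debian.conf", JAIL_D_DEFAULTS_DEBIAN_CONF),
        ("/etc/fail2ban/jail.local", JAIL_LOCAL),
    ])
    return effective_jail(cfg, "sshd")


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key} = {value}")
```

Running it prints the resolved sshd settings: enabled comes from jail.d, bantime, ignoreip and maxretry from jail.local, and port, logpath and backend carry through from jail.conf. On a live system, sudo fail2ban-client -d dumps the configuration as the server actually parsed it, which is the quickest way to confirm which file won for a given key.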
Now run the command below to copy jail.conf and save it as a jail.local file:
sudo cp /etc/fail2ban/jail.{conf,local}
Then run the command below to open the jail.local configuration file in a text editor:
sudo nano /etc/fail2ban/jail.local
The above command opens the configuration file, an excerpt of which is shown below:
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd
Whitelist known IP addresses
To whitelist known IP addresses, uncomment the line starting with ignoreip and add your IP addresses separated by spaces, as shown below:
ignoreip = 127.0.0.1/8 ::1 15.18.24.57 192.168.1.0/24
Configure ban settings
Bantime – bantime is the number of seconds that a host is banned. The default bantime value is 10 minutes. If you want to change how long an IP stays banned, change its value as shown below:
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
Findtime – findtime is the time window within which the failures are counted: a host is banned only if it reaches maxretry failures inside the last findtime seconds.
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 10m
Maxretry – maxretry is the number of failures before a host gets banned. The default value for maxretry is 5. To change its value, change the line as shown below:
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
Fail2ban Jails Services
Fail2ban uses the concept of jails. A jail describes a service and includes its filters and actions. By default, only the SSH jail is enabled. You can enable jails for more services so that offending hosts are banned when the conditions are met.
To enable the proftpd jail, set its section in jail.local as shown below:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
The settings discussed above can also be set per jail; for the SSH jail this looks as shown below:
# SSH servers
[sshd]
enabled = true
bantime = 1d
findtime = 10min
maxretry = 5
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
When you have finished editing the configuration file, restart the Fail2ban service by running the command below:
sudo systemctl restart fail2ban
Fail2ban Command Line Tool
Fail2ban comes with a command-line tool known as fail2ban-client. It is used to interact with and manage the Fail2ban service.
Run the command with the -h option to view all available options for fail2ban-client, as shown below:
fail2ban-client -h
Check the Fail2ban jail status:
sudo fail2ban-client status sshd
Unban a particular IP address:
sudo fail2ban-client set sshd unbanip 198.178.11.1
Ban a particular IP address:
sudo fail2ban-client set sshd banip 198.178.11.1
That’s all.
If you face any errors or issues in the steps above, please use the comment box below to report them.