How To Install fail2ban in Ubuntu

Fail2ban is a popular intrusion detection system for Linux. It monitors log files to identify automated attacks and failed login attempts. Once it identifies the IP address responsible for the intrusion, Fail2ban immediately blocks that IP address. It is very useful in blocking brute force attacks. It is really easy to install and use Fail2ban. Here are the steps to install Fail2ban in Ubuntu.

How To Install fail2ban in Ubuntu

1. Update Ubuntu

Open a terminal and run the following commands to update the Ubuntu system.

$ sudo apt-get update
$ sudo apt-get upgrade

2. Install Fail2ban

Run the following command to install fail2ban.

$ sudo apt-get install -y fail2ban

3. Enable Fail2ban

Start fail2ban and enable it at boot with the following commands:

$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban

You can check the status of fail2ban using the following command:

$ sudo systemctl status fail2ban

You will see output like the one below. The line reading "Active: active (running)" indicates that fail2ban is running properly.

● fail2ban.service - Fail2Ban Service
      Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
      Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
        Docs: man:fail2ban(1)
    Main PID: 1251 (f2b/server)
       Tasks: 5 (limit: 1079)
      Memory: 13.8M
      CGroup: /system.slice/fail2ban.service
              └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

4. Configure Fail2ban

Fail2ban reads its jail configuration from four locations, in the following order:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

Files later in this list override settings from the files before them, so jail.conf holds the packaged defaults and jail.local holds your changes.

Typically, people copy the default jail.conf to jail.local and update it.

We will copy the jail.conf file as shown below:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open jail.local with a text editor:

$ sudo vi /etc/fail2ban/jail.local

In this file you will find different sections, each with comments explaining what it does.

We will look at some basic settings:

ignoreip – IP addresses and ranges that fail2ban must never ban, such as your own management host. To exempt one or more addresses, uncomment the line starting with ignoreip and add the addresses separated by spaces. Here's an example.

ignoreip = ::1

bantime – duration of ban. Default value is 10 minutes. Here’s an example to set it to 1 day.

bantime = 1d

findtime – the window in which the specified number of failures must occur. If you have set fail2ban to ban an IP after 3 failures, those 3 failures must all fall within findtime; older failures no longer count. Here's an example:

findtime = 10m

maxretry – maximum number of failures within findtime before an IP is banned. For example:

maxretry = 5

For example, if you add the following [sshd] section to jail.local, fail2ban will ban any IP address after 3 failed SSH login attempts within 10 minutes. The failures are read from logpath, and the port setting tells fail2ban which port the resulting firewall rule blocks (22 here, so change it if your SSH daemon listens elsewhere).

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1d
findtime = 10m
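To see how maxretry and findtime work together before you rely on them, here is an added example (not part of the original article or of fail2ban itself) that replays the sshd jail's counting rule over a constructed auth.log excerpt: a failure counts toward a ban only while it is inside the sliding findtime window. The log lines, host name and addresses are made up for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not real server data). 203.0.113.5 fails five
# times, but the first two are more than 10 minutes before the rest.
SAMPLE_AUTH_LOG = """\
Aug 19 06:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Aug 19 06:12:30 host sshd[1204]: Failed password for root from 203.0.113.5 port 50130 ssh2
Aug 19 06:14:02 host sshd[1209]: Accepted publickey for ubuntu from 198.51.100.7 port 40010 ssh2
Aug 19 06:25:45 host sshd[1215]: Failed password for root from 203.0.113.5 port 50140 ssh2
Aug 19 06:27:10 host sshd[1219]: Failed password for invalid user test from 198.51.100.7 port 40020 ssh2
Aug 19 06:29:55 host sshd[1222]: Failed password for root from 203.0.113.5 port 50150 ssh2
Aug 19 06:31:00 host sshd[1225]: Failed password for root from 203.0.113.5 port 50160 ssh2
"""

# Simplified stand-in for the sshd filter: only "Failed password" lines count.
FAILED_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)

def parse_failures(log_text, year=2020):
    """Return (timestamp, ip) for every failed login line (syslog lines carry no year, so one is assumed)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group(2)))
    return failures

def banned_ips(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """Ban an IP once it has maxretry failures inside one findtime-long sliding window."""
    recent = {}   # ip -> timestamps of failures still inside the window
    banned = {}   # ip -> timestamp of the failure that triggered the ban
    for ts, ip in sorted(failures):
        if ip in banned:
            continue   # already blocked by the firewall rule for bantime
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]  # drop expired hits
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def simulate(log_text=SAMPLE_AUTH_LOG, maxretry=3, findtime_minutes=10):
    """Apply jail settings to the log and return {ip: 'HH:MM:SS' of the hit that caused the ban}."""
    bans = banned_ips(parse_failures(log_text), maxretry, timedelta(minutes=findtime_minutes))
    return {ip: ts.strftime("%H:%M:%S") for ip, ts in bans.items()}

if __name__ == "__main__":
    print("findtime=10m:", simulate())                   # ban only after the third hit in the window
    print("findtime=30m:", simulate(findtime_minutes=30))  # earlier hits still count, ban comes sooner
```

With the article's settings the ban lands on the 06:31:00 hit; widening findtime to 30 minutes bans on the 06:25:45 hit, and raising maxretry to 5 never bans this host.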

5. Test & Unban IP address

Try logging into your server via SSH and fail every attempt by passing incorrect credentials. After the 3rd attempt, you will no longer be able to SSH into your server from that client. Since the ban applies to the client's address, test from a machine you can afford to have banned, or list your own address in ignoreip first.

Fail2ban ships with a client that allows you to manage its service. You can use it to unban an IP address.

Unban an IP address (replace <ip-address> with the address that was banned):

$ sudo fail2ban-client set sshd unbanip <ip-address>

Ban an IP address manually:

$ sudo fail2ban-client set sshd banip <ip-address>

As you can see, it is very easy to install and configure fail2ban in Ubuntu.
