Fail2ban is a popular intrusion prevention tool for Linux. It watches log files for the traces that automated attacks leave behind, such as repeated failed login attempts, and once a source IP address exceeds a configured number of failures within a time window it bans that address, normally by inserting a firewall rule. This makes it very useful against brute force attacks. Fail2ban is easy to install and use.
How To Install fail2ban in Ubuntu
Here are the steps to install Fail2ban in Ubuntu.
1. Update Ubuntu
Open terminal and run the following commands to update Ubuntu system.
$ sudo apt-get update
$ sudo apt-get upgrade
2. Install Fail2ban
Run the following command to install fail2ban.
$ sudo apt-get install -y fail2ban
3. Enable Fail2ban
Start and enable fail2ban with the following commands
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
You can check the status of fail2ban using the following command
$ sudo systemctl status fail2ban
You will see output like the one below. The Active: active (running) line shows that fail2ban is running properly.
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
4. Configure Fail2ban
Fail2ban reads its jail configuration from four places, in this order:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf (in alphabetical order)
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local (in alphabetical order)
Files read later override settings of the same name in files read earlier, and a setting in a jail's own section (for example [sshd]) takes precedence over the same setting in [DEFAULT], whichever file it comes from. jail.conf is owned by the package and is replaced on upgrade, so your customizations belong in jail.local or in jail.d/. Ubuntu also ships /etc/fail2ban/jail.d/defaults-debian.conf, which enables the sshd jail out of the box.
Typically, people copy the default jail.conf to jail.local and update it. A leaner alternative is to create a jail.local that contains only the settings you change; a full copy freezes every default at its current value, so later upstream changes to jail.conf never take effect.
We will copy the jail.conf file as shown below
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open jail.local with a text editor
$ sudo vi /etc/fail2ban/jail.local
In this file, you will find different sections, each of which is well commented about what it does.
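The precedence rules above are easy to get wrong, so the following script, added here as an example and not taken from the tutorial or from the fail2ban project, resolves a jail setting the way fail2ban layers its files and then runs that against a constructed config tree that mimics a fresh Ubuntu install plus typical edits. The function names effective_setting and make_sample_config, and all sample values in the heredocs, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the fail2ban project).
# Assumed names: effective_setting, make_sample_config; sample values are constructed.

# effective_setting DIR JAIL KEY
# Prints KEY for JAIL under config dir DIR, honouring the documented read order
# (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; globs expand sorted)
# and the rule that a jail's own section beats [DEFAULT] whichever file set it.
# Multi-line continuation values (as in a long ignoreip) are not handled.
effective_setting() {
  dir=$1 jail=$2 key=$3
  set --
  for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
    if [ -f "$f" ]; then set -- "$@" "$f"; fi
  done
  [ $# -gt 0 ] || return 1
  awk -v jail="$jail" -v key="$key" '
    FNR == 1 { s = "" }                       # a section never carries over between files
    /^[ \t]*[#;]/ { next }                    # comment line
    /^\[/ { s = $0; sub(/^\[/, "", s); sub(/\].*/, "", s); next }
    {
      k = $0; sub(/[ \t]*=.*/, "", k); gsub(/[ \t]/, "", k)
      if (k != key) next
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      if (s == jail) jv = v; else if (s == "DEFAULT") dv = v   # later files overwrite
    }
    END { if (jv != "") print jv; else if (dv != "") print dv }
  ' "$@"
}

# make_sample_config DIR
# Writes a constructed tree: package defaults, the Ubuntu-shipped jail.d file,
# a jail.local with the sysadmin's overrides, and a later jail.d/*.local drop-in.
make_sample_config() {
  mkdir -p "$1/jail.d"
  cat > "$1/jail.conf" <<'EOF'
# package-owned defaults (replaced on upgrade)
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
port    = ssh
logpath = %(sshd_log)s
EOF
  cat > "$1/jail.d/defaults-debian.conf" <<'EOF'
[sshd]
enabled = true
EOF
  cat > "$1/jail.local" <<'EOF'
[DEFAULT]
bantime = 1d

[sshd]
maxretry = 3
EOF
  cat > "$1/jail.d/99-local.local" <<'EOF'
[sshd]
bantime = 1h
EOF
}

# Demo: resolve the sshd jail's settings from the constructed tree.
tmp=$(mktemp -d)
make_sample_config "$tmp"
for key in enabled port bantime findtime maxretry; do
  printf '%-8s = %s\n' "$key" "$(effective_setting "$tmp" sshd "$key")"
done
rm -rf "$tmp"
```

Note that bantime resolves to 1h: the [DEFAULT] value of 1d in jail.local loses to the [sshd] value in the later drop-in, while findtime still falls through to the package default. On a live server the authoritative answer comes from the running daemon, for example sudo fail2ban-client get sshd bantime, which this script only approximates.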
We will look at some basic settings
ignoreip – addresses and ranges that fail2ban must never ban, such as your own workstation or management network. Do not skip this: a mistyped password from your own machine is otherwise enough to lock you out of the server. The default exempts only loopback; add further addresses or CIDR ranges separated by spaces. Here's an example (192.0.2.10 and 198.51.100.0/24 are documentation addresses standing in for your own).
ignoreip = 127.0.0.1/8 ::1 192.0.2.10 198.51.100.0/24
bantime – duration of a ban. The default is 10 minutes; values accept the suffixes m, h and d, and -1 makes bans permanent. Here's an example that sets it to 1 day.
bantime = 1d
findtime – duration in which the specified number of failures or attacks must occur. If you have set fail2ban to ban an ip after 3 failures, then they must occur within findtime value. Here’s an example
findtime = 10m
maxretry – maximum number of failures before an IP is banned. For example,
maxretry = 5
For example, the following jail section bans any IP address after 3 failed SSH login attempts within 10 minutes, for one day. Fail2ban detects the failures by reading the log file named in logpath (the sshd filter matches lines such as "Failed password for ... from <ip>" in /var/log/auth.log); it does not watch the port. The port setting tells the ban action which port to block for the offending address, so change it if sshd listens somewhere other than 22. On Ubuntu the sshd jail is already enabled by /etc/fail2ban/jail.d/defaults-debian.conf, so this section mainly tightens its thresholds. Save the file and restart the fail2ban service with systemctl so the change takes effect.
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1d
findtime = 10m
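To see what the maxretry and findtime settings above actually do, the script below, added here as an example and not taken from the tutorial or from the fail2ban project, replays a constructed /var/log/auth.log excerpt through the same rule the sshd jail applies and prints which addresses would be banned and when. The functions would_ban and sample_log, the log lines, and the documentation addresses 203.0.113.5, 198.51.100.7 and 192.0.2.10 are assumptions made for this example; it goes beyond the page by running the same log with two different findtime windows.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the fail2ban project).
# Assumed names: would_ban, sample_log; the log excerpt is constructed.

# Constructed auth.log excerpt. Two attackers (203.0.113.5, 198.51.100.7)
# and one legitimate key login (192.0.2.10) that must never count.
sample_log() {
  cat <<'EOF'
Aug 19 06:16:20 host sshd[1301]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 19 06:16:31 host sshd[1301]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 19 06:16:35 host sshd[1305]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Aug 19 06:16:40 host sshd[1301]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 19 06:30:02 host sshd[1320]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Aug 19 06:44:10 host sshd[1340]: Accepted publickey for ubuntu from 192.0.2.10 port 50100 ssh2: ED25519 SHA256:k3yf1ngerpr1nt
Aug 19 06:47:55 host sshd[1351]: Failed password for invalid user admin from 198.51.100.7 port 40230 ssh2
EOF
}

# would_ban FINDTIME_SECONDS MAXRETRY < log
# Mimics the sshd jail: every "Failed password ... from <ip>" line is one
# failure for that source, and a source is banned the moment it has MAXRETRY
# or more failures inside the trailing FINDTIME window. Times come from the
# syslog clock field and are assumed to fall on a single day.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 5; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; seen[ip, n[ip]] = now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (now - seen[ip, j] <= findtime) hits++
      if (hits >= maxretry && !(ip in banned)) {
        banned[ip] = now
        print ip " banned at " $3
      }
    }'
}

# Demo with the tutorial's values (findtime = 10m, maxretry = 3), then with a
# one-hour window to show how findtime alone changes the outcome.
echo "findtime=10m:"; sample_log | would_ban 600 3
echo "findtime=1h:";  sample_log | would_ban 3600 3
```

With a 10 minute window only 203.0.113.5 is banned; the slow attacker at 198.51.100.7 spreads its three failures over half an hour and never has three inside one window, which is exactly the case a longer findtime is meant to catch. Also note that the count is of log lines, not connections: sshd allows several password prompts per connection (MaxAuthTries, 6 by default), so one session can trip maxretry on its own.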
5. Test & Unban IP address
From a different machine, one whose address is not listed in ignoreip, try logging into your server via SSH and enter wrong credentials each time. Once three failures have been logged, further connections from that address are refused for the bantime you configured. The fail2ban-client status sshd command lists the addresses currently banned by the jail.
Fail2ban ships with a command-line client, fail2ban-client, for managing the running service. You can use it to unban (or ban) an address by hand. In the commands below, 203.0.113.5 is a documentation address standing in for the real one.
Unban an IP address (e.g. 203.0.113.5)
$ sudo fail2ban-client set sshd unbanip 203.0.113.5
Ban an IP address (e.g. 203.0.113.5)
$ sudo fail2ban-client set sshd banip 203.0.113.5
As you can see, it is very easy to install and configure fail2ban in Ubuntu.