How to Install and Configure Fail2ban on Ubuntu 20.04

Any service that is exposed to the Internet is at risk of automated attacks. For example, if you are running SSH on a publicly reachable host, attackers can use brute-force login attempts to guess account passwords.

Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan log files. All entries that match a pattern are counted, and when the count reaches a predetermined threshold, Fail2ban uses the system firewall to ban the offending IP address for a set period of time. When the ban period ends, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 20.04.

Installing Fail2ban on Ubuntu

The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, enter the following commands as root or as a user with sudo privileges:

sudo apt update
sudo apt install fail2ban

After the installation is complete, the Fail2ban service will start automatically. You can verify it by checking the service status:

sudo systemctl status fail2ban

The output will look like this:

fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

That's it. At this point, Fail2ban is running on your Ubuntu server.

Fail2ban configuration

The default install of Fail2ban comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files because they might be overwritten when the package is updated.

Fail2ban reads configuration files in the following order. Each .local file overrides the settings from the .conf file:

 /etc/fail2ban/jail.conf
 /etc/fail2ban/jail.d/*.conf
 /etc/fail2ban/jail.local
 /etc/fail2ban/jail.d/*.local

For most users, the easiest way to configure Fail2ban is to copy jail.conf to jail.local and modify the .local file. More advanced users can create .local configuration files from scratch. The .local file doesn't have to include all of the settings from the corresponding .conf file, only the ones you want to override.
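The override order above can be checked with a small added Python example (not part of Fail2ban and not the project's own configuration reader). It writes a constructed set of files into a temporary directory, loads them in the documented order with configparser, and reports the effective sshd settings. The file names under jail.d, the values, and the helper names are assumptions made for the illustration; interpolation of %(...)s references is switched off here, so they stay literal rather than being expanded as Fail2ban would expand them.

```python
import configparser
import glob
import os
import tempfile

# The read order the text describes: each later file overrides the earlier ones.
READ_ORDER = [
    "jail.conf",
    "jail.d/*.conf",
    "jail.local",
    "jail.d/*.local",
]


def config_files(root):
    """Expand READ_ORDER into the files that actually exist under root, relative to root."""
    paths = []
    for pattern in READ_ORDER:
        for path in sorted(glob.glob(os.path.join(root, pattern))):
            paths.append(os.path.relpath(path, root))
    return paths


def effective_config(root):
    """Load every file in order into one ConfigParser; a key set by a later file wins.
    interpolation=None keeps %(sshd_log)s-style values literal (Fail2ban expands them itself)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read([os.path.join(root, rel) for rel in config_files(root)])
    return parser


# Constructed demo tree (assumed contents, not the real Ubuntu package files).
DEMO_FILES = {
    "jail.conf": """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 10m
findtime = 10m
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s
""",
    "jail.d/defaults-debian.conf": """\
[sshd]
enabled = true
""",
    "jail.local": """\
[DEFAULT]
bantime = 1d
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
""",
    "jail.d/sshd-override.local": """\
[sshd]
maxretry = 3
bantime = 4w
""",
}


def write_demo_tree(root):
    for rel, body in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def resolved_jail(root, jail):
    """Settings a jail ends up with after all overrides (DEFAULT values included)."""
    return dict(effective_config(root)[jail])


def demo():
    """Build the tree in a temporary directory and return (files read, effective sshd settings)."""
    with tempfile.TemporaryDirectory() as root:
        write_demo_tree(root)
        return config_files(root), resolved_jail(root, "sshd")


if __name__ == "__main__":
    files, sshd = demo()
    print("read order:", files)
    for key, value in sshd.items():
        print(f"{key} = {value}")
```

Running it shows that bantime for sshd is 4w (the jail-specific value from jail.d/sshd-override.local beats the 1d set in the DEFAULT section of jail.local, which in turn beat the 10m from jail.conf), while findtime still comes from jail.conf because nothing overrode it.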

Create a .local configuration file from the default jail.conf file:

sudo cp /etc/fail2ban/jail.{conf,local}

To begin configuring the Fail2ban server, open the jail.local file with your text editor:

sudo nano /etc/fail2ban/jail.local

The file includes comments describing what each configuration option does. In this example, we will change the basic settings.

IP Address White List

IP addresses, IP ranges or hosts that you wish to exclude from banning can be added to the ignoreip directive. Here you should add the IP address of your local PC and any other machines you wish to whitelist.

Uncomment the line starting with ignoreip and add your IP addresses separated by spaces:

/etc/fail2ban/jail.local

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban Settings

The bantime, findtime, and maxretry values determine the ban duration and the conditions under which a ban is applied.

bantime is the duration for which an IP is banned. If no suffix is specified, the value is interpreted as seconds. By default, bantime is set to 10 minutes. Generally, most users want to set a longer ban time. Change the value to your liking:

/etc/fail2ban/jail.local

bantime  = 1d

To ban an IP permanently, use a negative number.

findtime is the window within which the failures must occur for a ban to be set. For example, if Fail2ban is configured to ban an IP after five failures (maxretry, see below), those five failures must occur within the findtime window.

/etc/fail2ban/jail.local

findtime  = 10m

maxretry is the number of failures before an IP is banned. The default value is five, which should be fine for most users.

/etc/fail2ban/jail.local

maxretry = 5

Email notification

Fail2ban can send email alerts when an IP has been banned. To receive emails, you must have an SMTP server installed on your machine and change the default action, which only bans the IP, to %(action_mw)s, as shown below:

/etc/fail2ban/jail.local

action = %(action_mw)s

%(action_mw)s will ban the offending IP and send an email with a whois report. If you want to include the relevant log lines in the email, set the action to %(action_mwl)s.

You can also customize the sender and recipient email addresses:

/etc/fail2ban/jail.local

destemail = admin@uberhowto.com

sender = root@uberhowto.com

Fail2ban Jails

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions. Log entries that match the search pattern are counted, and when the predefined conditions are met, the corresponding actions are executed.

Fail2ban ships with a number of jails for different services. You can also create your own jail configurations.

By default, only the ssh jail is enabled. To activate a jail, add enabled = true after the jail's section header. The following example shows how to activate the proftpd jail:

/etc/fail2ban/jail.local

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The settings we discussed in the previous section can also be set per jail. Here's an example:

/etc/fail2ban/jail.local

[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 23.34.45.56

The filters are located in the /etc/fail2ban/filter.d directory, saved in a file with the same name as the jail. If you have a special setup and experience with regular expressions, you can fine-tune filters.
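To make the bantime, findtime and maxretry semantics from the Ban Settings section and the jail/filter model described here concrete, the following is an added Python example (not Fail2ban's own code) that simulates one jail over constructed log lines. The filter regex, the "<ISO timestamp> <message>" log format, the Jail class and the sample hosts are all assumptions made for the illustration; Fail2ban's real sshd filter and log parsing are more elaborate. It also goes one step beyond the text by showing ban expiry and the permanent (negative bantime) case.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical, simplified stand-in for the sshd filter in /etc/fail2ban/filter.d.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<msg>.*)$")  # assumed "<ISO timestamp> <message>" format
DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """Fail2ban-style duration: bare seconds, or a number with an s/m/h/d/w suffix."""
    value = str(value).strip()
    if value[-1] in DURATION_UNITS:
        return int(value[:-1]) * DURATION_UNITS[value[-1]]
    return int(value)


class Jail:
    """One jail: a filter regex plus maxretry, findtime, bantime and ignoreip."""

    def __init__(self, maxretry=5, findtime="10m", bantime="10m", ignoreip=""):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=parse_duration(findtime))
        self.bantime = parse_duration(bantime)          # negative means permanent
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.failures = defaultdict(deque)               # host -> recent failure times
        self.bans = {}                                   # host -> expiry, None = forever
        self.events = []                                 # ("ban", host, time), in order

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, now):
        if host not in self.bans:
            return False
        expiry = self.bans[host]
        if expiry is not None and now >= expiry:
            del self.bans[host]                          # ban period over: lift the ban
            return False
        return True

    def feed(self, line):
        """Process one log line; return True if it triggered a ban."""
        m = LINE_RE.match(line)
        hit = FAILREGEX.search(m.group("msg")) if m else None
        if not hit:
            return False                                 # not a failure line
        ts = datetime.fromisoformat(m.group("ts"))
        host = hit.group("host")
        if self.is_ignored(host) or self.is_banned(host, ts):
            return False
        window = self.failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:  # drop failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = None if self.bantime < 0 else ts + timedelta(seconds=self.bantime)
            self.events.append(("ban", host, ts))
            window.clear()
            return True
        return False


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2020-08-19T06:00:00 sshd[1200]: Failed password for root from 203.0.113.5 port 50000 ssh2
2020-08-19T06:01:00 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
2020-08-19T06:02:00 sshd[1202]: Failed password for root from 198.51.100.7 port 40000 ssh2
2020-08-19T06:03:00 sshd[1203]: Failed password for root from 203.0.113.5 port 50002 ssh2
2020-08-19T06:04:00 sshd[1204]: Failed password for root from 203.0.113.5 port 50003 ssh2
2020-08-19T06:05:00 sshd[1205]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
2020-08-19T06:15:00 sshd[1206]: Failed password for root from 198.51.100.7 port 40001 ssh2
2020-08-19T06:30:00 sshd[1207]: Failed password for root from 198.51.100.7 port 40002 ssh2
2020-08-19T06:31:00 sshd[1208]: Failed password for root from 192.168.1.20 port 30000 ssh2
2020-08-19T06:32:00 sshd[1209]: Failed password for root from 192.168.1.20 port 30001 ssh2
2020-08-19T06:33:00 sshd[1210]: Failed password for root from 192.168.1.20 port 30002 ssh2
"""


def run_jail(log_text, **settings):
    """Feed every line of log_text through a fresh Jail and return it."""
    jail = Jail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


def ban_active(jail, host, iso_time):
    """Is host banned in jail at the given ISO-8601 time?"""
    return jail.is_banned(host, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    j = run_jail(SAMPLE_LOG, maxretry=3, findtime="10m", bantime="1d",
                 ignoreip="127.0.0.1/8 192.168.1.0/24")
    for kind, host, when in j.events:
        print(f"{when.isoformat()} {kind} {host}")
```

With maxretry = 3 and findtime = 10m, 203.0.113.5 is banned at its third failure (06:03) and its later attempts are not counted while the ban is active; 198.51.100.7 also fails three times but spread over 28 minutes, so it never has three failures inside one findtime window and is not banned; 192.168.1.20 is never banned because it falls inside the whitelisted 192.168.1.0/24 range.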

Every time you edit the configuration file, you need to restart the Fail2ban service for the changes to take effect:

sudo systemctl restart fail2ban

Fail2ban client

Fail2ban ships with a command line tool called fail2ban-client which you can use to interact with the Fail2ban service.

To see all available options, call the command with the -h option:

fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

Check the status of a jail:

sudo fail2ban-client status sshd

Unban an IP:

sudo fail2ban-client set sshd unbanip 23.34.45.56

Ban an IP:

sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

We have shown you how to install and configure Fail2ban on Ubuntu 20.04.

For more information on this topic, visit the Fail2ban documentation.

If you have any questions, feel free to leave a comment below.
