Have you recently purchased a Virtual Private Server (VPS) or any server that is connected to the Internet? Are you aware that your server is at risk for malicious attacks?
Don’t worry!
This guide will assist you in setting up your Ubuntu server securely with Fail2Ban.
We will walk you through the installation process, and you can ensure that your server is secured and protected from malicious actors.
Fail2ban is a tool that helps protect your Linux machine from malicious attacks. It looks at service logs to find suspicious activity and if it sees enough of it, it blocks the IP address from accessing the system for a set amount of time. When the ban expires, the IP address is allowed to access the system again.
Installing Fail2ban on Ubuntu
- Enter the following command as root or user with sudo privileges:
sudo apt update
sudo apt install fail2ban- Once the installation is completed, run the following command to check the status:
sudo systemctl status fail2ban- This will show you that the service is active and successfully running.
Understanding Fail2Ban Configuration
- There are two main configuration files in Fail2Ban:
/etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf - /etc/fail2ban/fail2ban.conf — This is the configuration file for the operational settings like log level, log file, socket and pid file of the Fail2Ban daemon
- /etc/fail2ban/jail.conf — This is the file where you can configure things like default ban time, number of retries before banning an IP, and whitelisting IPs.
- jail.conf consists of several settings but we will only focus on a few:
bantime - Duration that a host is banned.
maxretry - Number of failed retries before an action is taken.
findtime - Window time in which the action on an IP will be taken.
Default is 10 minutes. For example: a bad login was attempted
by a certain IP at 11:30AM. If the same IP reaches the maximum
number of retries before 11:40AM, it will be banned.
Otherwise, the next failed attempt after 11:40 will be counted
as first failed attempt.
ignoreip - List of IPs that are whitelisted from any Fail2Ban action.Configuring Fail2Ban Jails
- We will only need to update jail.conf file, but Fail2Ban advises to make a copy with .local file. This is because the default files can be overwritten in updates and you’ll lose all your settings.
- Enter the following command to create a jail.local file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local- Edit the jail.local file by using the vi editor:
vi /etc/fail2ban/jail.local- Press i to trigger Insert mode
- Find the following settings and update them as you see fit. Below are some sample configurations:
bantime = 60m
maxretry = 5
findtime = 10m
ignoreip = 127.0.0.1/8 ::1 10.0.0.1
wherein IPs are separated by spaces
(127.0.0.1/8 and ::1 are loopback addresses
or your system address;
10.0.0.1 is a sample IP that you want to be
whitelisted)- Save the file by doing the following:
Press Esc
Type :wq!
Hit Enter - Finally, restart the Fail2Ban:
systemctl start fail2ban
systemctl enable fail2banChecking Fail2Ban Status and Logs
- To check the status, enter the following command:
fail2ban-client status- Fail2Ban log is located at /var/log/fail2ban.log
Unban IP Blocked by Fail2Ban
- First, let’s check whether the target IP is blocked or not.
iptables -n -L- If you found the target IP address in the output, it means it is banned.
- Check which jail the IP is blocked
grep -E 'Ban.*10.0.0.1' /var/log/fail2ban.log- Output should look like this:
fail2ban.actions [25630]: NOTICE [sshd] Ban 10.0.0.1- The output above means that IP 10.0.0.1 is jailed in sshd.
- Use the command format below to unban the IP
fail2ban-client set sshd unbanip 10.0.0.1