How to install and configure Fail2ban on Ubuntu 20.04

Any service exposed to the Internet is at risk of attack. For example, if you run a service on a public network, attackers can use brute force attempts to log into your accounts.

Fail2ban is a tool that helps protect your Linux computer from brute force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan log files. All entries that match the patterns are counted and when their number reaches a certain predefined threshold, Fail2ban blocks the offending IP address with the system firewall for a specified period of time. When the ban expires, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 20.04.

Installing Fail2ban on Ubuntu

The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, enter the following command as root or a user with sudo privileges:

sudo apt update
sudo apt install fail2ban

After the installation is complete, the Fail2ban service will start automatically. You can verify this by checking the status of the service:

sudo systemctl status fail2ban

The result will look like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

That’s all. At this point, you have Fail2Ban running on your Ubuntu server.

Fail2ban configuration

A standard Fail2ban installation includes two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files, as they may be overwritten when the package is updated.

Fail2ban reads configuration files in the following order. Each .local file overrides the settings from the .conf file:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

For most users, the easiest way to set up Fail2ban is to copy jail.conf to jail.local and modify the .local file. More advanced users can create a .local configuration file from scratch. The .local file does not have to include all the options from the corresponding .conf file, only the ones you want to replace.

Create the .local config file from the default jail.conf file:

sudo cp /etc/fail2ban/jail.{conf,local}

To start configuring the Fail2ban server, open the jail.local file in your favorite text editor:

sudo nano /etc/fail2ban/jail.local

The file includes comments describing what each configuration parameter does. In this example, we will change the basic settings.

Add IP addresses to whitelist

You can add IP addresses, IP ranges, or hosts to the ignoreip directive that you want to exclude from the ban. Here you have to add the IP address of your local PC and all other machines that you want to whitelist.

Uncomment the line starting with ignoreip and add your IP addresses separated by a space:

/etc/fail2ban/jail.local

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban settings

The bantime, findtime and maxretry options determine how long an IP is banned and under which conditions a ban is applied.

bantime is the period for which the IP is blocked. If no suffix is specified, the value is interpreted as seconds. By default, bantime is set to 10 minutes. Most users want a longer blocking time; change the value to your liking:

/etc/fail2ban/jail.local

bantime  = 1d

To permanently ban an IP, use a negative number.

findtime is the time window within which the failures must occur for a ban to be set. For example, if Fail2ban is configured to ban an IP address after five failures (see maxretry below), those five failures must occur within the specified findtime.

/etc/fail2ban/jail.local

findtime  = 10m

maxretry is the number of failures before the IP address is blocked. The default is five, which should be fine for most users.

/etc/fail2ban/jail.local

maxretry = 5

Email notifications

Fail2ban can send email notifications when an IP is blocked. To receive emails, you need an SMTP server installed on your server, and you need to change the default action, which only bans the IP, to %(action_mw)s, as shown below:

/etc/fail2ban/jail.local

action = %(action_mw)s

%(action_mw)s will block the offending IP address and send an email with a Whois report. If you want to include the relevant log lines in the email, set the action to %(action_mwl)s instead.

You can also set up send and receive email addresses:

/etc/fail2ban/jail.local

destemail = [email protected]

sender = [email protected]

Fail2ban jails

Fail2ban uses the concept of jails. A jail describes a service and includes a filter and actions. Log entries matching the filter pattern are counted, and the actions are taken when a predefined condition is met.

Fail2ban comes with several jails for various services. You can also create your own jail configurations.

By default, only the sshd jail is enabled. To enable a jail, you need to add enabled = true after the jail header. The following example shows how to enable the proftpd jail:

/etc/fail2ban/jail.local

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The parameters we discussed in the previous section can be set for each jail. Here’s an example:

/etc/fail2ban/jail.local

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 23.34.45.56

The filters are located in the /etc/fail2ban/filter.d directory, each stored in a file with the same name as its jail. If you have specific requirements and experience with regular expressions, you can fine-tune the filters.
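To make the interplay of a filter regex, ignoreip, findtime, maxretry and bantime concrete, here is an added example (not part of Fail2ban or of this article) that models a jail's ban decision over constructed sshd log lines, using the [sshd] settings from the example above. The failregex is a simplified stand-in for the real filter.d/sshd.conf pattern, and the timestamps are made ISO-formatted for the example's sake.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified failregex in the spirit of filter.d/sshd.conf (assumption, not the real pattern).
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed sample log lines (ISO timestamps added for the example).
SAMPLE_LOG = """\
2020-08-19T06:10:00 sshd[1200]: Failed password for root from 203.0.113.7 port 50122 ssh2
2020-08-19T06:10:05 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
2020-08-19T06:10:09 sshd[1202]: Accepted publickey for deploy from 198.51.100.3 port 40000 ssh2
2020-08-19T06:10:12 sshd[1203]: Failed password for root from 203.0.113.7 port 50140 ssh2
2020-08-19T06:11:00 sshd[1204]: Failed password for root from 23.34.45.56 port 50150 ssh2
2020-08-19T06:11:02 sshd[1205]: Failed password for root from 23.34.45.56 port 50151 ssh2
2020-08-19T06:11:04 sshd[1206]: Failed password for root from 23.34.45.56 port 50152 ssh2
2020-08-21T07:00:00 sshd[1300]: Failed password for root from 198.51.100.9 port 40001 ssh2
2020-08-21T07:00:10 sshd[1301]: Failed password for root from 198.51.100.9 port 40002 ssh2
2020-08-22T08:00:00 sshd[1302]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

def parse_duration(value: str) -> timedelta:
    """Parse Fail2ban-style durations such as 600, 10m, 1d, 4w (plain numbers are seconds)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))

def is_ignored(ip: str, ignoreip: str) -> bool:
    """True if ip is covered by any address or CIDR range in the ignoreip list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip.split())

def scan(log: str, maxretry=3, findtime="1d", bantime="4w", ignoreip="127.0.0.1/8 23.34.45.56"):
    """Return {ip: ban_expiry} for every IP that reached maxretry failures within findtime."""
    window, ban_for = parse_duration(findtime), parse_duration(bantime)
    failures, bans = defaultdict(list), {}
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m or is_ignored(m["ip"], ignoreip) or m["ip"] in bans:
            continue  # no match, whitelisted, or already banned
        ts = datetime.fromisoformat(line.split()[0])
        # Keep only the failures that fall inside the sliding findtime window.
        recent = [t for t in failures[m["ip"]] if ts - t <= window] + [ts]
        failures[m["ip"]] = recent
        if len(recent) >= maxretry:
            bans[m["ip"]] = ts + ban_for  # the ban lifts after bantime
    return bans
```

In the sample, 203.0.113.7 is banned on its third failure, 23.34.45.56 is never banned because it is in ignoreip, and 198.51.100.9 is not banned because its third failure falls outside the 1d findtime window.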

Every time you edit the configuration file, you need to restart the Fail2ban service for the changes to take effect:

sudo systemctl restart fail2ban

Fail2ban client

Fail2ban comes with a command line tool named fail2ban-client that you can use to interact with the Fail2ban service.

To view all available options, run the command with the -h option:

fail2ban-client -h

This tool can be used to block / unblock IP addresses, change settings, restart a service, and more. Here are some examples:

  • Check the jail status:
    sudo fail2ban-client status sshd
  • Unban an IP:
    sudo fail2ban-client set sshd unbanip 23.34.45.56
  • Ban an IP:
    sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

We showed you how to install and configure Fail2ban on Ubuntu 20.04.

For more information on this topic visit the Fail2ban documentation.

If you have any questions, do not hesitate to leave comments below.
