In this tutorial we will show you how to install and configure Fail2Ban on your Ubuntu VPS.
WHAT IS FAIL2BAN
Fail2Ban is one of the best-known applications that help prevent dictionary (brute-force) attacks on your server.
You may ask how it works.
Well, when Fail2Ban detects multiple failed login attempts from the same IP address on your server, it creates temporary firewall rules that block traffic from that IP address.
Attempted logins can be monitored for many different services, including SSH, HTTP, SMTP etc. By default, Fail2Ban monitors SSH only.
HOW TO INSTALL FAIL2BAN?
To install Fail2Ban, first log in to your VPS as root via SSH. Once you are in, the first thing you need to do is download the package lists from the repositories and “update” them to get information on the newest versions of packages and their dependencies. It does this for all repositories and PPAs. To do that just type:
The next command will actually update all the installed software on your VPS. So, type:
After that you can install Fail2Ban by entering the following command:
sudo apt-get install fail2ban
and that’s it.
The program is now installed. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in “/var/log/fail2ban.log“.
Once Fail2Ban is installed you can find all of its configuration files in the “/etc/fail2ban” directory. To enter “/etc/fail2ban” type:
Once you enter the directory you will notice that there is a file called “jail.conf” which holds all the Fail2Ban configuration defaults. It is not recommended to edit this file directly because it can be overwritten by package upgrades and all the changes we make would be lost, so we will create a local copy. To do that type:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Once the file is copied, we can open/edit it and see how everything works:
There are a few settings in the file that you will want to adjust. It is also important to know that all the settings located under the [DEFAULT] section are applied to every service enabled for Fail2Ban, unless they are overridden in the service’s own section.
One of the many things you can adjust is the set of source addresses that Fail2Ban ignores. To do that you will need to search for the ignoreip parameter and add the IP addresses that you do not want to block. You can add a whole CIDR range or just several individual IP addresses, separated by blank spaces. By default Fail2Ban is configured not to ban any traffic coming from the local machine only; however, you can add additional addresses to ignore by appending them to the end of the parameter, separated by a blank space. So the line should look like:
ignoreip = 127.0.0.1/8 000.000.000.000 220.127.116.11
Next is the bantime parameter. This parameter sets the length of time that a client will be banned if for some reason they failed to log in or tried to authenticate incorrectly. It is measured in seconds. As you can see, by default this parameter is set to 600 seconds, or 10 minutes.
bantime = 600
The next parameters that follow, and which you may want to pay attention to, are the findtime parameter and the maxretry parameter. These work together to establish the rules under which a client is found to be an illegitimate user that should be banned. The first one, maxretry, sets how many times a client can try to authenticate within a window of time defined by the findtime parameter before being banned. By default Fail2Ban will ban a client that unsuccessfully attempts to log in 3 times within a 10 minute window.
findtime = 600
maxretry = 3
If you wish to configure email alerts, the next interesting and useful settings that you may want to look at are the destemail, sendername and mta parameters. The destemail parameter defines the email address that should receive ban messages. The sendername parameter sets the value of the “From” field in the email, and the mta parameter configures which mail service will be used to send the mail.
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
So in this example we are sending an email to “[email protected]” from “Fail2Ban” as the sender, and we are using “sendmail” to send that email.
The action parameter configures what action Fail2Ban will take when it wants to institute a ban. The value action_ is defined in the file shortly before this parameter. By default it is configured to simply put a blocking firewall rule in place to reject traffic from the offending host until the ban time elapses.
If you would like to configure email alerts, you can change the value from action_ to action_mw. If you want the email to include the relevant log lines, you can change it to action_mwl instead. The default line looks like:
action = %(action_)s
Next is the part of the configuration file that deals with the individual services. Each service is specified by its own section header in square brackets.
To enable any of them we will need to modify a particular line by setting “enabled” to “true“:
enabled = true
By default, the SSH service is enabled and all others are disabled. For example, if we want to enable the “dropbear” service, you will notice that its section looks like:
[dropbear]
enabled = false
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
As you can see, next to the “enabled” line it says “false“, which means that the service is disabled. To enable it we will need to change “false” to “true” so that the section looks like:
[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
Some other interesting settings that we can set here are the filter parameter, which is used to decide whether a line in a log indicates a failed authentication, and the logpath parameter, which tells Fail2Ban where the logs for that particular service are located. The filter value is actually a reference to a file of the same name in the “/etc/fail2ban/filter.d” directory. This file contains the regular expressions that determine whether a line in the log counts as a failure.
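As an added example (not part of the original tutorial and not Fail2Ban's own code), the following Python script replays the findtime/maxretry/bantime policy described above over a few constructed auth.log lines, using a simplified sshd-style failregex in the spirit of the files in /etc/fail2ban/filter.d. The regex, the sample log lines and the function names are assumptions for illustration; the ignore list is an exact-match whitelist rather than the CIDR form the real ignoreip accepts.

```python
import re
from datetime import datetime, timedelta

# Simplified sshd failregex in the spirit of /etc/fail2ban/filter.d/sshd.conf
# (assumption, not copied from the real filter file).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<host>\S+)")
LOG_TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_line(line, year=2024):
    """Return (timestamp, host) for a failed-auth line, or None if the filter does not match."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {LOG_TS.match(line).group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def apply_policy(lines, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1",)):
    """Replay the jail semantics: maxretry failures inside findtime -> ban for bantime seconds."""
    failures, banned, bans = {}, {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in ignoreip:
            continue                      # whitelisted source, never counted
        if host in banned and ts < banned[host]:
            continue                      # still banned; the firewall would have dropped this
        # keep only failures that fall inside the sliding findtime window
        window = [t for t in failures.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            failures[host] = []
            bans.append((ts, host))
    return bans

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 vps sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:00:12 vps sshd[1204]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:20 vps sshd[1205]: Failed password for root from 127.0.0.1 port 51237 ssh2
Mar  3 10:30:00 vps sshd[1206]: Failed password for root from 198.51.100.4 port 40001 ssh2
Mar  3 10:45:00 vps sshd[1207]: Failed password for root from 198.51.100.4 port 40002 ssh2
Mar  3 10:50:00 vps sshd[1208]: Failed password for root from 198.51.100.4 port 40003 ssh2
""".splitlines()
```

With the defaults only 203.0.113.7 is banned: 198.51.100.4 also fails three times, but its first failure falls outside the 600 second findtime window, which is exactly the slow-and-low case a larger findtime is meant to catch.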
REAL TIME EXAMPLE
Now that we have the basic picture and idea behind Fail2Ban, let’s do a basic setup as an example. We’re going to configure an auto-banning policy for SSH and Apache and set up Fail2Ban to send us an email when an IP is banned.
Before starting with anything, let’s install the software that we will use in the example:
apt-get update
apt-get install apache2 sendmail iptables-persistent
Once the installation is done we will put basic default firewall rules in place. We will tell the firewall to allow established connections, all the traffic generated by the server itself and the traffic destined for our SSH and web server ports. We will drop all other traffic. To start with the setup type the following commands:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
To see the current firewall state just type:
Next we will adjust the Fail2Ban configuration. To do that open the Fail2Ban configuration file:
and under the [DEFAULT] heading, change the bantime parameter to ban clients for 15 minutes:
bantime = 900
We also want to configure an email alert notification. To do that find the destemail parameter and enter the email address where you want to receive these messages:
destemail = [email protected]_domain.com
In the next step we will set the action parameter to one of the actions that sends us the warning email. There are two choices. The first one is the action_mw action, which institutes the ban and then sends us an email with a “whois” report on the offending host, and the second one is action_mwl, which does the same as action_mw but goes further and sends us the relevant log lines too.
Today we are going to use action_mwl because the log lines are what will help us troubleshoot and see more information about the issue. So find the line that says:
action = %(action_)s
And replace it with:
action = %(action_mwl)s
If we want to set the number of unsuccessful SSH login attempts that should be allowed before a ban is established, we will need to edit the
Next, search for the “apache” section, which should be located under “HTTP servers”, and change the enabled parameter to “true“. By default the section looks like:
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
and after the change it should look like:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
Save and close the file, and restart the Fail2Ban service for the changes to take effect:
service fail2ban restart
Once the Fail2Ban service is restarted you can check the new firewall rules by typing:
and you will see:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-apache
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-apache -j RETURN
-A fail2ban-ssh -j RETURN
The fail2ban-apache and fail2ban-ssh chains, and the two INPUT rules that jump into them, are the rules created by the Fail2Ban policies. Note that Fail2Ban inserts its jumps at the top of INPUT, ahead of our ACCEPT rules for ports 22 and 80, so a banned host is rejected before the ACCEPT rule can match.
If you’re one of our Linux VPS Hosting customers we can help you to install and configure Fail2Ban on your virtual server for you free of charge. Just contact us and some of our experts will complete your request immediately.