How to install and configure Fail2Ban on your Ubuntu server


In this tutorial we will show you how to install and configure Fail2Ban on your Ubuntu VPS.


WHAT IS FAIL2BAN

Fail2Ban is the best-known tool for preventing dictionary (brute-force login) attacks against your server.

– How does it work?
When Fail2Ban detects repeated failed login attempts from the same IP address, it creates temporary firewall rules that block traffic from that address.

Login attempts can be monitored for many different services, including SSH, HTTP, SMTP and others. By default, Fail2Ban monitors SSH only.


HOW TO INSTALL FAIL2BAN?

To install Fail2Ban, first log in to your VPS as root via SSH. Once you are in, the first thing to do is download the package lists from the repositories and update them to get information on the newest versions of packages and their dependencies. This is done for all configured repositories and PPAs. To do that, just type:

apt-get update

The next command will actually upgrade all the software on your VPS. So, type:

apt-get upgrade

After that you can install Fail2Ban by entering the following command:

sudo apt-get install fail2ban

and that’s it.

The program is now installed. It will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in “/var/log/fail2ban.log”.


CONFIGURE FAIL2BAN

Once Fail2Ban is installed you can find all of its configuration files in the “/etc/fail2ban” directory. To enter “/etc/fail2ban”, type:

cd /etc/fail2ban/

Once you enter the directory you will notice a file called “jail.conf”, which holds all the Fail2Ban configuration defaults. It is not recommended to edit this file directly, because it can be overwritten by package upgrades and all the changes you make would be lost, so we will create a copy instead. To do that, type:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Once the file is copied, we can open it and see how everything works:

nano /etc/fail2ban/jail.local


There are a few settings in the file that you will want to adjust. It is also important to know that all the settings under the [DEFAULT] section apply to every service enabled in Fail2Ban, unless they are overridden in the service’s own section.

One of the many things you can adjust is the set of source addresses that Fail2Ban ignores. To do that, search for the ignoreip parameter and add the IP addresses that you never want to block. You can add a whole network range (in CIDR notation, like 127.0.0.1/8) or just several individual addresses, separated by blank spaces. By default Fail2Ban is configured not to ban traffic coming from the local machine only; however, you can add further addresses to ignore by appending them to the end of the parameter, separated by blank spaces. Keep in mind that an address listed here is never banned, no matter how many times it fails, so limit it to trusted management addresses. The line should then look like:

ignoreip = 127.0.0.1/8 000.000.000.000 111.111.111.111

Next is the bantime parameter. It sets how long a client stays banned after it has exceeded the allowed number of failed login or authentication attempts. This is measured in seconds, and by default it is set to 600 seconds, or 10 minutes.

bantime = 600

The next parameters you should pay attention to are findtime and maxretry. They work together to establish the rules under which a client is judged to be an illegitimate user that should be banned. maxretry sets how many times a client can fail to authenticate within the window of time defined by findtime before being banned. By default Fail2Ban bans a client that unsuccessfully attempts to log in 3 times within a 10 minute window.

findtime = 600
maxretry = 3

If you wish to configure email alerts, the next settings of interest are the destemail, sendername and mta parameters. The destemail parameter defines the email address that should receive ban messages. The sendername parameter sets the value of the “From” field in the email, and the mta parameter configures which mail service will be used to send the mail.

destemail = [email protected]
sendername = Fail2Ban
mta = sendmail

So in this example we are sending an email to “[email protected]” from “Fail2Ban” as the sender, using “sendmail” to deliver it.


The next parameter, action, configures what Fail2Ban does when it institutes a ban. The value action_ is defined in the file shortly before this parameter. By default it simply adds a firewall rule that rejects traffic from the offending host until the ban time elapses.
If you would like email alerts, change the value from action_ to action_mw. If you also want the email to include the relevant log lines, change it to action_mwl.

action = %(action_)s

JAIL SETTINGS

Next is the part of the configuration file that deals with the individual services. Each service has its own section, introduced by a header like [SSH].

To enable any of them, set the “enabled” line in that section to “true”:

enabled = true


By default, the SSH service is enabled and all others are disabled. If, for example, you want to enable the “dropbear” jail, you will find that its section looks like:

[dropbear]

enabled  = false
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
maxretry = 6

As you can see, the “enabled” line says “false”, which means that the jail is disabled. To enable it, change “false” to “true” so that the section looks like:

[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6


Other interesting settings here are the filter parameter, which decides whether a line in a log indicates a failed authentication, and the logpath parameter, which tells Fail2Ban where the logs for that service are located. The filter value is actually a reference to a file of the same name in the “/etc/fail2ban/filter.d” directory. That file contains the regular expressions that determine whether a log line counts as a failure.
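As an added example (not from the original tutorial), the script below emulates the maxretry/findtime decision described in the jail settings above together with the failregex matching done by a filter.d file, over a constructed auth.log excerpt. It assumes a simplified sshd-style regex and epoch timestamps in place of syslog dates; the first host fails three times inside one 600-second window and is banned, while the second spaces its failures further apart than findtime and is not.

```shell
#!/bin/sh
# Added example (not from the tutorial): emulate how findtime and maxretry
# decide which source IPs would be banned, using a constructed auth.log
# excerpt and a simplified sshd-style failregex.

FINDTIME=600   # window in seconds, as in the tutorial's jail.local
MAXRETRY=3     # failures allowed inside that window

# Constructed sample log lines. Epoch timestamps stand in for syslog dates
# so the example needs no date parsing. Columns: epoch, message.
SAMPLE_LOG='1700000000 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
1700000100 sshd[1235]: Failed password for root from 203.0.113.5 port 51001 ssh2
1700000200 sshd[1236]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2
1700000300 sshd[1237]: Failed password for root from 203.0.113.5 port 51002 ssh2
1700000400 sshd[1238]: Failed password for root from 198.51.100.9 port 53000 ssh2
1700001200 sshd[1239]: Failed password for root from 198.51.100.9 port 53001 ssh2
1700002000 sshd[1240]: Failed password for root from 198.51.100.9 port 53002 ssh2'

# Print each IP that reaches MAXRETRY failures within any FINDTIME window,
# one per line, in the order the ban would be triggered.
would_ban() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v window="$FINDTIME" -v limit="$MAXRETRY" '
        # failregex equivalent: only "Failed password ... from <ip>" lines count
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            ts = $1
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip in banned) next
            n[ip]++
            t[ip, n[ip]] = ts
            # count failures from this ip inside the sliding window ending now
            hits = 0
            for (k = 1; k <= n[ip]; k++) if (ts - t[ip, k] < window) hits++
            if (hits >= limit) { banned[ip] = 1; print ip }
        }'
}

would_ban
```

Running the script prints only 203.0.113.5; the real filter.d regexes are considerably more thorough than the one-line pattern used here.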


REAL TIME EXAMPLE

Now that we have the basic picture of Fail2Ban, let’s do a basic setup as an example. We’re going to configure an auto-banning policy for SSH and Apache and set up Fail2Ban to send us an email when an IP is banned.

Before we start, let’s install the software we will use in the example:

apt-get update
apt-get install apache2 sendmail iptables-persistent

Once the installation is done we will put in place a basic default set of firewall rules. We will tell the firewall to allow established connections, all traffic generated by the server itself, and traffic destined for our SSH and web server ports; all other traffic will be dropped. To start the setup, type the following commands:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

To see the current firewall state just type:

iptables -S


Next we will adjust the Fail2Ban configuration. To do that open the Fail2Ban configuration file:

nano /etc/fail2ban/jail.local

and under the default heading, change the bantime parameter to ban the clients for 15 minutes:

bantime  = 900


We also want to configure an email alert notification. To do that, find the destemail parameter and enter the email address that should receive these messages:

destemail = [email protected]_domain.com


In the next step we will set the action parameter to one of the actions that sends us the warning email. There are two choices. The first is action_mw, which institutes the ban and then sends us an email with a “whois” report on the offending host. The second is action_mwl, which does the same as action_mw but also includes the relevant log lines.
Today we are going to use action_mwl, because the log lines are what will help us troubleshoot and see more information about the incident. So find the line that says:

action = %(action_)s

And replace it with:

action = %(action_mwl)s


If you want to change the number of unsuccessful SSH login attempts allowed before a ban is established, edit the maxretry parameter in the SSH jail’s section.

Next, search for the “apache” section, which should be located under “HTTP servers”, and change the enabled parameter to “true”. By default the section looks like:

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

and after the change it should look like:

[apache]

enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

Save and close the file, and restart the Fail2Ban service for the changes to take effect:

service fail2ban restart

Once the Fail2Ban service is restarted you can check the new firewall rules by typing:

iptables -S

and you will see:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-apache
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-apache -j RETURN
-A fail2ban-ssh -j RETURN

The fail2ban-apache and fail2ban-ssh chains, and the two INPUT rules that jump into them, are the rules created by the Fail2Ban policies. Note that Fail2Ban inserts those jump rules at the top of the INPUT chain, ahead of the ACCEPT rules for the SSH and web ports, so a banned host is matched before its traffic can be accepted.
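An added check, not part of the original tutorial, that reads saved `iptables -S` output (the sample below is constructed from the listing above) and confirms that each Fail2Ban jail chain exists and that the jump into it is evaluated before the plain ACCEPT rule for the same port; a jump that landed after the ACCEPT rule would never see the banned host’s packets. The function name and the second, deliberately mis-ordered rule set are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the rule order that
# Fail2Ban needs in order for its bans to take effect.

# Constructed sample modelled on the "iptables -S" output shown above.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-apache
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A fail2ban-apache -j RETURN
-A fail2ban-ssh -j RETURN'

# Constructed failure case: the jump rule was appended after the ACCEPT
# rule for port 22, so the ban chain is shadowed and never consulted.
SHADOWED_RULES='-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN'

# check_jail_chain RULES CHAIN PORT
# Returns 0 when CHAIN exists and the INPUT rule jumping to it appears
# before the plain "--dport PORT -j ACCEPT" rule; returns 1 otherwise.
check_jail_chain() {
    rules=$1; chain=$2; port=$3
    printf '%s\n' "$rules" | grep -q "^-N $chain\$" || return 1
    jump=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .* -j $chain\$" | head -n1 | cut -d: -f1)
    accept=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT .*--dport $port -j ACCEPT\$" | head -n1 | cut -d: -f1)
    [ -n "$jump" ] || return 1
    # no explicit ACCEPT for that port means the jump cannot be shadowed
    [ -z "$accept" ] && return 0
    [ "$jump" -lt "$accept" ]
}

check_jail_chain "$SAMPLE_RULES" fail2ban-ssh 22 && echo "ssh jail: ok"
check_jail_chain "$SAMPLE_RULES" fail2ban-apache 80 && echo "apache jail: ok"
check_jail_chain "$SHADOWED_RULES" fail2ban-ssh 22 || echo "shadowed rules: ban chain unreachable"
```

On a live server, replace the constructed samples with `$(iptables -S)` after restarting Fail2Ban.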


If you’re one of our Linux VPS Hosting customers we can help you to install and configure Fail2Ban on your virtual server for you free of charge. Just contact us and some of our experts will complete your request immediately.

2 thoughts on “How to install and configure Fail2Ban on your Ubuntu server”

  1. Ubuntu 16.04 server and fail2ban is not really working
    Fresh installed Ubuntu and fail2ban!
    Set up my config in /etc/fail2ban/jail.local (only things I want to change in this file). Reload / restart fail2ban… nothing changed!
    Set up /etc/fail2ban/jail.d/my.conf and activate my block settings to enabled. Reload / restart fail2ban…
    Nothing changed, all settings I made ignored.
    So… Ubuntu or fail2ban is just bugged!
