How to Install and Configure fail2ban on Your Server

How to secure your servers from brute force attacks using fail2ban

What is fail2ban?

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. In this guide you learn how to install and configure Fail2ban to protect an Ubuntu, Debian, Fedora or CentOS server.

Fail2ban focuses on SSH attacks by default, but it can be configured for any service that writes a log file and is exposed to attack. It protects your Linux machine from brute-force and other automated attacks by monitoring the service logs for malicious activity. It scans the log files with regular expressions; every entry that matches a pattern is counted per source address, and when the count for an address reaches a predefined threshold within a time window, Fail2ban bans that IP through the system firewall for a set period. When the ban period expires, the firewall rule is removed and the address can connect again.
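To make the count-then-ban logic concrete, here is an added example that is not fail2ban's own code: a minimal shell re-implementation of the mechanism just described (a failregex-style pattern, a per-IP failure counter, an ignore list and a maxretry threshold) run over constructed sshd log lines. The log lines and the addresses in them are made up for the example, the findtime window is omitted (counts cover the whole input), and nothing is written to the firewall; it only prints the addresses that would be banned.

```shell
#!/bin/sh
# Added example, not part of fail2ban: a toy version of its detection logic.
# Constructed sample of /var/log/auth.log-style sshd lines (not a real capture).
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:07 host sshd[1004]: Failed password for ubuntu from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:09 host sshd[1005]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2
Mar  1 10:00:11 host sshd[1006]: Failed password for root from 2001:db8::1 port 22222 ssh2
Mar  1 10:00:13 host sshd[1007]: Failed password for root from 2001:db8::1 port 22223 ssh2
Mar  1 10:00:15 host sshd[1008]: Failed password for root from 2001:db8::1 port 22224 ssh2'

# would_ban MAXRETRY [IGNOREIP ...] < log
# Prints, one per line and sorted, every source address whose failure count
# reaches MAXRETRY. Addresses listed after MAXRETRY are skipped, which is a
# simplified (exact-match, no CIDR) version of fail2ban's ignoreip.
would_ban() {
    maxretry=$1; shift
    ignore="$*"
    awk -v maxretry="$maxretry" -v ignore="$ignore" '
        # The failregex: only sshd "Failed password" lines count as failures.
        /sshd\[[0-9]+\]: Failed password for .* from [^ ]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++          # one failure more for this source address
        }
        END {
            n = split(ignore, ig, " ")
            for (ip in count) {
                skip = 0
                for (j = 1; j <= n; j++) if (ig[j] == ip) skip = 1
                if (!skip && count[ip] >= maxretry) print ip
            }
        }' | LC_ALL=C sort
}

# Usage: with maxretry = 3 and loopback ignored, the two addresses that failed
# three times are reported; 198.51.100.7 (one failure) and the successful
# public-key login from 192.0.2.9 are not.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 127.0.0.1 ::1
```

Real fail2ban additionally limits the count to the last findtime seconds, matches ignoreip against CIDR ranges and hostnames, and turns each hit into a firewall rule through its action, but the core of a jail is exactly this pattern-match, count and threshold loop.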

In this article we install and configure fail2ban on Ubuntu / Debian, Fedora and CentOS servers to protect them from automated attacks from the internet.

Requirements & Cautions

You need

  • SSH access to your server, whether it runs CentOS, Fedora or Ubuntu / Debian
  • Root access to the server, or a user with sudo privileges
  • A firewall such as UFW or firewalld already in place: fail2ban adds temporary bans to the firewall and is not a replacement for one.

Install Fail2ban on Ubuntu / Debian

The Fail2ban package is included in the default Ubuntu (20.04 and later) and Debian repositories. Update the package lists and installed packages:

apt update && apt upgrade -y

Install Fail2ban:

apt-get install fail2ban -y

On Debian and Ubuntu the fail2ban service is started and enabled automatically when the package is installed, so there is no need to start it manually.

Install Sendmail (Optional Step):

apt-get install sendmail

Please note that sendmail is only needed if you want email notifications; it is not a requirement for the fail2ban installation itself.

Install Fail2ban on Fedora

Update your Fedora Server Repositories:

dnf update

Install Fail2ban:

dnf install fail2ban

Install Sendmail (Optional Step):

dnf install sendmail

Start and enable fail2ban / sendmail:

systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail

Please note that sendmail is only needed if you want email notifications; it is not a requirement for the fail2ban installation itself.

Install Fail2ban on CentOS

Enable the EPEL repository (fail2ban is not in the CentOS base repositories) and update:

yum install epel-release && yum update -y 

Install Fail2ban:

yum install fail2ban

Install Sendmail (Optional Step):

yum install sendmail

Start and enable fail2ban / sendmail:

systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail

Please note that sendmail is only needed if you want email notifications; it is not a requirement for the fail2ban installation itself.


How to Configure Fail2ban

Before jumping to the configuration, we need to understand how fail2ban reads its configuration files. The package ships /etc/fail2ban/fail2ban.conf (settings for the daemon itself) and /etc/fail2ban/jail.conf (the jails and their defaults); on Debian and Ubuntu there is also /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files, as they may be overwritten when the package is updated.

Fail2ban reads the .conf files first and then the .local files, and a setting in a .local file overrides the same setting from the .conf file. For the jail configuration the order is jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local. Because of this, all changes are generally made in .local files, leaving the .conf files untouched.

Configure fail2ban.local

fail2ban.conf holds the daemon's own settings (log level, log target, socket and PID file), not the jails. If you want to change any of those, copy it to a .local file rather than building one from scratch:

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Do the same with jail.conf, which is where the jails and their defaults live:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

A full copy is convenient for reading the available options, but it also freezes every default at the value it had at copy time, so later upstream changes to jail.conf no longer take effect. Once you know which settings you need, a leaner jail.local that contains only the directives you override is easier to maintain. Now open jail.local in your favorite text editor to get an understanding of its contents.

Whitelist IP Addresses

IP addresses, CIDR ranges or hostnames that you want to exclude from banning can be added to the ignoreip directive. Here you should add the IP address of your own workstation and every other machine you want to whitelist, so that a typo in your own password cannot lock you out.

Uncomment the line starting with ignoreip and add your IP addresses separated by spaces:

ignoreip = 127.0.0.1/8 ::1 12.12.12.12 

Ban Settings

The bantime, findtime and maxretry options define the ban time and the ban conditions.

bantime is how long a host stays banned. A host is banned when it produces maxretry failures within the last findtime seconds; maxretry is therefore the number of failures allowed before a ban. Values are in seconds unless a unit suffix such as 10m or 1h is given.

backend specifies how Fail2ban watches log files for modifications. Available options are pyinotify, gamin, polling, systemd and auto, and the option can be overridden in each jail as well. By default it is set to auto. Setting it to systemd makes jails read the systemd journal instead of a log file, which is what you want on systems where sshd only logs to the journal; if you rely on /var/log/auth.log or /var/log/secure, leave it at auto.

bantime  = 10m
findtime = 10m
maxretry = 3
backend  = systemd

Email Notifications Using Sendmail

Fail2ban can send email alerts when an IP has been banned. To receive them you need a mail transfer agent such as the sendmail installed above, and you must override the default action in jail.local so that it includes a mail action (the default action only bans). You can also adjust the sending and receiving email addresses:

  • destemail: the address that receives the alerts.
  • sendername: the display name the alerts are sent under.
  • sender: the address from which Fail2ban sends the alerts.

destemail = support@techacad.net
sender = root@techacad.net

Fail2ban Jails

Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with jails for many services, and you can also write your own jail configurations.

On Debian and Ubuntu the sshd jail is the only one enabled out of the box, through /etc/fail2ban/jail.d/defaults-debian.conf; on Fedora and CentOS no jail is active until you enable one yourself. To enable a jail, add enabled = true directly under its section header in jail.local, for example under [proftpd] for the proftpd jail, and then restart or reload Fail2ban.
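The following added example, which is not part of the original article, pulls the whitelist, ban, backend, email and jail settings from the sections above into one complete jail.local and writes it from a shell function, so the file can be regenerated per host. The admin address 203.0.113.10 and the example.com mail addresses are placeholders; the per-jail bantime under [sshd] and the action_mwl choice are this example's decisions, not the article's.

```shell
#!/bin/sh
# Added example: generate a minimal /etc/fail2ban/jail.local that overrides only
# what we need. Not from the article or from the fail2ban project.

# render_jail_local ADMIN_IP DESTEMAIL SENDER -> prints the jail.local body
render_jail_local() {
    admin_ip=$1; destemail=$2; sender=$3
    cat <<EOF
[DEFAULT]
# Never ban loopback or the admin workstation (placeholder address).
ignoreip = 127.0.0.1/8 ::1 ${admin_ip}

# A host that fails maxretry times within findtime is banned for bantime.
bantime  = 1h
findtime = 10m
maxretry = 3

# Read the systemd journal. Use auto instead if sshd logs to a file such as
# /var/log/auth.log or /var/log/secure and the journal is not used.
backend  = systemd

# Ban and e-mail a report that includes the matching log lines. Needs an MTA
# (sendmail); drop the action line to keep the default ban-only behaviour.
destemail  = ${destemail}
sender     = ${sender}
sendername = Fail2Ban
action     = %(action_mwl)s

[sshd]
enabled = true
# Stricter than DEFAULT for SSH: a banned host stays out for a day.
bantime = 1d
EOF
}

# install_jail_local PATH ADMIN_IP DESTEMAIL SENDER -> writes the file (not
# world-readable, since it names internal addresses) and reports the path.
install_jail_local() {
    path=$1; shift
    umask 027
    render_jail_local "$@" > "$path"
    echo "wrote $path"
}

# Usage on the server, as root (placeholder values):
#   install_jail_local /etc/fail2ban/jail.local 203.0.113.10 admin@example.com fail2ban@example.com
#   fail2ban-client -t && systemctl restart fail2ban
```

fail2ban-client -t parses the configuration without starting the daemon, so a typo in jail.local is caught before the restart rather than leaving the server without bans.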

Fail2ban Client

fail2ban-client is the tool used to check ban status and interact with the running fail2ban service. To check the current status of the sshd jail:

sudo fail2ban-client status sshd

To find more details about the tool, use the -h parameter to list all available commands:

fail2ban-client -h
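Beyond reading the status by eye, operators usually want the banned addresses in a form a script can use, plus a quick way to lift a ban for a colleague who locked themselves out. The following added example (not from the article or the fail2ban project) wraps three real fail2ban-client invocations and parses the "Banned IP list" line of the status output; the sample status text is constructed for the example, and the jail name sshd is the one used above.

```shell
#!/bin/sh
# Added example: small fail2ban-client helpers for day-to-day operations.

# banned_ips < status_output -> one banned address per line, in list order
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# is_banned JAIL IP -> exit status 0 if IP is currently banned in JAIL
is_banned() {
    fail2ban-client status "$1" | banned_ips | grep -qx "$2"
}

# unban JAIL IP -> lift the ban immediately (e.g. a locked-out colleague)
unban() {
    fail2ban-client set "$1" unbanip "$2"
}

# ban JAIL IP -> ban manually, using the jail's configured bantime
ban() {
    fail2ban-client set "$1" banip "$2"
}

# Constructed sample of `fail2ban-client status sshd` output (not a capture).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     57
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   203.0.113.5 2001:db8::1'

# Usage: parse the sample; on a server replace the sample with the live command,
#   fail2ban-client status sshd | banned_ips
#   is_banned sshd 203.0.113.5 && unban sshd 203.0.113.5
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
```

Before trusting a jail in production, also run fail2ban-regex against the real log (for example fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf) and check that the number of matches is what you expect; a filter that matches nothing bans nothing, and the status output above will show Total failed stuck at 0.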

Conclusion

In this article we have learned how to install and configure fail2ban on the Ubuntu / Debian, Fedora and CentOS distributions. I hope this has been informative for you, and thank you for reading.
