What is fail2ban?
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. In this guide, you learn how to install & configure Fail2ban to secure your Ubuntu server.
Fail2ban is focuses on SSH attacks, however it can be further configured to work for any service that uses log files and can be subject to a compromise. Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed.
In this article we shall learn to install and configure fail2ban on Ubuntu / Debian, Fedora & CentOS server to protect from wild attacks from internet.
Table of contents
Requirements & Cautions
You need
- SSH access to your server rather it would be CentOS, fedora or Ubuntu / Debian
- Root access to server or a user with sudo privileges
- Use fail2ban with other firewalls like UFW / firewalld and should not be used as replacement of already installed firewalls.
Install Fail2ban on Ubuntu / Debian
The Fail2ban package is included in the default Ubuntu 20.04 repositories. Update your Ubuntu Server Repositories:
apt update && apt upgrade -yInstall Fail2ban:
Upon installation fail2ban service automatically starts, there is no need of manual start.
apt-get install fail2ban -yInstall Sendmail (Optional Step):
apt-get install sendmailPlease note that sendmail installation is optional if you need email support, it is not mandatory requirement for fail2ban installation.
Install Fail2ban on Fedora
Update your Fedora Server Repositories:
dnf updateInstall Fail2ban:
dnf install fail2banInstall Sendmail (Optional Step):
dnf install sendmailStart and enable fail2ban / sendmail:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmailPlease note that sendmail installation is optional if you need email support, it is not mandatory requirement for fail2ban installation.
Install Fail2ban on CentOS
Update your CentOS Server Repositories:
yum install epel-release && yum update -y Install Fail2ban:
yum install fail2banInstall Sendmail (Optional Step):
yum install sendmailStart and enable fail2ban / sendmail:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmailPlease note that sendmail installation is optional if you need email support, it is not mandatory requirement for fail2ban installation.
ALSO READ
How to Configure Fail2ban
Before jumping to configuration part, we need to understand that how fail2ban reads configuration files. The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files as they may be overwritten when the package is updated.
Fail2ban reads .conf configuration files first, then .local files override any settings. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched.
Configure fail2ban.local
fail2ban.conf contains default configuration settings, for quick start we can copy configuration from this file to our local file so that we do not need to build local file from scratch.
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.localMoreover we need to perform same step with our jail.conf file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localNow open up jail.local file in your favorite text editor, to get an understanding about its inside ingredients.
Whitelist IP Addresses
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. Here you should add your local PC IP address and all other machines that you want to whitelist.
Uncomment the line starting with ignoreip and add your IP addresses separated by space:
ignoreip = 127.0.0.1/8 ::1 12.12.12.12
Ban Settings
The values of bantime, findtime, and maxretry options define the ban time and ban conditions.
“bantime” is the number of seconds that a host is banned. A host is banned if it has generated “maxretry” during the last “findtime” seconds. “maxretry” is the number of failures before a host get banned.
“backend” specifies the backend used to get files modification. Available options are “pyinotify”, “gamin”, “polling”, “systemd” and “auto”. This option can be overridden in each jail as well. bydefault backend is set to auto
bantime = 10m
findtime = 10m
maxretry = 3
backend = systemd
Email Notifications Using Sendmail
Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP installed on your server and change the default action in jail.conf file, You can also adjust the sending and receiving email addresses:
To receive email when fail2ban is triggered, adjust the email settings:
destemail: The email address where you would like to receive the emails.sendername: The name under which the email shows up.sender: The email address from which Fail2ban sends emails.
destemail = [email protected]
sender = [email protected]Fail2ban Jails
Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.
By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the proftpd jail:
Fail2ban Client
Fail2ban client is a tool which is used to check ban status and interact with fail2ban service. So to check current sshd jail status.
sudo fail2ban-client status sshdto find more details about the tool you can use -h parameter to get all available commands.
fail2ban-client -hConclusion
In this article we have learnt how to install and configure fail2ban on Ubuntu / Debian, Fedora & CentOS Distributions. I hope this has been informative for you and would like to thank you for viewing.
