How to install and configure Fail2ban on Ubuntu 20.04


Any service exposed to the internet is at risk of automated attacks. For example, if you're running a service on a publicly accessible network, attackers may use brute-force attempts to log into your accounts.

Fail2ban is a tool that protects your Linux machine from brute-force and other automated attacks by monitoring service logs for malicious activity. It uses regular expressions to scan the log files. All entries that match the patterns are counted, and when their number reaches a predefined threshold, Fail2ban bans the offending IP for a set period through the system firewall. Once the ban period has expired, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 20.04.

Install Fail2ban on Ubuntu

The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, run the following commands as root or as a user with sudo privileges:

sudo apt update
sudo apt install fail2ban

Once the installation is complete, the Fail2ban service starts automatically. You can verify this by checking the status of the service:

sudo systemctl status fail2ban

The output looks like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

That’s it. At this point, Fail2Ban is running on your Ubuntu server.

Fail2ban configuration

The default Fail2ban installation ships with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files, as they may be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the corresponding .conf file:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

For most users, the easiest way to configure Fail2ban is to copy jail.conf to jail.local and edit the .local file. More advanced users can build a .local configuration file from scratch. The .local file does not need to contain all the settings from the corresponding .conf file, only the ones you want to override.
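To see the override order in practice, here is an added example (not part of the original article or of the Fail2ban project) that resolves the effective value of an option the way the precedence list above describes: files are read in order, a value inside the jail's own section beats one inside [DEFAULT], and among files of the same kind the later one wins. The directory layout is constructed in a temporary directory, so the script runs without Fail2ban installed; `ini_get`, `effective` and `build_demo` are names chosen for this example.

```shell
#!/bin/sh
# Added example: resolve a Fail2ban option through the documented file order.
# Not Fail2ban's own loader; a small INI reader that follows the same rules.

# ini_get FILE SECTION KEY -> prints the last value of KEY inside [SECTION], or nothing
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                       # section header line
            line = $0; gsub(/[[:space:]]/, "", line)
            insec = (line == ("[" sec "]")); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); val = $0   # later assignment wins
        }
        END { if (val != "") print val }' "$1"
}

# effective FAIL2BAN_DIR JAIL KEY -> value Fail2ban would use for KEY in [JAIL]
# Order: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
# A [JAIL] value from any file beats a [DEFAULT] value from any file.
effective() {
    dir=$1; jail=$2; key=$3
    jail_val=""; def_val=""
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] || continue                  # unmatched glob or missing file
        v=$(ini_get "$f" "$jail" "$key")
        if [ -n "$v" ]; then jail_val=$v; fi
        v=$(ini_get "$f" DEFAULT "$key")
        if [ -n "$v" ]; then def_val=$v; fi
    done
    if [ -n "$jail_val" ]; then printf '%s\n' "$jail_val"; else printf '%s\n' "$def_val"; fi
}

# build_demo DIR: constructed sample layout mirroring the four file kinds
build_demo() {
    mkdir -p "$1/jail.d"
    printf '[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n\n[sshd]\nport = ssh\n' > "$1/jail.conf"
    printf '[sshd]\nenabled = true\n' > "$1/jail.d/defaults-debian.conf"
    printf '[DEFAULT]\nbantime = 1d\n\n[sshd]\nmaxretry = 3\n' > "$1/jail.local"
    printf '[sshd]\nbantime = 4w\n' > "$1/jail.d/sshd.local"
}

# Usage (stand-alone): build the demo tree and print the resolved sshd settings.
if [ "${DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    build_demo "$d"
    for k in enabled port bantime findtime maxretry; do
        printf '%-9s = %s\n' "$k" "$(effective "$d" sshd "$k")"
    done
    rm -rf "$d"
fi
```

With the demo tree, bantime resolves to 4w (jail.d/sshd.local is read last), maxretry to 3 (the [sshd] value in jail.local beats the [DEFAULT] value 5), and findtime to 10m because only jail.conf's [DEFAULT] sets it.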

To create a .local configuration file from the default jail.conf file:

sudo cp /etc/fail2ban/jail.{conf,local}

To start configuring the Fail2ban server, open the jail.local file with your text editor:

sudo nano /etc/fail2ban/jail.local

The file contains comments that describe what each configuration option does. In this example we are changing the basic settings.

Whitelist IP addresses

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. This is where you should add your local PC's IP address and any other machines you want to whitelist.

Uncomment the line that begins with ignoreip and add your IP addresses separated by spaces:

/etc/fail2ban/jail.local
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban settings

The bantime, findtime, and maxretry options define the ban duration and the conditions under which a ban is issued.

bantime is the duration for which an IP is banned. If no suffix is specified, the value is interpreted as seconds. The default bantime is 10 minutes. In general, most users want a longer ban period. Change the value according to your needs:

/etc/fail2ban/jail.local
bantime  = 1d

To ban an IP permanently, use a negative number.

findtime is the window within which the failures must occur before a ban is issued. For example, if Fail2ban is set to ban an IP after five failures (maxretry, see below), those failures must occur within the findtime window.

/etc/fail2ban/jail.local
findtime  = 10m

maxretry is the number of failures before an IP is banned. The default is five, which should be fine for most users.

/etc/fail2ban/jail.local
maxretry = 5
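The interaction between findtime and maxretry is easiest to see by replaying a few log lines. The following is an added example, not code from the article or from Fail2ban: it counts sshd "Failed password" entries per source IP over a sliding findtime window, exactly as the two options above describe, and reports which IPs would cross maxretry. It does not use Fail2ban's real sshd filter (only a simplified pattern for the failure line), assumes all entries fall on the same day, and the auth.log excerpt is constructed with documentation IP ranges; `would_ban` and `sample_log` are names chosen here.

```shell
#!/bin/sh
# Added example: simulate Fail2ban's findtime/maxretry counting over sample log lines.

# would_ban FINDTIME_SECONDS MAXRETRY < auth-log-lines -> prints banned IPs, one per line
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" '
        # simplified match for an sshd password failure; extract the source IP
        /sshd\[[0-9]+\]: Failed password .* from [0-9.]+ port/ {
            split($3, t, ":")                        # HH:MM:SS, same day (assumption)
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 4; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip in banned) next                   # already banned, ignore further hits
            # discard hits older than the findtime window, then record this one
            n = 0
            for (i = 1; i <= cnt[ip]; i++)
                if (hits[ip, i] >= now - findtime) hits[ip, ++n] = hits[ip, i]
            cnt[ip] = n
            hits[ip, ++cnt[ip]] = now
            if (cnt[ip] >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# sample_log: constructed auth.log excerpt (hostname and IPs are documentation values)
sample_log() {
cat <<'EOF'
Aug 19 06:16:01 web sshd[1301]: Failed password for root from 203.0.113.5 port 50122 ssh2
Aug 19 06:16:03 web sshd[1301]: Failed password for root from 203.0.113.5 port 50122 ssh2
Aug 19 06:16:05 web sshd[1304]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Aug 19 06:16:20 web sshd[1310]: Accepted publickey for deploy from 198.51.100.7 port 40212 ssh2
Aug 19 06:16:31 web sshd[1312]: Failed password for invalid user test from 198.51.100.9 port 41000 ssh2
Aug 19 06:40:00 web sshd[1350]: Failed password for invalid user test from 198.51.100.9 port 41002 ssh2
Aug 19 06:41:00 web sshd[1351]: Failed password for invalid user test from 198.51.100.9 port 41003 ssh2
EOF
}

# Usage (stand-alone): compare a 10-minute window with a 1-day window, maxretry = 3.
if [ "${DEMO:-1}" = 1 ]; then
    echo "findtime=10m maxretry=3:"; sample_log | would_ban 600 3
    echo "findtime=1d  maxretry=3:"; sample_log | would_ban 86400 3
fi
```

With findtime = 10m only 203.0.113.5 is banned: 198.51.100.9 also fails three times, but its first failure at 06:16:31 has dropped out of the window by the time the third arrives at 06:41:00. Raising findtime to 1d makes the slow attempts count as well, which is the trade-off to weigh when lengthening the window.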

Email notifications

Fail2ban can send email notifications when an IP has been banned. To receive emails, you need an SMTP server installed on your machine, and you must change the default action, which only bans the IP, to %(action_mw)s, as shown below:

/etc/fail2ban/jail.local
action = %(action_mw)s

%(action_mw)s bans the offending IP and sends an email with a whois report. If you want to include the relevant log lines in the email, set the action to %(action_mwl)s.

You can also customize the sending and receiving email addresses:

/etc/fail2ban/jail.local
destemail = [email protected]
sender = [email protected]

Fail2ban jails

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions. Log entries that match the filter pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with a number of jails for different services. You can also create your own jail configurations.

By default, only the SSH jail is enabled. To enable a jail, add enabled = true after the jail title. The following example shows how to enable the proftpd jail:

/etc/fail2ban/jail.local
[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The settings we discussed in the previous section can be set per jail. Here is an example:

/etc/fail2ban/jail.local
[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 23.34.45.56

The filters are stored in the /etc/fail2ban/filter.d directory, in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.

Every time you edit a configuration file, you must restart the Fail2ban service for the changes to take effect:

sudo systemctl restart fail2ban

Fail2ban client

Fail2ban ships with a command-line tool called fail2ban-client that you can use to interact with the Fail2ban service.

To display all available options, invoke the command with the -h option:

fail2ban-client -h

With this tool you can ban and unban IP addresses, change settings, restart the service, and much more. Here are some examples:

  • Check the jail status:

    sudo fail2ban-client status sshd
  • Unban an IP:

    sudo fail2ban-client set sshd unbanip 23.34.45.56
  • Ban an IP:

    sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

We showed you how to install and configure Fail2ban on Ubuntu 20.04.

Further information on this topic can be found in the Fail2ban documentation.

If you have any questions, feel free to leave a comment below.