What is Fail2ban?
Fail2ban is an open-source security tool that protects your servers against unauthorized access and brute-force attacks.
It is written in Python and works by scanning log files for brute-force login attempts in real time, then blocking the source IP address using the Linux firewall.
Fail2ban is designed to protect various services, including SSH, FTP, OpenVPN, Apache, phpMyAdmin, etc.
What will we do?
In this tutorial, you will learn how to install and configure fail2ban on an Ubuntu 20.04 server. You will learn how to secure the SSH and FTP services using fail2ban, and you will learn about the fail2ban-client command.
Prerequisites
For this tutorial, make sure you have an Ubuntu 20.04 server with root privileges.
Before going any further, log in to your Ubuntu server and run the sudo command below to get root privileges on your system.
sudo su
Step 1 – Install Fail2ban on Ubuntu 20.04
First, we will install fail2ban from the official Ubuntu repository. The fail2ban packages are available in the Ubuntu universe repository.
Enable the Ubuntu universe repository using the following command.
add-apt-repository universe
After that, install fail2ban packages using the apt command below.
apt install fail2ban
Once the installation is complete, start the fail2ban service and enable it to start at boot.
systemctl start fail2ban
systemctl enable fail2ban
As a result, you’ve successfully installed fail2ban on the Ubuntu 18.04 system.
Step 2 – Configure Fail2ban
The fail2ban configuration directory is /etc/fail2ban. To configure fail2ban, you need to copy the default configuration jail.conf to jail.local; fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades.
Copy the default fail2ban configuration jail.conf to jail.local using the cp command below.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now edit the configuration file jail.local using the vim editor.
vim /etc/fail2ban/jail.local
– Basic Configuration
In the [DEFAULT] section, change the settings as you need, as below.
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 10.5.5.1/24
# "bantime" is the number of seconds that a host is banned.
bantime = 60m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 5m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd
Save and close.
- ignoreip – IP addresses, CIDR masks, or DNS hosts that will never be banned by Fail2ban.
- bantime – How long a host is banned by Fail2ban from accessing the server.
- findtime – The window used to decide whether a host is banned: if the host generates ‘maxretry’ failures within the last ‘findtime’, the IP is banned.
- maxretry – The maximum number of failures before the IP address gets banned.
- backend – Specifies the backend used to read logs; Ubuntu 20.04 uses systemd as the backend.
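To see how ignoreip, findtime and maxretry combine, here is an added example (not from the tutorial or from Fail2ban itself) that replays the tutorial's [DEFAULT] values over a few constructed auth.log-style sshd failure lines; the hosts and times are hypothetical.

```python
# Added example, not from the tutorial or Fail2ban: a model of how the [DEFAULT]
# options ignoreip, findtime and maxretry decide a ban (the real engine does more).
import ipaddress
import re
from datetime import datetime, timedelta

IGNOREIP = ["127.0.0.1/8", "10.5.5.1/24"]   # values from the tutorial's [DEFAULT]
FINDTIME = timedelta(minutes=5)
MAXRETRY = 5
# Constructed auth.log-style sshd failures (hypothetical hosts and times).
SAMPLE_LOG = """\
May 20 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
May 20 10:00:30 srv sshd[1002]: Failed password for root from 203.0.113.5 port 4002 ssh2
May 20 10:01:00 srv sshd[1003]: Failed password for root from 203.0.113.5 port 4003 ssh2
May 20 10:02:00 srv sshd[1004]: Failed password for root from 203.0.113.5 port 4004 ssh2
May 20 10:03:00 srv sshd[1005]: Failed password for root from 203.0.113.5 port 4005 ssh2
May 20 10:00:00 srv sshd[2001]: Failed password for root from 198.51.100.7 port 5001 ssh2
May 20 10:06:00 srv sshd[2002]: Failed password for root from 198.51.100.7 port 5002 ssh2
May 20 10:30:00 srv sshd[3001]: Failed password for root from 10.5.5.77 port 6001 ssh2
May 20 10:30:05 srv sshd[3002]: Failed password for root from 10.5.5.77 port 6002 ssh2
May 20 10:30:10 srv sshd[3003]: Failed password for root from 10.5.5.77 port 6003 ssh2
May 20 10:30:15 srv sshd[3004]: Failed password for root from 10.5.5.77 port 6004 ssh2
May 20 10:30:20 srv sshd[3005]: Failed password for root from 10.5.5.77 port 6005 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \S+) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port")

def is_ignored(ip):
    """ignoreip: never ban a host inside a listed address/CIDR (strict=False mirrors Fail2ban accepting 10.5.5.1/24)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)

def would_ban(log_text, year=2020):
    """Return the set of IPs that reach MAXRETRY failures inside one FINDTIME window."""
    recent = {}        # ip -> failure timestamps still inside the findtime window
    banned = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if is_ignored(ip) or ip in banned:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # Sliding window: drop failures older than findtime, then count this one.
        recent[ip] = [t for t in recent.get(ip, []) if ts - t <= FINDTIME] + [ts]
        if len(recent[ip]) >= MAXRETRY:
            banned.add(ip)   # Fail2ban would now fire the ban action
    return banned
```

Only 203.0.113.5 is banned: 198.51.100.7 never has five failures inside one 5-minute window, and 10.5.5.77 would qualify but falls inside the ignoreip range.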
– Set up SSH Jail for Securing SSH Service
By default, the SSH jail is enabled on Debian-based systems. The default configuration is located in the /etc/fail2ban/jail.d/ directory.
Now go to the /etc/fail2ban/jail.d/ directory and edit the default configuration defaults-debian.conf.
cd /etc/fail2ban/jail.d/
vim defaults-debian.conf
Add the following configuration to it.
...
maxretry = 3
...
Save and close.
As a result, you’ve changed the ‘maxretry‘ of the default SSH jail to ‘3‘.
– Create Jail for Securing FTP Service
Now create a new jail for securing the vsftpd service.
In the /etc/fail2ban/jail.d/ directory, create a new configuration file vsftpd.conf.
vim vsftpd.conf
Paste the following configuration into it.
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 60m
Save and close.
As a result, you’ve created a new Fail2ban jail for securing the vsftpd service.
– Restart Fail2Ban
Now restart the fail2ban service using the command below.
systemctl restart fail2ban
As a result, the jails for the SSH and FTP services have been applied to fail2ban, and every host whose failed logins reach ‘maxretry‘ within ‘findtime‘ will be blocked by fail2ban.
Step 3 – Fail2Ban-client Command
In this step, you will learn how to check the fail2ban status using the fail2ban-client command.
With the fail2ban-client command, you can activate jails, check banned IP addresses, unban an IP address, etc.
– Check Activated Jails
To check the activated jails on fail2ban, run the command below.
fail2ban-client status
As a result, you will see the sshd and vsftpd jails activated on your installation.
– Check Banned IP on Specific Jail
To check the banned IP addresses on a specific jail, use the command below.
fail2ban-client status [JAIL-NAME]
For example, to check the list of banned IP addresses on the sshd jail:
fail2ban-client status sshd
As a result, you will get the list of IP addresses that have been banned by fail2ban on the sshd jail.
– Unban IP Fail2Ban
To unban an IP address, use the following command.
fail2ban-client set [JAIL-NAME] unbanip [IP-ADDRESS]
For example, to unban an IP address from the sshd jail:
fail2ban-client set sshd unbanip xxx.xxxx.xxxx.xxxx
As a result, you’ve successfully unbanned the IP address from the sshd jail.
Step 4 – Other Useful Commands for Checking Fail2Ban
Below are some other useful commands for checking fail2ban on the Ubuntu server.
– Checking IPtables Rules
While the fail2ban service is running, new iptables rules are generated whenever fail2ban bans an IP address.
You can check the iptables rules using the command below.
iptables -L
As a result, you will see that two iptables chains for the SSH and FTP services have been created.
– Checking Fail2ban Log
By default, the fail2ban service logs information about its jails and activities to /var/log/fail2ban.log.
Follow the fail2ban log using the tail command below.
tail -f /var/log/fail2ban.log
As a result, you will see information about fail2ban activities, including every Ban and Unban.
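To turn that log into something reviewable, here is an added example (not from the tutorial or from Fail2ban itself) that summarises Ban/Unban events per jail from a few constructed lines in the style fail2ban 0.11 writes to fail2ban.log; the hosts, PIDs and times are hypothetical.

```python
# Added example, not from the tutorial or Fail2ban: summarise Ban/Unban events
# from a /var/log/fail2ban.log excerpt per jail, to see what is currently blocked.
import re
from collections import Counter, defaultdict

# Constructed lines in the style fail2ban 0.11 writes to fail2ban.log
# (hypothetical hosts, PIDs and times).
SAMPLE_FAIL2BAN_LOG = """\
2020-05-20 10:02:59,101 fail2ban.filter         [823]: INFO    [sshd] Found 203.0.113.5 - 2020-05-20 10:02:59
2020-05-20 10:03:00,512 fail2ban.actions        [823]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-20 10:10:41,207 fail2ban.actions        [823]: NOTICE  [vsftpd] Ban 198.51.100.7
2020-05-20 11:03:00,618 fail2ban.actions        [823]: NOTICE  [sshd] Unban 203.0.113.5
2020-05-20 11:15:12,044 fail2ban.actions        [823]: NOTICE  [sshd] Ban 192.0.2.44
"""

# Only the actions logger's NOTICE lines record bans and unbans; "Found" lines
# from the filter are matches that have not yet reached maxretry.
EVENT_RE = re.compile(r"^\S+ \S+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
                      r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")

def summarize(log_text):
    """Return (bans per jail, IPs still banned per jail) for a log excerpt."""
    ban_counts = Counter()
    active = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        jail, ip = m.group("jail"), m.group("ip")
        if m.group("action") == "Ban":
            ban_counts[jail] += 1
            active[jail].add(ip)
        else:
            active[jail].discard(ip)   # an Unban (manual or bantime expiry) lifts it
    return dict(ban_counts), {jail: sorted(ips) for jail, ips in active.items()}
```

The still-banned list is what fail2ban-client status [JAIL-NAME] would show at the end of the excerpt.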
Finally, you’ve successfully installed fail2ban on the Ubuntu 20.04 system.
You’ve created two jails for securing the SSH and vsftpd services, and you’ve learned the basic fail2ban-client commands.
You’ve also learned other commands for checking the firewall rules generated by fail2ban and for checking the fail2ban log.