What is Fail2ban?

Fail2ban is an open-source security tool that protects servers against unauthorized access and brute-force attacks.

It is written in Python and works by scanning log files for repeated failed login attempts in near real time, then blocking the offending source IP address with the Linux firewall (on Ubuntu 20.04 the default action adds iptables rules). Because it reacts to failures after they are logged, it cuts brute-force noise rather than preventing every attempt; for SSH it complements, but does not replace, key-based authentication.

Fail2ban ships with filters for many services, including SSH, FTP, OpenVPN, Apache and phpMyAdmin.

What will we do?

In this tutorial, you will learn how to install and configure Fail2ban on an Ubuntu 20.04 server, how to protect the SSH and FTP (vsftpd) services with jails, and how to use the fail2ban-client command.

Prerequisites

For this tutorial, you need an Ubuntu 20.04 server and root privileges.

Before going any further, log in to the server and switch to the root user with sudo:

sudo su

Step 1 – Install Fail2ban on Ubuntu 20.04

First, we will install Fail2ban from the official Ubuntu repositories; the package lives in the universe component.

Make sure the universe component is enabled (it already is on most installations; the command also refreshes the package index):

add-apt-repository universe

After that, install fail2ban packages using the apt command below.

apt install fail2ban

Once the installation completes, start the Fail2ban service and enable it at boot (the Ubuntu package normally does both during installation, so these commands are safe to repeat):

systemctl start fail2ban
systemctl enable fail2ban

You have now installed Fail2ban on the Ubuntu 20.04 system.

Step 2 – Configure Fail2ban

Fail2ban's configuration lives in the /etc/fail2ban directory. The packaged defaults are in jail.conf, which package upgrades overwrite, so local changes belong in jail.local: Fail2ban reads jail.local after jail.conf and lets its values override the defaults. (A jail.local containing only the options you change is easier to maintain; this tutorial copies the whole file so every option is visible.)

Copy the default configuration jail.conf to jail.local using the cp command below.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open jail.local with vim (or any other editor).

vim /etc/fail2ban/jail.local

– Basic Configuration

In the [DEFAULT] section, adjust the following options as needed:

[DEFAULT]

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
# Put your own management address or network here so a mistyped password
# cannot lock you out. 10.5.5.0/24 is an example network; use your own.
ignoreip = 127.0.0.1/8 10.5.5.0/24

# "bantime" is how long a host stays banned. A bare number means seconds;
# Fail2ban 0.10 and later (Ubuntu 20.04 ships 0.11) also accept suffixes
# such as 60m or 1h.
bantime = 60m

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" window.
findtime = 5m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend = systemd

Save and close.

  • ignoreip – IP addresses, CIDR ranges or DNS hostnames that Fail2ban will never ban. Add your own management address or network here.
  • bantime – how long a banned host is blocked from the server.
  • findtime – the window over which failures are counted: a host is banned when it produces maxretry failures within the last findtime. Failures older than findtime no longer count, so five attempts spread over an hour do not trigger a ban with the values above.
  • maxretry – the number of failures within findtime that triggers a ban.
  • backend – how Fail2ban reads logs. systemd reads the journal directly, which suits sshd on Ubuntu 20.04 because it logs through syslog into the journal. A service that writes its own log file, such as vsftpd with /var/log/vsftpd.log, needs a file-based backend (auto, polling or pyinotify) set in its jail together with logpath; with backend = systemd the logpath is ignored, as the comment in jail.conf notes.
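To see how ignoreip, findtime and maxretry interact, here is an added Python example that replays the same decision over a handful of constructed sshd log lines. It is not Fail2ban's code and not part of the original page: the FAILED regex is a simplified stand-in for Fail2ban's sshd filter, the timestamps and addresses are made up (RFC 5737 documentation ranges), and simulate and its parameter names are this example's own. It uses the [DEFAULT] values above except maxretry = 3, the value the next section sets for the SSH jail.

```python
"""Replay Fail2ban's ban decision over constructed sshd log lines.

Added example: this is not Fail2ban's code. The regex is a simplified
stand-in for filter.d/sshd.conf and the log lines are made up.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style lines (not real traffic).
# 203.0.113.5 fails three times in 8 seconds, 10.5.5.77 sits inside the
# ignoreip network, and 198.51.100.9 spreads its failures 3 minutes apart.
SAMPLE_LOG = """\
May 20 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May 20 10:00:05 srv sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
May 20 10:00:09 srv sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
May 20 10:00:12 srv sshd[1004]: Failed password for invalid user test from 10.5.5.77 port 50001 ssh2
May 20 10:00:14 srv sshd[1005]: Failed password for invalid user test from 10.5.5.77 port 50002 ssh2
May 20 10:00:16 srv sshd[1006]: Failed password for invalid user test from 10.5.5.77 port 50003 ssh2
May 20 10:00:20 srv sshd[1007]: Failed password for root from 198.51.100.9 port 60001 ssh2
May 20 10:03:20 srv sshd[1008]: Failed password for root from 198.51.100.9 port 60002 ssh2
May 20 10:06:20 srv sshd[1009]: Failed password for root from 198.51.100.9 port 60003 ssh2
May 20 10:07:00 srv sshd[1010]: Accepted publickey for deploy from 198.51.100.9 port 60004 ssh2
"""

# Simplified stand-in for Fail2ban's sshd failregex: timestamp and source host.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def parse_time(stamp, year=2020):
    """Syslog timestamps carry no year; assume one, as Fail2ban also must."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def simulate(log, ignoreip=("127.0.0.1/8", "10.5.5.0/24"),
             findtime=300, maxretry=3, bantime=3600):
    """Return {ip: 'Mon DD HH:MM:SS'} for hosts banned while replaying `log`.

    findtime and bantime are in seconds, as in jail.local (60m == 3600).
    """
    window, ban_len = timedelta(seconds=findtime), timedelta(seconds=bantime)
    # strict=False reads a host address with a prefix, e.g. 10.5.5.1/24, as
    # its network (10.5.5.0/24); writing the network address is clearer.
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_at = {}

    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue   # successful logins and unrelated lines never count
        when = parse_time(m["ts"])
        ip = ipaddress.ip_address(m["host"])
        if any(ip in net for net in ignored):
            continue   # ignoreip: never banned, however many failures
        key = str(ip)
        if key in banned_at and when < banned_at[key] + ban_len:
            continue   # still banned; the firewall would have dropped this
        hits = recent[key]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()   # failures older than findtime no longer count
        if len(hits) >= maxretry:
            banned_at[key] = when
            hits.clear()
    return {ip: t.strftime("%b %d %H:%M:%S") for ip, t in banned_at.items()}


if __name__ == "__main__":
    for ip, when in simulate(SAMPLE_LOG).items():
        print(f"[sshd] Ban {ip} at {when}")
```

Run as-is it bans only 203.0.113.5: 10.5.5.77 is covered by ignoreip, and 198.51.100.9 never has three failures inside the 5-minute window (it would with findtime=600). With the [DEFAULT] maxretry of 5 nobody is banned, which is why the next section lowers it for SSH.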

– Set up SSH Jail for Securing SSH Service

By default, the sshd jail is enabled on Debian-based systems through the drop-in file /etc/fail2ban/jail.d/defaults-debian.conf. Fail2ban also reads the files in /etc/fail2ban/jail.d/, and an option set inside a jail section, such as [sshd], takes precedence over the same option in [DEFAULT].

Go to the /etc/fail2ban/jail.d/ directory and edit defaults-debian.conf.

cd /etc/fail2ban/jail.d/
vim defaults-debian.conf

The file contains only the [sshd] section with enabled = true. Add maxretry = 3 under it so that the SSH jail bans after three failures instead of the five set in [DEFAULT].

[sshd]
enabled = true
maxretry = 3

Save and close.

As a result, the default SSH jail now bans a host after three failed logins within findtime, while other jails keep maxretry = 5.

– Create Jail for Securing FTP Service

Now create a new jail to protect the vsftpd service. This assumes vsftpd is installed and writing its log to /var/log/vsftpd.log, the default on Ubuntu and the path the %(vsftpd_log)s variable resolves to; if that file does not exist, Fail2ban reports that it found no log file for the jail and the jail does not start.

In the /etc/fail2ban/jail.d/ directory, create a new configuration file vsftpd.conf.

vim vsftpd.conf

Paste the following configuration into it.

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
# Read the log file directly: the systemd backend set in [DEFAULT] would
# ignore logpath and look in the journal instead.
backend = auto
maxretry = 5
bantime = 60m

Save and close.

As a result, you have created a new Fail2ban jail for the vsftpd service.

– Restart Fail2Ban

Now restart the fail2ban service to load the new jails (fail2ban-client -t checks the configuration for errors first, and fail2ban-client reload applies changes without a full restart).

systemctl restart fail2ban

As a result, Fail2ban runs the sshd and vsftpd jails, and any host that reaches maxretry failed logins within findtime is blocked for bantime.

Step 3 – Fail2Ban-client Command

In this step, you will learn how to check Fail2ban's status with the fail2ban-client command.

With fail2ban-client you can inspect jails, list banned IP addresses, unban an address, and more. It talks to the running fail2ban server over its socket, so it needs root.

– Check Activated Jails

To list the active jails, run the command below.

fail2ban-client status

The output shows the number of jails and the jail list; with the configuration above it contains sshd and vsftpd.

– Check Banned IP on Specific Jail

To check the banned IP addresses in a specific jail, use the command below.

fail2ban-client status [JAIL-NAME]

For example, to inspect the sshd jail:

fail2ban-client status sshd

The output shows the jail's failure counters (currently failed, total failed), the log source it watches, and the Banned IP list with the addresses currently blocked.

– Unban IP Fail2Ban

To unban an IP address, use the following command.

fail2ban-client set [JAIL-NAME] unbanip [IP-ADDRESS]

For example, to unban the address 203.0.113.5 (a documentation address standing in for the real one) from the sshd jail:

fail2ban-client set sshd unbanip 203.0.113.5

The matching command to ban an address by hand is fail2ban-client set [JAIL-NAME] banip [IP-ADDRESS].

As a result, the IP address is no longer banned in the sshd jail. Note that a ban is per jail: an address banned by both sshd and vsftpd must be unbanned in each.
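The commands above are typed one at a time; when you need to answer "which jails currently ban this address, and unban it everywhere" in one go, parsing the status output does the job. The Python example below is an addition, not part of Fail2ban and not from the original page: run_client, jails_banning and unban_everywhere are this example's own names, the two status texts are constructed to match the shape fail2ban-client prints, and fake_client stands in for the real binary so the example also runs on a machine without Fail2ban.

```python
"""Find the jails that ban an address, and unban it in all of them.

Added example, not part of Fail2ban. The status texts are constructed
in the shape fail2ban-client prints; the addresses are documentation IPs.
"""
import re
import subprocess

SAMPLE_STATUS = """\
Status
|- Number of jail:\t2
`- Jail list:\tsshd, vsftpd
"""
SAMPLE_SSHD_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed:\t1
|  |- Total failed:\t20
|  `- Journal matches:\t_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:\t2
   |- Total banned:\t5
   `- Banned IP list:\t203.0.113.5 198.51.100.9
"""
SAMPLE_VSFTPD_STATUS = """\
Status for the jail: vsftpd
|- Filter
|  |- Currently failed:\t0
|  |- Total failed:\t3
|  `- File list:\t/var/log/vsftpd.log
`- Actions
   |- Currently banned:\t1
   |- Total banned:\t1
   `- Banned IP list:\t198.51.100.9
"""


def run_client(*args):
    """Run the real fail2ban-client (needs root) and return its stdout."""
    result = subprocess.run(["fail2ban-client", *args],
                            check=True, capture_output=True, text=True)
    return result.stdout


def fake_client(*args):
    """Offline stand-in for run_client, answering from the constructed texts."""
    if args == ("status",):
        return SAMPLE_STATUS
    if args[:1] == ("status",):
        return {"sshd": SAMPLE_SSHD_STATUS, "vsftpd": SAMPLE_VSFTPD_STATUS}[args[1]]
    return "1\n"   # whatever `set <jail> unbanip <ip>` would reply; unused here


def jails_from_status(text):
    """Parse the 'Jail list:' line of `fail2ban-client status`."""
    m = re.search(r"Jail list:\s*(.*)", text)
    return [j.strip() for j in m.group(1).split(",") if j.strip()] if m else []


def banned_from_jail_status(text):
    """Parse the 'Banned IP list:' line of `fail2ban-client status <jail>`."""
    m = re.search(r"Banned IP list:\s*(.*)", text)
    return m.group(1).split() if m else []


def jails_banning(ip, client=run_client):
    """Return the jails whose current ban list contains `ip`."""
    return [jail for jail in jails_from_status(client("status"))
            if ip in banned_from_jail_status(client("status", jail))]


def unban_everywhere(ip, client=run_client):
    """Unban `ip` in every jail that bans it; returns the jails touched."""
    jails = jails_banning(ip, client)
    for jail in jails:
        client("set", jail, "unbanip", ip)
    return jails


if __name__ == "__main__":
    print(jails_banning("198.51.100.9", fake_client))    # ['sshd', 'vsftpd']
    print(unban_everywhere("203.0.113.5", fake_client))  # ['sshd']
```

Call the functions without the client argument on a real server to go through fail2ban-client. Fail2ban 0.10 and later also provide fail2ban-client unban [IP-ADDRESS], which removes the ban from all jails in a single command; the parsing above is still useful when you want to see which jails were involved before acting.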

Step 4 – Other Useful Command for Checking Fail2Ban

Below are some other useful commands for checking Fail2ban on the Ubuntu server.

– Checking IPtables Rules

While the fail2ban service is running, it adds iptables rules whenever it bans an IP address (the default banaction on Ubuntu 20.04 is iptables-multiport).

You can check the iptables rules using the command below; -n prints addresses numerically instead of resolving them, which keeps the listing fast.

iptables -L -n

As a result, you see two chains named f2b-sshd and f2b-vsftpd, reached from INPUT by rules matching each jail's ports. A banned address appears inside its jail's chain as a REJECT rule, and unbanning removes it again.

– Checking Fail2ban Log

By default, the fail2ban service logs its activity to /var/log/fail2ban.log: each matched failure is an INFO line ("Found <ip>"), and every ban and unban is a NOTICE line ("Ban <ip>" / "Unban <ip>") tagged with the jail name.

Check the fail2ban log using the tail command below.

tail -f /var/log/fail2ban.log

As a result, you see Fail2ban's activity as it happens, which is the quickest way to confirm that a jail is matching the log lines you expect.
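Scrolling the log answers "what is happening now"; for "who has been banned, how often, and who is still banned" a small summary helps, for example after an incident. The Python example below is an addition, not Fail2ban's code and not from the original page: the log lines are constructed in the shape fail2ban.log uses, the addresses are documentation IPs, and parse_events and summarize are this example's own names. It also handles the "Restore Ban" lines Fail2ban writes at startup when it re-applies bans from its database, which count as active but not as new bans.

```python
"""Summarise /var/log/fail2ban.log: bans per jail, who is still banned,
and the noisiest sources. Added example, not part of Fail2ban."""
import re
from collections import Counter, defaultdict

# Constructed lines in the shape Fail2ban 0.10/0.11 writes (NOTICE for
# Ban/Unban/Restore Ban, INFO for each matched failure). Not a real log.
SAMPLE_FAIL2BAN_LOG = """\
2020-05-20 09:59:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 192.0.2.44
2020-05-20 10:00:05,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2020-05-20 10:00:05
2020-05-20 10:00:09,220 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2020-05-20 10:00:09
2020-05-20 10:00:09,231 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-20 10:15:40,004 fail2ban.actions        [812]: NOTICE  [vsftpd] Ban 198.51.100.9
2020-05-20 10:42:11,930 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.9
2020-05-20 11:00:09,300 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2020-05-20 11:15:40,010 fail2ban.actions        [812]: NOTICE  [vsftpd] Unban 198.51.100.9
2020-05-20 11:20:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
"""

EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<event>Restore Ban|Ban|Unban) (?P<ip>\S+)$"
)


def parse_events(log):
    """Yield (timestamp, jail, event, ip) for each ban-related line, in order."""
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            yield m["ts"], m["jail"], m["event"], m["ip"]


def summarize(log):
    """Return per-jail ban counts, the addresses still banned, and top sources."""
    bans = defaultdict(Counter)    # jail -> Counter of ip -> number of new bans
    active = defaultdict(set)      # jail -> ips with a Ban not yet Unbanned
    for _, jail, event, ip in parse_events(log):
        if event == "Unban":
            active[jail].discard(ip)
            continue
        active[jail].add(ip)       # Ban and Restore Ban both make it active
        if event == "Ban":
            bans[jail][ip] += 1    # a restored ban is not a new offence
    by_ip = Counter()
    for counter in bans.values():
        by_ip.update(counter)
    return {
        "bans_per_jail": {jail: sum(c.values()) for jail, c in bans.items()},
        "active": {jail: sorted(ips) for jail, ips in active.items() if ips},
        "top_sources": by_ip.most_common(),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_FAIL2BAN_LOG))
```

On a real server, read the file with open("/var/log/fail2ban.log").read() and pass it to summarize; rotated files (fail2ban.log.1 and the gzipped ones) can be concatenated first. Because the summary reconstructs state from Ban and Unban pairs, compare its "active" lists with fail2ban-client status when in doubt; the client reflects what is actually in the firewall.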

You have now installed Fail2ban on the Ubuntu 20.04 system, created jails for the SSH and vsftpd services, and learned the basic fail2ban-client commands.

You have also learned how to check the firewall rules Fail2ban generates and how to read the fail2ban log.