Fail2Ban is an open-source tool that works as an intrusion prevention software.
If you have open ports on the Internet, attackers can use a passwords and users combinations (also known as brute-force) to attempt to break in.
Fail2Ban scans log files (/var/log/*) and use firewall rules to reject IP addresses
Table of Contents
- A linux box running Ubuntu 20.04.
- SUDO (super user) privileges.
To being, we must update the package index:
sudo apt-get update
sudo apt-get -y install fail2ban
The output should look like this:
Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: whois Suggested packages: mailx monit sqlite3 The following NEW packages will be installed: fail2ban whois 0 upgraded, 2 newly installed, 0 to remove and 74 not upgraded. Need to get 419 kB of archives. After this operation, 2.291 kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu focal/universe amd64 fail2ban all 0.11.1-1 [375 kB] Get:2 http://archive.ubuntu.com/ubuntu focal/main amd64 whois amd64 5.5.6 [44,7 kB] Fetched 419 kB in 2s (203 kB/s) Selecting previously unselected package fail2ban. (Reading database ... 380286 files and directories currently installed.) Preparing to unpack .../fail2ban_0.11.1-1_all.deb ... Unpacking fail2ban (0.11.1-1) ... Selecting previously unselected package whois. Preparing to unpack .../archives/whois_5.5.6_amd64.deb ... Unpacking whois (5.5.6) ... Setting up whois (5.5.6) ... Setting up fail2ban (0.11.1-1) ... Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service. Processing triggers for man-db (2.9.1-1) ... Processing triggers for systemd (245.4-4ubuntu3.3) ...
At this point, you have Fail2Ban installed and running on your Ubuntu.
To verify it, you can check the status of the service:
systemctl status fail2ban
You should see something like this:
● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres> Active: active (running) since Tue 2020-12-22 10:37:51 -03; 3min 41s ago Docs: man:fail2ban(1) Main PID: 52463 (f2b/server) Tasks: 5 (limit: 9403) Memory: 13.8M CGroup: /system.slice/fail2ban.service └─52463 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
The default configuration files of Fail2ban are in the
/etc/fail2ban directory. We will edit the following configuration file:
First, we will make a local copy of that file, (so we can go back or refer to it if something goes wrong):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
We need to edit the jail.local file with our preferred editor (we will use NANO):
sudo nano /etc/fail2ban/jail.local
Ignore IP Addresses
Uncomment (delete the hashtag in the beginning) the line starting with “ignoreip”.
Here you can add as many IP addresses, IP ranges or hosts that you want to exclude from banning. You should add your local LAN and yourself (127.0.0.1).
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
In this part, we have a lot of settings, but we should focus on bantime, findtime, and maxretry options.
bantime – is the time that the IP gets banned. Example for one week (you can use a negative number to set it forever):
bantime = 1w
findtime – is the time it takes, between failures, before ban the IP. Example for one day:
findtime = 1d
maxretry – is the number of how much failures are allowed. Example:
maxretry = 5
If you have a mail server configured in your box, you can setup this value to receive mails notifications when an IP gets banned:
destemail = [email protected]
A jail is what identifies a service (SSH, FTP,Postfix, etc). In the config file, you will see a lot of jails pre-configured for different services.
Only the ssh jail is enabled by default. To enable a jail, you need to add after the Jail title:
enabled = true
For example, to enable fail2ban for Postfix:
[postfix] enabled = true mode = more port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s
At this point you can enable all the Jails that you need.
Once configured, you need to restart Fail2Ban service:
sudo systemctl restart fail2ban
Interacting with the Fail2Ban service
Like any other service, you can interact with
Stop Fail2Ban Service:
sudo systemct stop fail2ban
Start Fail2Ban Service:
sudo systemctl start fail2ban
Enable Fail2Ban on boot:
sudo systemctl enable fail2ban
Disable Fail2Ban on boot:
sudo systemctl disable fail2ban
There is a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.
Check active Jails:
sudo fail2ban-client status
Check statistics (Currently failed, total failed, currently banned, total banned, banned IP list) for a specific Jail:
sudo fail2ban-client status sshd
You should see something like:
Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
Unban an IP address
sudo fail2ban-client unban 22.214.171.124
We can also unban all IP address at once:
sudo fail2ban-client uban – all
Ban an IP address
sudo fail2ban-client ban 126.96.36.199
Activate a rule (use its name from the configuration file)
sudo fail2ban-client add postfix
Start a rule
fail2ban-client start postfix
Stop a rule:
fail2ban-client stop postfix
Well done! You have installed and configured the most common options of Fail2Ban.
If you have any issues then contact us and we’ll try to help as soon as we can.