How to Install Fail2Ban on Ubuntu 24.04, 22.04 or 20.04

Fail2Ban is a crucial security tool for protecting Linux systems against brute-force attacks. It works by monitoring log files for suspicious activity, such as repeated failed login attempts, and automatically bans the offending IP addresses by updating firewall rules. Fail2Ban is highly configurable, allowing administrators to define custom filters, ban times, and actions, making it an essential component for maintaining server security.

On Ubuntu 24.04, 22.04, or 20.04, Fail2Ban can be easily installed via the Ubuntu default repository. This method ensures a straightforward installation process, with Fail2Ban integrated into your system, providing a reliable defense against unauthorized access attempts. This guide will walk you through the installation process using the command-line terminal.

Update Ubuntu Before Fail2ban Installation

Before starting the installation process, you must update your system to ensure a smooth installation and avoid potential conflicts. To do this, run the following command in your terminal:

sudo apt update && sudo apt upgrade

Install Fail2ban via Terminal Command

Fail2Ban is available in Ubuntu’s default repository, simplifying the installation process. Execute the following command to begin the installation:

sudo apt install fail2ban 

Enable and Activate Fail2ban

By default, Fail2Ban is not enabled or activated after installation. To start the service and enable it to run on system boot, use the following command:

sudo systemctl enable fail2ban --now

Verify Fail2Ban Service Status

Once Fail2Ban is installed and enabled, check its service status to confirm that it is running and set to start at boot.

Run the following command to verify the status:

sudo systemctl status fail2ban

Fail2ban Backup Settings

After installing Fail2Ban, setting up and configuring it to suit your server environment is important. Fail2Ban comes with two default configuration files located at /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

To preserve your custom settings, create copies of the configuration files with the .local extension. Fail2Ban reads each .conf file first and then the matching .local file, so any setting defined in .local overrides the .conf value while everything else falls through to the defaults. Package updates may overwrite .conf files but leave .local files untouched, so your settings survive upgrades and the untouched .conf remains a fresh copy to revert to in case of misconfiguration.

Execute the following command to create a copy of the jail.conf file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now you have a backup of your original configuration file, and you can safely customize Fail2Ban settings by editing the jail.local file without worrying about losing your modifications during future updates.
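As an added example (not from the guide or the Fail2Ban project), the following script builds a throwaway copy of the layout described above and resolves a setting the way Fail2Ban's layered configuration does. It assumes the documented read order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, with later files overriding earlier ones; the file contents, including the defaults-debian.conf stand-in, are constructed for the example, and the parser is deliberately simple: no %(name)s interpolation and no DEFAULT-to-jail inheritance.

```shell
#!/bin/sh
# Added example: resolve an effective Fail2Ban setting across the
# jail.conf / jail.d / jail.local layers. Simplified parser, not Fail2Ban's:
# it ignores %(name)s interpolation and DEFAULT-section inheritance.

# effective_setting CONFIG_DIR SECTION KEY
# Prints the value that wins after all layers are read, in the order
# Fail2Ban documents: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
effective_setting() {
    local dir=$1 section=$2 key=$3 f
    set --
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] && set -- "$@" "$f"
    done
    awk -v want_section="$section" -v want_key="$key" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [section] header
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            current = $0
            next
        }
        current == want_section {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != want_key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            value = v; found = 1                     # a later file wins
        }
        END { if (found) print value; else exit 1 }
    ' "$@"
}

# make_demo_config -> creates a throwaway config tree and prints its path.
# All file contents are constructed for this example.
make_demo_config() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/jail.d"
    cat > "$dir/jail.conf" <<'EOF'
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
port    = ssh
enabled = false
EOF
    cat > "$dir/jail.d/defaults-debian.conf" <<'EOF'
[sshd]
enabled = true
EOF
    # jail.local only needs the keys you actually change
    cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
bantime = 1h

[sshd]
maxretry = 3
EOF
    printf '%s\n' "$dir"
}

demo=$(make_demo_config)
for q in "DEFAULT bantime" "DEFAULT findtime" "sshd enabled" "sshd maxretry"; do
    printf '%-16s = %s\n' "$q" "$(effective_setting "$demo" $q)"
done
rm -rf "$demo"
```

The run shows bantime resolved from jail.local, findtime falling through to jail.conf, and sshd enabled by the jail.d file, which is why a key left out of jail.local keeps whatever the lower layers say.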

Example Rundown: Configure Fail2ban

Now we will run down how to edit the configuration file once you have backed up the original. The settings below are examples for jail.local only; customize and test them against your own system requirements.

Edit Fail2ban Configuration File

To edit the jail.local file using the nano editor, run the following command:

sudo nano /etc/fail2ban/jail.local

Ban Time Increments with Fail2ban

Enable the Ban Time Increment setting to increase the ban duration for repeat offenders. For example, if the default ban time is one hour, you can increase it to five hours after five repeated bans.

To do this, you need to set a multiplier for the ban increase logic. These lines belong in the [DEFAULT] section (or in an individual jail); they ship commented out in jail.conf, so remove the leading # for them to take effect.

Example:

## Ban Time Multipliers
bantime.increment = true
bantime.factor = 2
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
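To see what bantime.factor actually does before enabling it, here is an added shell example (not part of the guide or of Fail2Ban) that evaluates the default bantime.formula shown above for successive bans of the same address. It assumes ban.Time is the jail's bantime in seconds, that ban.Count is 0 for an address's first ban and counts its previous bans after that, and that bantime.maxtime, when set, caps the result.

```shell
#!/bin/sh
# Added example: evaluate Fail2Ban's default bantime.formula
#   ban.Time * (1 << (ban.Count if ban.Count < 20 else 20)) * banFactor
# for a sequence of bans. Assumptions: ban.Count is 0 for an address's
# first ban and counts its previous bans thereafter; bantime.maxtime
# (if given) caps the result, as it does in jail.conf.

# next_bantime BASE_SECONDS BAN_COUNT FACTOR [MAXTIME_SECONDS]
# Prints the length in seconds of the ban issued when BAN_COUNT bans
# have already been recorded for the address.
next_bantime() {
    local base=$1 count=$2 factor=$3 maxtime=${4:-0} shift_by result
    # the shift saturates at 20, exactly as the formula's conditional does
    if [ "$count" -lt 20 ]; then shift_by=$count; else shift_by=20; fi
    result=$(( base * (1 << shift_by) * factor ))
    if [ "$maxtime" -gt 0 ] && [ "$result" -gt "$maxtime" ]; then
        result=$maxtime
    fi
    printf '%s\n' "$result"
}

# ban_schedule BASE_SECONDS FACTOR BANS [MAXTIME_SECONDS]
# Prints "<ban number> <seconds> <hours>" for the first BANS bans.
ban_schedule() {
    local base=$1 factor=$2 bans=$3 maxtime=${4:-0} n=0 secs
    while [ "$n" -lt "$bans" ]; do
        secs=$(next_bantime "$base" "$n" "$factor" "$maxtime")
        printf '%d %d %dh\n' $(( n + 1 )) "$secs" $(( secs / 3600 ))
        n=$(( n + 1 ))
    done
}

# The guide's settings: bantime = 1h (3600 s), bantime.factor = 2,
# with a one-week bantime.maxtime so the growth stops somewhere sensible.
ban_schedule 3600 2 8 604800
```

Run the schedule with your own base time and factor to confirm the progression is what you intend: the factor scales every ban, including the first, and without a bantime.maxtime the doubling continues up to the 2^20 cap built into the formula.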

Whitelist IPs in Fail2ban

To whitelist specific IP addresses, uncomment the ignoreip line and add the desired IP addresses, separated by spaces or commas. IP ranges can also be whitelisted.

Example:

# 180.53.31.33 stands in for an address of your own
ignoreip = 127.0.0.1/8 ::1 180.53.31.33
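Added illustration (not Fail2Ban's own matching code) of how an ignoreip entry written as a CIDR range covers a whole block of addresses, using the guide's example list. It models the IPv4 range arithmetic and compares any other entry, such as ::1, as an exact string; the candidate addresses are made up for the example.

```shell
#!/bin/sh
# Added example: check whether an address falls under an ignoreip list.
# Not Fail2Ban's code; it mirrors the semantics of CIDR entries for IPv4
# and treats any non-IPv4 entry (e.g. ::1) as an exact-string match.

# ip_to_int A.B.C.D -> prints the 32-bit integer value of the address
ip_to_int() {
    local saved_ifs=$IFS
    IFS=.
    set -- $1          # split A.B.C.D into four positional parameters
    IFS=$saved_ifs
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY -> true if IP is covered by ENTRY (IPv4 CIDR or single address)
in_cidr() {
    local ip=$1 entry=$2 net bits mask
    case $entry in
        */*) net=${entry%/*}; bits=${entry#*/} ;;
        *)   net=$entry; bits=32 ;;
    esac
    # non-IPv4 entries (IPv6, hostnames) are only matched literally here
    case $net in *[!0-9.]*) [ "$ip" = "$entry" ]; return ;; esac
    case $ip  in *[!0-9.]*) return 1 ;; esac
    # netmask: the top BITS bits set, truncated to 32 bits (4294967295 = 0xFFFFFFFF)
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_ignored IP "ENTRY ENTRY,ENTRY ..." -> true if any entry covers IP
is_ignored() {
    local ip=$1 entry
    # entries may be separated by spaces or commas, as the guide notes
    for entry in $(printf '%s\n' "$2" | tr ',' ' '); do
        in_cidr "$ip" "$entry" && return 0
    done
    return 1
}

# The guide's example list, with its placeholder address
ignoreip='127.0.0.1/8 ::1 180.53.31.33'
for candidate in 127.0.0.1 127.42.0.9 180.53.31.33 180.53.31.34 ::1; do
    if is_ignored "$candidate" "$ignoreip"; then
        printf '%-14s ignored\n' "$candidate"
    else
        printf '%-14s subject to banning\n' "$candidate"
    fi
done
```

Fail2Ban itself also accepts DNS names and IPv6 ranges in ignoreip; only the IPv4 range arithmetic is modelled here, which is enough to see that 127.0.0.1/8 exempts every loopback address while a bare address exempts exactly one host.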

Default Ban Time Setup

By default, Fail2Ban bans an attacker for 10 minutes after five failed attempts within a 10-minute window. You can adjust these default settings, but it’s recommended to set custom ban times and retry limits for different jails.

Example:

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

E-Mail Alerts/Notifications with Fail2ban

Configure Fail2Ban to send email notifications with whois reports to a specified email address. You can also set up different reporting options, such as sending emails to blacklist providers or the attacker’s ISP.

Example:

destemail = admin@example.com
sender = fail2ban@example.com

Fail2ban Jails

Jails contain pre-defined filters and actions for various server applications. You can enable, disable, or customize jails based on your server’s needs.

To enable a jail, add “enabled = true” in the corresponding jail section.

Example:

[apache-badbots]
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

You can also add custom Fail2ban jails or use actions from the action.d directory by updating the banaction line in the jail section.

Example:

[apache-botsearch]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
# banaction names the action.d file used to block the address;
# the cloudflare action also needs its API credentials set in action.d/cloudflare.conf
banaction = cloudflare
# action_mw bans via banaction and additionally e-mails a whois report
action    = %(action_mw)s
bantime = 72h
maxretry = 1

Once you’ve finished configuring Fail2Ban, restart the service to apply your changes:

sudo systemctl restart fail2ban

Ban or Unban via Fail2Ban Commands

Once Fail2Ban is configured, the commands you will use most often are the ban and unban commands. You can manage IP bans with the fail2ban-client command, which may require sudo privileges, depending on your setup.

Ban an IP address via Fail2ban CLI Command

To ban an IP address manually for a specific jail (e.g., apache-botsearch), use the following command:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address via Fail2ban CLI Command

To unban an IP address for a specific jail (e.g., apache-botsearch), use the following command:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

Accessing the Help Menu

To access the help menu and view additional settings or commands, use the following command:

sudo fail2ban-client -h 

Additional Fail2ban Command Examples

Check the status of a specific jail:

sudo fail2ban-client status apache-botsearch

Reload the configuration without restarting the Fail2Ban service:

sudo fail2ban-client reload

Check the list of currently banned IP addresses for a specific jail:

sudo fail2ban-client get apache-botsearch banned

Set the ban time for a jail (bans issued in that jail from then on use it; fail2ban-client does not take a per-address ban time), then ban the address:

sudo fail2ban-client set apache-botsearch bantime <time_in_seconds>
sudo fail2ban-client set apache-botsearch banip <ip_address>

These commands provide the tools to manage IP bans using Fail2Ban effectively. Remember to replace <ip address> with the actual IP address you want to ban or unban, and replace apache-botsearch with the appropriate jail name based on your configuration.

Check or Monitor Fail2Ban Logs

It’s crucial to monitor and review Fail2Ban logs to ensure your jails are functioning correctly. By default, Fail2Ban logs can be found at /var/log/fail2ban.log.

Monitor Logs in Real-Time For Fail2ban

To watch the logs live and spot any issues while working on your server, use the “tail -f” command (you may need sudo, depending on the log file’s permissions):

tail -f /var/log/fail2ban.log

This command allows you to monitor log changes in real-time.

Search Logs for Specific Fail2ban Information

You can also use the grep command to search for specific information within the logs, such as IP addresses, user agents, or errors.

User-Agent Example:

grep "Bing" /var/log/fail2ban.log

Error Example (case-insensitive, since Fail2Ban writes the level as ERROR):

grep -i "error" /var/log/fail2ban.log

IP address Example (-F treats the dots literally instead of as “any character”, and -w avoids matching longer addresses such as 123.123.123.10):

grep -Fw "123.123.123.1" /var/log/fail2ban.log

These examples demonstrate various ways to filter and search your logs using terminal commands. Reviewing your Fail2Ban logs will help maintain your server’s security and ensure your jails work as intended.
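Added example (not part of the guide): a few functions that answer the usual questions about /var/log/fail2ban.log, run here against a constructed log excerpt in the line format Fail2Ban writes (timestamp, component, pid, level, [jail], message). It also shows why grep -F with -w is the right tool for a dotted address: a bare grep "203.0.113.5" treats each dot as “any character” and also matches 203.0.113.50. The sample log lines, jail names and addresses are made up for the example.

```shell
#!/bin/sh
# Added example: answer common questions from /var/log/fail2ban.log.
# Point FAIL2BAN_LOG at the real file (you may need sudo to read it);
# the sample written below is constructed for this example.

FAIL2BAN_LOG=${FAIL2BAN_LOG:-/var/log/fail2ban.log}

# write_sample_log -> writes a constructed excerpt to a temp file, prints its path
write_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-05-01 10:12:01,514 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 10:12:01
2024-05-01 10:12:01,880 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:15:44,002 fail2ban.actions        [812]: NOTICE  [apache-botsearch] Ban 198.51.100.77
2024-05-01 10:22:09,310 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 10:30:00,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.50
2024-05-01 10:31:12,700 fail2ban.actions        [812]: ERROR   Failed to execute ban jail 'sshd' action 'nftables-multiport'
2024-05-01 10:35:18,020 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
EOF
    printf '%s\n' "$f"
}

# ban_count JAIL -> number of Ban events recorded for JAIL.
# -F matters: without it "[sshd]" is a bracket expression matching one character,
# so "[apache-badbots] Ban" would match too. grep -c exits 1 on zero matches,
# which is not an error here, so only a real failure (exit 2) propagates.
ban_count() {
    grep -Fc "[$1] Ban " "$FAIL2BAN_LOG" || [ $? -eq 1 ]
}

# ip_events IP -> lines about exactly IP (not a longer address sharing the prefix)
ip_events() {
    grep -Fw -- "$1" "$FAIL2BAN_LOG" || [ $? -eq 1 ]
}

# naive_ip_events IP -> what a plain grep "IP" returns (dots match any character)
naive_ip_events() {
    grep -- "$1" "$FAIL2BAN_LOG" || [ $? -eq 1 ]
}

# still_banned JAIL -> addresses whose last event in JAIL is a Ban (replays Ban/Unban);
# on "... [jail] Ban IP" lines the jail, verb and address are the last three fields
still_banned() {
    awk -v jail="[$1]" '
        $(NF-2) == jail && $(NF-1) == "Ban"   { banned[$NF] = 1 }
        $(NF-2) == jail && $(NF-1) == "Unban" { delete banned[$NF] }
        END { for (ip in banned) print ip }
    ' "$FAIL2BAN_LOG" | sort
}

# error_lines -> anything logged at ERROR level
error_lines() {
    grep -F ' ERROR ' "$FAIL2BAN_LOG" || [ $? -eq 1 ]
}

# Demo against the constructed sample
FAIL2BAN_LOG=$(write_sample_log)
printf 'sshd bans: %s\n' "$(ban_count sshd)"
printf 'still banned in sshd: %s\n' "$(still_banned sshd | tr '\n' ' ')"
printf 'exact grep lines for 203.0.113.5: %s\n' "$(ip_events 203.0.113.5 | wc -l)"
printf 'naive grep lines for 203.0.113.5: %s\n' "$(naive_ip_events 203.0.113.5 | wc -l)"
error_lines
rm -f "$FAIL2BAN_LOG"
```

The Ban/Unban replay is a rough cross-check against what fail2ban-client status reports; if the two disagree, the ERROR lines are the first place to look, since a failed action leaves the address logged as banned without the firewall rule actually being in place.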

Additional Learning: Remove Fail2Ban

In case you decide to remove Fail2Ban from your system, you can easily uninstall it by following these steps:

Deactivate Fail2Ban Service

If the Fail2Ban service is still active, you need to disable it first:

sudo systemctl disable fail2ban --now

This command will disable the Fail2Ban service and stop it from running.

Remove Fail2Ban

After disabling the service, you can uninstall Fail2Ban using the following command:

sudo apt remove fail2ban

This command will remove Fail2Ban along with its system dependencies and associated data.

Conclusion

With Fail2Ban installed on your Ubuntu system, you enhance your server’s security by automatically mitigating brute-force attacks and other suspicious activities. Installing Fail2Ban via the Ubuntu default repository ensures a quick and stable setup, with access to regular updates provided by the Ubuntu community. Regularly reviewing and updating your Fail2Ban configurations will help maintain optimal protection for your server, ensuring that your system remains secure and resilient against potential threats.
