Fail2Ban is a crucial security tool for protecting Linux systems against brute-force attacks. It works by monitoring log files for suspicious activity, such as repeated failed login attempts, and automatically bans the offending IP addresses by updating firewall rules. Fail2Ban is highly configurable, allowing administrators to define custom filters, ban times, and actions, making it an essential component for maintaining server security.
On Ubuntu 24.04, 22.04, or 20.04, Fail2Ban is installed from the default Ubuntu repository, which gives you a package that receives security updates through apt. This guide walks through the installation and the basic configuration from the command-line terminal.
Update Ubuntu Before Fail2ban Installation
Before starting the installation process, you must update your system to ensure a smooth installation and avoid potential conflicts. To do this, run the following command in your terminal:
sudo apt update && sudo apt upgrade
Install Fail2ban via Terminal Command
Fail2Ban is available in Ubuntu’s default repository, simplifying the installation process. Execute the following command to begin the installation:
sudo apt install fail2ban
Enable and Activate Fail2ban
On Ubuntu the package normally enables and starts the fail2ban service as part of the installation. Run the following command anyway: it is harmless if the service is already running, and it makes sure the service is started now and enabled at boot if it is not:
sudo systemctl enable fail2ban --now
Verify Fail2Ban Service Status
Once you have installed Fail2Ban, check its service status. The output should show the unit as enabled and active (running). If it shows failed, look at journalctl -u fail2ban for the reason; the usual cause is a jail that points at a log file which does not exist on this server.
Run the following command to verify the status:
sudo systemctl status fail2ban
Fail2ban Backup Settings
After installing Fail2Ban, configure it to suit your server. The package ships its defaults in /etc/fail2ban/jail.conf, plus /etc/fail2ban/jail.d/defaults-debian.conf, which enables the sshd jail. Both files belong to the package and are overwritten by upgrades, so do not edit them.
Put your settings in a file with the .local extension instead. Fail2Ban reads jail.conf first and then jail.local, and any setting in the .local file overrides the same setting from the .conf file. Settings in .local files survive package updates, and the untouched jail.conf remains as a reference to fall back on if a change goes wrong.
One common way to start is to copy jail.conf to jail.local and edit the copy:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
A jail.local that contains only the settings you actually change (the [DEFAULT] section and the jails you enable) is smaller and easier to review; a full copy works just as well, as long as you remember that every line in it now overrides the packaged default. Either way, edit jail.local and leave jail.conf alone.
Example Rundown: Configure Fail2ban
The rest of this section walks through the settings you will most often change in jail.local once it exists. The values shown are illustrations and need to be adjusted and tested against your own server.
Edit Fail2ban Configuration File
To edit the jail.local file using the nano editor, run the following command:
sudo nano /etc/fail2ban/jail.local
Ban Time Increments with Fail2ban
Enable the ban-time increment so that repeat offenders are banned for longer each time. With the default formula the ban length doubles on every repeat: an address first banned for one hour gets two hours the next time, then four, then eight. bantime.factor multiplies that result (a factor of 2 turns the sequence into 1h, 4h, 8h, 16h), and bantime.maxtime sets an upper limit so the ban cannot grow indefinitely. The repeat count comes from Fail2Ban's SQLite database, so it persists across service restarts.
Example (these lines are commented out in jail.conf; remove the leading # in jail.local to activate them):
## Ban Time Multipliers
bantime.increment = true
bantime.factor = 2
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
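To see what these three settings actually do to a repeat offender before you commit to them, the following script (an added example, not code from the original article or from the Fail2Ban project) reproduces the default bantime.formula as Fail2Ban applies it: the first ban uses the plain bantime, every later ban runs the formula, the shift saturates at 2**20, and bantime.maxtime caps the result. The duration parser understands only the s/m/h/d/w units used in this guide, a deliberate subset of what Fail2Ban accepts.

```python
import re

# Time units accepted here: a subset of what fail2ban's own parser
# understands ("10m", "1h", "1d 12h", "1w"); a bare number is seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)\s*([smhdw]?)")


def parse_duration(text):
    """Convert a fail2ban-style duration such as '10m' or '1d 12h' to seconds."""
    text = str(text).strip()
    if not re.fullmatch(r"(\d+\s*[smhdw]?\s*)+", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u or "s"] for n, u in _TOKEN.findall(text))


def next_ban_time(base, count, factor=1, maxtime=None):
    """Ban length in seconds for an address already banned `count` times.

    Mirrors the default bantime.formula
        ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    the way fail2ban applies it: the first ban (count 0) is the plain
    bantime, later bans run the formula, the shift saturates at 2**20,
    and bantime.maxtime (if set) caps the result.
    """
    seconds = base if count <= 0 else base * (1 << min(count, 20)) * factor
    if maxtime is not None:
        seconds = min(seconds, maxtime)
    return int(seconds)


def ban_schedule(bantime, bans, factor=1, maxtime=None):
    """Successive ban lengths (seconds) for one address banned `bans` times."""
    base = parse_duration(bantime)
    cap = parse_duration(maxtime) if maxtime is not None else None
    return [next_ban_time(base, n, factor, cap) for n in range(bans)]


if __name__ == "__main__":
    # Compare the page's factor=2 setting with the default and with a cap.
    for factor, cap in ((1, None), (2, None), (2, "1d")):
        sched = ban_schedule("1h", 6, factor=factor, maxtime=cap)
        pretty = ", ".join(f"{s // 3600}h" for s in sched)
        print(f"bantime=1h factor={factor} maxtime={cap}: {pretty}")
```

Running it shows why a cap matters: with bantime = 1h and factor = 2 the sixth ban is already 64 hours, and without bantime.maxtime the sequence keeps doubling until the shift saturates.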
Whitelist IPs in Fail2ban
To whitelist addresses that must never be banned (your own workstation, a monitoring host, a VPN endpoint), uncomment the ignoreip line in the [DEFAULT] section and list them separated by spaces, either as single addresses or as CIDR ranges. Keep the list short: every address here is exempt from every jail, so a broad range quietly disables protection for that range.
Example (180.53.31.33 stands for your own address; replace it):
ignoreip = 127.0.0.1/8 ::1 180.53.31.33
Default Ban Time Setup
By default, Fail2Ban bans an attacker for 10 minutes after five failed attempts within a 10-minute window. You can adjust these default settings, but it’s recommended to set custom ban times and retry limits for different jails.
Example:
[DEFAULT]
# "bantime" is the length of time a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" failures during the last "findtime".
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
E-Mail Alerts/Notifications with Fail2ban
Fail2Ban can e-mail a report for every ban. Set destemail and sender, and select a mail-enabled action either in [DEFAULT] or per jail: action_mw sends a whois report for the banned address, and action_mwl adds the log lines that triggered the ban. Mail is handed to the local MTA (sendmail by default, controlled by the mta setting), so the server needs a working mail setup; without one the ban still takes effect, but the mail part of the action logs an error. Separate reporting actions for external reputation services live in /etc/fail2ban/action.d and are configured per jail.
Example:
destemail = admin@example.com
sender = fail2ban@example.com
Fail2ban Jails
A jail ties a filter from /etc/fail2ban/filter.d (the regular expressions that recognise failures in a log) to a log path and to an action from /etc/fail2ban/action.d (what to do with the offending address). jail.conf defines jails for many common services, but on Ubuntu only sshd is enabled out of the box. You can enable, disable, or customize jails based on your server's needs.
To enable a jail, add enabled = true in the corresponding jail section. Only enable jails for services that are actually installed and logging: a jail whose logpath does not exist fails to start.
Example:
[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
You can also add your own jails, and choose the firewall action a jail uses by setting banaction to one of the actions in /etc/fail2ban/action.d (for example iptables-multiport, nftables-multiport, or cloudflare, which needs its API credentials filled in before it works). To receive a whois report by mail as well, set action to one of the mail actions defined in jail.conf.
Example:
[apache-botsearch]
enabled = true
port = http,https
logpath = %(apache_error_log)s
action = %(action_mw)s
bantime = 72h
maxretry = 1
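As a complete worked example (added here; it is not from the original article or from the Fail2Ban project), the following jail.local combines the settings discussed above: the [DEFAULT] overrides, incremental bans with a cap, mail reports, the sshd jail that the Ubuntu package enables, and the two Apache jails. The management address 203.0.113.10, the mail addresses and the ban lengths are assumed values to replace; the backend = systemd line under [sshd] is only needed on a host where /var/log/auth.log is absent (no rsyslog installed) and is harmless otherwise.

```ini
# /etc/fail2ban/jail.local (added example; replace addresses, mail and ban lengths)
[DEFAULT]
# Never ban loopback or the management host (203.0.113.10 is an assumed address).
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

bantime  = 10m
findtime = 10m
maxretry = 5

# Repeat offenders: 10m, 20m, 40m, 80m ... capped at one week.
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 1w

# Mail a whois report plus the triggering log lines on every ban.
# Requires a working local MTA (sendmail by default).
destemail = admin@example.com
sender = fail2ban@example.com
action = %(action_mwl)s

[sshd]
enabled = true
# Read sshd messages from the journal; needed when /var/log/auth.log does not exist.
backend = systemd
maxretry = 3
bantime = 1h

# The Apache jails only start if Apache is installed and writing to
# /var/log/apache2 (apache_access_log and apache_error_log resolve there).
[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-botsearch]
enabled = true
port = http,https
logpath = %(apache_error_log)s
bantime = 72h
maxretry = 1
```

Per-jail values (maxretry = 3 under [sshd], bantime = 48h under [apache-badbots]) override the [DEFAULT] values for that jail only; everything not mentioned in a jail section is inherited from [DEFAULT] and, below that, from jail.conf.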
Once you've finished editing, check that the configuration parses with sudo fail2ban-client -t, then restart the service to apply your changes:
sudo systemctl restart fail2ban
Ban or Unban via Fail2Ban Commands
Once Fail2Ban is configured, the commands you will reach for most often are ban and unban. Both go through fail2ban-client, which talks to the running server over a root-owned socket, so run it with sudo.
Ban an IP address via Fail2ban CLI Command
To ban an IP address manually for a specific jail (e.g., apache-botsearch), use the following command:
sudo fail2ban-client set apache-botsearch banip <ip address>
Unban an IP address via Fail2ban CLI Command
To unban an IP address for a specific jail (e.g., apache-botsearch), use the following command:
sudo fail2ban-client set apache-botsearch unbanip <ip address>
Accessing the Help Menu
To access the help menu and view additional settings or commands, use the following command:
sudo fail2ban-client -h
Additional Fail2ban Command Examples
Check the status of a specific jail:
sudo fail2ban-client status apache-botsearch
Reload the configuration without restarting the Fail2Ban service:
sudo fail2ban-client reload
Check the list of currently banned IP addresses for a specific jail:
sudo fail2ban-client get apache-botsearch banned
Change the ban time a jail applies to new bans (bans already in place keep their original length, and the value reverts to jail.local on the next reload or restart):
sudo fail2ban-client set apache-botsearch bantime 1h
These commands cover day-to-day ban management. Replace <ip address> with the address concerned and apache-botsearch with the jail you are working with; the jail name is the section header in jail.local.
Check or Monitor Fail2Ban Logs
Monitor the Fail2Ban log to confirm that your jails start and that bans are actually being applied. By default Fail2Ban writes to /var/log/fail2ban.log, which is readable only by root, so prefix the commands below with sudo. Service-level start failures also show up in journalctl -u fail2ban.
Monitor Logs in Real-Time For Fail2ban
To watch the log live and spot problems while you work on the server, use tail -f:
sudo tail -f /var/log/fail2ban.log
This command allows you to monitor log changes in real-time.
Search Logs for Specific Fail2ban Information
You can also use grep to pull specific events out of the log: ban events, error messages, or everything involving one address. Note that fail2ban.log records the jail, the address and the action taken, not the request that triggered it; to see the user agent or URL behind an apache-badbots ban, search the Apache access log for the banned address instead.
Ban events example:
sudo grep "Ban " /var/log/fail2ban.log
Error Example:
sudo grep -i "error" /var/log/fail2ban.log
IP address Example:
sudo grep "123.123.123.1" /var/log/fail2ban.log
These examples show a few ways to filter the log from the terminal. Reviewing the Fail2Ban log regularly is the quickest way to confirm that your jails are doing what you intended.
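For anything beyond a quick grep, a small parser that understands the log's line layout answers the questions you actually have: how many hits and bans each jail produced, which ERROR lines appeared (a broken firewall action, for instance), and which addresses reached the filter at least maxretry times but were never banned, which usually means the address is covered by ignoreip or the hits were spread over more than findtime. The script below is an added example, not code from the original article or from the Fail2Ban project; the embedded log excerpt is constructed for the demonstration using RFC 5737 documentation addresses, and the regular expression assumes the default log format.

```python
import re
import sys
from collections import Counter, defaultdict
from pathlib import Path

# Layout of a /var/log/fail2ban.log line in the default log format:
#   YYYY-MM-DD HH:MM:SS,ms fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <message>
# The [<jail>] part is absent on server-level messages such as action errors.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<component>\w+)\s+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+(?:\[(?P<jail>[^\]]+)\] )?(?P<msg>.*)$"
)
# Per-address events a jail logs: a filter hit, a ban, an unban, or a ban
# restored from the database when the service starts.
EVENT = re.compile(r"^(?P<event>Found|Ban|Unban|Restore Ban) (?P<ip>\S+)")

# Constructed sample, not a real server's log.
SAMPLE_LOG = """\
2024-05-01 10:00:05,010 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 198.51.100.200
2024-05-01 10:15:31,101 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2024-05-01 10:15:30
2024-05-01 10:15:33,102 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2024-05-01 10:15:32
2024-05-01 10:15:35,103 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2024-05-01 10:15:34
2024-05-01 10:15:37,104 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2024-05-01 10:15:36
2024-05-01 10:15:39,105 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.45 - 2024-05-01 10:15:38
2024-05-01 10:15:39,210 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.45
2024-05-01 10:16:01,300 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:16:00
2024-05-01 10:16:03,301 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:16:02
2024-05-01 10:16:05,302 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:16:04
2024-05-01 10:16:07,303 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:16:06
2024-05-01 10:16:09,304 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:16:08
2024-05-01 10:20:00,400 fail2ban.actions        [1234]: NOTICE  [apache-badbots] Ban 198.51.100.7
2024-05-01 10:25:39,500 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.45
2024-05-01 10:30:00,600 fail2ban.actions        [1234]: ERROR   Failed to execute ban jail 'apache-badbots' action 'iptables-multiport': Error banning 198.51.100.7
"""


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    e = EVENT.match(rec["msg"])
    rec["event"] = e.group("event") if e else None
    rec["ip"] = e.group("ip") if e else None
    return rec


def summarize(lines, maxretry=5):
    """Count events per jail, collect error messages, and flag addresses that
    were found at least `maxretry` times in a jail without ever being banned."""
    per_jail = defaultdict(Counter)
    hits = defaultdict(Counter)
    banned = defaultdict(set)
    errors = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] in ("ERROR", "CRITICAL"):
            errors.append(rec["msg"])
        if rec["event"] and rec["jail"]:
            per_jail[rec["jail"]][rec["event"]] += 1
            if rec["event"] == "Found":
                hits[rec["jail"]][rec["ip"]] += 1
            elif rec["event"] in ("Ban", "Restore Ban"):
                banned[rec["jail"]].add(rec["ip"])
    never_banned = {}
    for jail, counts in hits.items():
        ips = sorted(ip for ip, n in counts.items()
                     if n >= maxretry and ip not in banned[jail])
        if ips:
            never_banned[jail] = ips
    return {"per_jail": {j: dict(c) for j, c in per_jail.items()},
            "never_banned": never_banned, "errors": errors}


if __name__ == "__main__":
    # Usage: sudo python3 fail2ban_report.py /var/log/fail2ban.log
    src = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarize(src)
    for jail, counts in report["per_jail"].items():
        print(f"{jail}: {counts}")
    print("found but never banned:", report["never_banned"])
    for msg in report["errors"]:
        print("ERROR:", msg)
```

On the sample, the report shows 192.0.2.10 reaching five hits in the sshd jail with no Ban line; on a real server that is the cue to check ignoreip and findtime before assuming the jail is broken. The ERROR line is the other thing worth acting on: a ban that fails to execute means the firewall action is misconfigured and the jail is not protecting anything.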
Additional Learning: Remove Fail2Ban
In case you decide to remove Fail2Ban from your system, you can easily uninstall it by following these steps:
Deactivate Fail2Ban Service
If the Fail2Ban service is still active, you need to disable it first:
sudo systemctl disable fail2ban --now
This command will disable the Fail2Ban service and stop it from running.
Remove Fail2Ban
After disabling the service, uninstall the package:
sudo apt remove fail2ban
This removes the program but deliberately leaves /etc/fail2ban, including your jail.local, in place. Use sudo apt purge fail2ban instead if you also want the configuration deleted, and run sudo apt autoremove afterwards to drop dependencies that were only installed for Fail2Ban.
Conclusion
With Fail2Ban installed on your Ubuntu system, you enhance your server’s security by automatically mitigating brute-force attacks and other suspicious activities. Installing Fail2Ban via the Ubuntu default repository ensures a quick and stable setup, with access to regular updates provided by the Ubuntu community. Regularly reviewing and updating your Fail2Ban configurations will help maintain optimal protection for your server, ensuring that your system remains secure and resilient against potential threats.