Install & Configure Fail2ban to Secure Your Server

Fail2ban is an intrusion prevention framework that works by monitoring system logs for any automated attacks, authentication failures and other suspicious activity.

Fail2ban automatically adds firewall rules to block the attacker's IP address, either for a set amount of time or permanently. By default it does this through iptables, but it also ships actions for nftables, ufw and other firewalls. It can alert you by email when it bans a host, and you can write your own filters and actions.

It is most commonly used to stop brute-force SSH attacks, but it can be configured for any service that records authentication failures in a log file.

This tutorial on setting up Fail2ban will cover pretty much everything you need to know about configuring and managing Fail2ban on your server.

Fail2ban is highly customizable and is packaged for pretty much any distro. I've used Ubuntu 20.04 in this tutorial; the commands should be similar on other distros, but check the official documentation for differences in package names and log paths.

Step 1: Installing Fail2ban on Ubuntu

Install Fail2ban on your server using:

# Update packages
sudo apt update && sudo apt upgrade

# Install Fail2ban
sudo apt install fail2ban

Step 2: Checking Fail2ban Status

After installation the Fail2ban service starts automatically and is enabled at boot; verify this by checking the status of the service:

sudo systemctl status fail2ban

You’ll be greeted with something like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue XXXX-XX-XX XX:XX:XX UTC; 23s ago
       Docs: man:fail2ban(1)
   Main PID: 1226 (f2b/server)
      Tasks: 5 (limit: 1131)
     Memory: 15.9M
     CGroup: /system.slice/fail2ban.service
             └─1226 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

XXX XX XX:XX:XX username systemd[1]: Starting Fail2Ban Service...
XXX XX XX:XX:XX username systemd[1]: Started Fail2Ban Service.
XXX XX XX:XX:XX username fail2ban-server[1226]: Server ready

Step 3: Configuring Fail2ban

Fail2ban keeps its global daemon settings in fail2ban.conf and its jail definitions in jail.conf; each jail references a filter (from /etc/fail2ban/filter.d/) and one or more actions (from /etc/fail2ban/action.d/). All of these live in the /etc/fail2ban/ directory.

We won't modify these .conf files; instead we'll create two new .local files, fail2ban.local and jail.local, because the default .conf files are overwritten when the package is updated.

Fail2ban reads the .conf files first and then the .local files, so any setting in a .local file overrides the same setting in the .conf file. This is why configuration changes are made in .local files and the .conf files are left untouched.

We’ll be now creating and configuring fail2ban.local & jail.local files.

Step 4: Configuring fail2ban.local

Alright, let's first create the fail2ban.local file by copying the contents of fail2ban.conf (only the settings you change need to differ):

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

We can now edit our fail2ban.local file using sudo nano /etc/fail2ban/fail2ban.local; here are a few options that you can change:

  • loglevel – Sets the log level, which can be CRITICAL, ERROR, WARNING, NOTICE, INFO, or DEBUG.
  • logtarget – Sets the log target, which can be a file path, SYSLOG, STDERR, or STDOUT. The default is the file /var/log/fail2ban.log.
  • syslogsocket – Sets the syslog socket to auto or a file path (only used if logtarget is set to SYSLOG).
  • socket – Sets the socket file used by fail2ban-client to communicate with the daemon. Do not remove this file; its default path is /var/run/fail2ban/fail2ban.sock.
  • pidfile – Sets the PID file, which stores the process ID of the Fail2ban server; its default location is /var/run/fail2ban/fail2ban.pid.

Step 5: Configuring jail.local

Now, let's create the jail.local file by copying the contents of jail.conf to jail.local:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We can now edit our jail.local file using sudo nano /etc/fail2ban/jail.local. This is where most of the options are, including the "jails" explained in a later section. The settings below go in the [DEFAULT] section and apply to every jail unless a jail overrides them; here are a few you may want to change:

Whitelist IP Addresses

IP addresses, IP ranges, or hosts that you want to exclude from banning are listed in the ignoreip option. Add the address you administer the server from here, so a few mistyped passwords cannot lock you out.

Uncomment the line starting with ignoreip and add your IP addresses separated by space:

ignoreip = 127.0.0.1/8 ::1 123.45.67.89 192.168.1.0/24

Ban Settings

The values of bantime, findtime, and maxretry options define the ban time and ban conditions.

bantime is how long an IP stays banned; the default is 10 minutes. Most users will want a longer ban time, so change the value accordingly:

bantime  = 12h

findtime is the window in which failures are counted: an IP is banned if it produces maxretry failures (see below) within the last findtime. The default is 10 minutes, which is fine for most people.

findtime  = 10m

maxretry is the number of failures within findtime before an IP is banned; the default is five, which is fine for most people.

maxretry = 5

Email Notifications

Fail2ban can send email alerts when an IP has been banned. To receive them you need a mail transfer agent such as sendmail or postfix installed on the server, and the jail must use one of the mail-sending actions defined in jail.conf (action_mw or action_mwl, for example action = %(action_mwl)s, instead of the default action_ which only bans). Then update the addresses used for sending and receiving notifications:

# Destination email address
destemail = admin@example.com

# Sender email address
sender = root@example.com

Step 6: Configuring Fail2ban Jails

Fail2ban uses the concept of jails, a jail describes a service and includes filters and actions for that particular service; log entries matching the search pattern are counted, and if a predefined condition is met, the corresponding actions are executed.

jail.local already contains jail definitions for many services. They are all disabled by default, except that on Ubuntu and Debian the sshd jail is switched on by /etc/fail2ban/jail.d/defaults-debian.conf, which is read after jail.local. You can also write your own jails. To enable a jail, add enabled = true under its section header.

To edit or create jails, edit jail.local using sudo nano /etc/fail2ban/jail.local. Here's an example for SSH, like the one you will find in jail.local; values set here override the [DEFAULT] values for this jail only:

[sshd]

# turn the jail on
enabled = true
# port(s) the service listens on (a name from /etc/services or a number)
port = ssh
# filter file to apply: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# log file the filter is run against
logpath = /var/log/auth.log
# ban after 3 failures within 300 seconds, for 3600 seconds (1 hour)
maxretry = 3
findtime = 300
bantime = 3600
# never ban localhost or your own address
ignoreip = 127.0.0.1 123.45.67.89

The filters are located in the /etc/fail2ban/filter.d directory; the filter = line names the file (sshd means filter.d/sshd.conf), and when filter is omitted Fail2ban uses the filter with the same name as the jail.
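To make the ban settings from Step 5 and the [sshd] jail above concrete, here is an added example (not code from this tutorial or from the Fail2ban project) that re-implements the counting a jail performs: it applies a simplified version of the sshd "Failed password" pattern to constructed auth.log lines and bans a host once it reaches maxretry failures within findtime, skipping anything listed in ignoreip. The regex, the sample log lines and the assumed year are all my own; the real filter.d/sshd.conf matches many more messages.

```python
# Added example, not code from the tutorial or from the Fail2ban project:
# a small re-implementation of the counting logic a jail applies, so the
# effect of maxretry, findtime, bantime and ignoreip can be seen on
# constructed auth.log lines. Values mirror the [sshd] jail in the tutorial.
import ipaddress
import re
from datetime import datetime, timedelta

MAXRETRY = 3                       # failures allowed inside FINDTIME
FINDTIME = timedelta(seconds=300)  # sliding window for counting failures
BANTIME = timedelta(seconds=3600)  # how long a ban lasts
IGNOREIP = ["127.0.0.1/8", "::1", "123.45.67.89"]  # never banned

# Simplified stand-in for the "Failed password" rule in filter.d/sshd.conf;
# the real filter matches many more sshd messages.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log lines (not a real capture). Hosts:
#   203.0.113.7  - three failures within 11 seconds     -> banned
#   123.45.67.89 - three quick failures but in ignoreip -> never banned
#   198.51.100.9 - three failures ten minutes apart     -> never reaches maxretry
SAMPLE_LOG = """\
Jan 12 10:00:01 server sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:05 server sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 12 10:00:09 server sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2
Jan 12 10:00:12 server sshd[1204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:01:00 server sshd[1205]: Failed password for root from 123.45.67.89 port 41000 ssh2
Jan 12 10:01:02 server sshd[1206]: Failed password for root from 123.45.67.89 port 41001 ssh2
Jan 12 10:01:04 server sshd[1207]: Failed password for root from 123.45.67.89 port 41002 ssh2
Jan 12 10:10:00 server sshd[1208]: Failed password for bob from 198.51.100.9 port 33000 ssh2
Jan 12 10:20:00 server sshd[1209]: Failed password for bob from 198.51.100.9 port 33001 ssh2
Jan 12 10:30:00 server sshd[1210]: Failed password for bob from 198.51.100.9 port 33002 ssh2
"""


def parse_ts(ts: str, year: int = 2021) -> datetime:
    """auth.log timestamps carry no year; the year used here is an assumption."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def is_ignored(ip: str) -> bool:
    """True if ip falls inside any ignoreip address or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def simulate(lines):
    """Return {ip: ban_expiry} for hosts that hit MAXRETRY within FINDTIME."""
    failures = {}  # ip -> timestamps of failures still inside the window
    bans = {}      # ip -> datetime at which the ban expires
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failure the filter cares about
        ip, ts = m["ip"], parse_ts(m["ts"])
        if is_ignored(ip):
            continue
        if ip in bans and ts < bans[ip]:
            continue  # still banned; the firewall rule would have dropped this
        # keep only failures that occurred within FINDTIME of this one
        window = [t for t in failures.get(ip, []) if ts - t <= FINDTIME]
        window.append(ts)
        failures[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            failures[ip] = []  # counter resets once the ban is issued
    return bans


if __name__ == "__main__":
    for ip, until in simulate(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Running it bans only 203.0.113.7 (until 11:00:12): the whitelisted address is skipped even though it failed three times in four seconds, and the slow attacker at 198.51.100.9 never has more than one failure inside the 300-second window, which is exactly why a longer findtime is the knob to turn against low-and-slow guessing. On a real server the same check is done with fail2ban-regex against the actual filter and log file.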

After every edit you make to the configuration files, restart Fail2ban (or reload it with fail2ban-client reload, see Step 8) for the changes to take effect; a configuration error will stop the service from starting, so check the status afterwards:

sudo systemctl restart fail2ban

Step 7: Check Jail Status

Fail2ban ships with fail2ban-client, which you can use to interact with the running service. View all active jails using:

sudo fail2ban-client status

You should see an output like this if you have enabled the SSH jail:

Status
|- Number of jail:      1
`- Jail list:   sshd

You can also check the status of a specific jail by giving its name; the output lists the monitored log files, the current and total failure counts, and the currently banned IPs. Here's an example for the sshd jail:

sudo fail2ban-client status sshd

Step 8: Using the Fail2ban Client

You can use fail2ban-client to do much more, including banning and unbanning an IP address by hand in a given jail:

# Ban an IP address
sudo fail2ban-client set sshd banip 123.45.67.89

# Unban an IP address
sudo fail2ban-client set sshd unbanip 123.45.67.89

Here’s the common fail2ban-client command structure:

fail2ban-client COMMAND
  • start: Starts the Fail2ban server and its jails.
  • reload: Reloads Fail2ban's configuration files.
  • reload JAIL: Reloads only the named jail (replace JAIL with the jail's name).
  • stop: Terminates the Fail2ban service.
  • status: Shows the Fail2ban status and the list of enabled jails.
  • status JAIL: Shows the status of the named jail, including any currently banned IPs.

You can check all available options for fail2ban-client using fail2ban-client -h.

That’s all folks!

You now know how to set up a fully configured Fail2ban on your server. Even though I've used Ubuntu in this tutorial, almost all steps are the same on other distros; be sure to check the official Fail2ban documentation.
