If you’re looking to secure your Ubuntu Server, one of the first things you should do is install the fail2ban intrusion detection system. What fail2ban does is monitor specific log files (in /var/log) for failed login attempts or automated attacks on your server. When it detects repeated failures from an IP address, fail2ban blocks that address (by adding a rule to an iptables chain it manages) so that it can neither gain entry nor continue attacking the server.

Believe it or not, fail2ban is so easy to install and use, it should be considered a no-brainer for all Linux servers.

I want to walk you through the process of installing fail2ban on Ubuntu Server 18.04. I’ll then show you how to add a jail to monitor for failed SSH login attempts.


Installation

Installing fail2ban is simple. Log into your Ubuntu Server and update/upgrade. Do note that should the kernel be upgraded in this process, the server will have to be rebooted (so run this at a time when a reboot is viable). To update and upgrade the server, issue the following commands:

sudo apt-get update
sudo apt-get upgrade

Once the above commands complete, reboot the server (if necessary).

Installing fail2ban can be done with a single command:

sudo apt-get install -y fail2ban

When that command finishes, fail2ban is ready to go. You’ll want to start and enable the service with the commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configuring a jail

Next we’re going to configure a jail for SSH login attempts. In the /etc/fail2ban directory, you’ll find the jail.conf file. Do not edit this file (package upgrades overwrite it). Instead, we’ll create a new file, jail.local, whose settings override the matching settings in jail.conf. Our new jail configuration will monitor /var/log/auth.log, use the fail2ban sshd filter, set the SSH port to 22, and set maxretry to 3. To do this, issue the command:

sudo nano /etc/fail2ban/jail.local

In this new file, paste the following contents:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save and close that file. Restart fail2ban with the command:

sudo systemctl restart fail2ban

At this point, if anyone attempts to log into your Ubuntu Server via SSH and fails three times, they will be prevented from entry, by way of iptables blocking their IP address.
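To make the jail's behaviour concrete, here is an added Python example (not part of the article, and not fail2ban's own code) that reads the jail.local shown above, runs a simplified failed-password pattern over a few constructed auth.log lines, and applies the maxretry/findtime counting that leads to a ban. The regular expression is an approximation of what the sshd filter matches, not the filter shipped in /etc/fail2ban/filter.d/sshd.conf; the chain name f2b-sshd, the host names and the IP addresses are assumptions made for this example; the findtime and bantime fallbacks stand in for the defaults inherited from jail.conf.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed copy of the jail.local the article has you create.
JAIL_LOCAL = """
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
"""

# Constructed auth.log lines in the syslog format sshd writes on Ubuntu 18.04.
# Host name and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 ubuntu sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:05 ubuntu sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 ubuntu sshd[1205]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Mar  3 10:00:12 ubuntu sshd[1207]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:00:20 ubuntu sshd[1209]: Failed password for invalid user test from 198.51.100.9 port 40022 ssh2
Mar  3 10:00:25 ubuntu sshd[1211]: Failed password for root from 203.0.113.7 port 51150 ssh2
"""

# Simplified pattern for one kind of line the sshd filter matches (assumption:
# fail2ban's real filter covers many more message variants).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def load_jail(text):
    """Read the [sshd] section the way fail2ban layers jail.local over jail.conf."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sec = cfg["sshd"]
    return {
        "enabled": sec.getboolean("enabled"),
        "port": sec.getint("port"),
        "maxretry": sec.getint("maxretry"),
        # Assumed stand-ins for the defaults jail.conf supplies when
        # jail.local does not set them.
        "findtime": sec.getint("findtime", fallback=600),
        "bantime": sec.getint("bantime", fallback=600),
    }


def parse_ts(s, year=2024):
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def scan(log_text, jail):
    """Return {ip: time_of_ban} for every address that reaches maxretry
    failures within findtime seconds, as the sshd jail does over auth.log."""
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in banned:
            continue  # already blocked; later lines change nothing
        window_start = ts - timedelta(seconds=jail["findtime"])
        failures[ip] = [t for t in failures[ip] if t >= window_start] + [ts]
        if len(failures[ip]) >= jail["maxretry"]:
            banned[ip] = ts
    return banned


def iptables_rule(ip):
    """Illustrative shape of the rule fail2ban inserts into its per-jail chain
    (chain name and REJECT target are assumptions for this example)."""
    return f"iptables -I f2b-sshd 1 -s {ip} -j REJECT"


def unban(banned, ip):
    """Counterpart of `fail2ban-client set sshd unbanip IP`."""
    return {k: v for k, v in banned.items() if k != ip}


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    for ip, when in scan(SAMPLE_AUTH_LOG, jail).items():
        print(f"{when:%H:%M:%S} ban {ip}: {iptables_rule(ip)}")
```

Run as-is, the script bans 203.0.113.7 at the third failure (10:00:12) and leaves 198.51.100.9 alone because it only failed once, which is exactly the maxretry = 3 behaviour the jail above produces.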

Testing and unbanning

You can test to make sure the new jail works by failing three attempts at logging into the server via SSH. After the third failed attempt, the connection will hang. Hit [Ctrl]+[c] to escape and then attempt to SSH back into the server. You should no longer be able to SSH into that server from the IP address you were using.

You can then unban your test IP address with the following command:

sudo fail2ban-client set sshd unbanip IP_ADDRESS

where IP_ADDRESS is the banned IP address.

You should now be able to log back into the server with SSH.

Scratching the surface

This barely scratches the surface of what fail2ban can do, but you now have a good idea of how to use the system. To find out more, make sure to read the man page with the command:

man fail2ban

That manual page provides a good overview of what fail2ban can do.
