Fail2ban is one of the first things you should install on your new Linux server deployments. Once deployed, fail2ban works to prevent malicious and brute force login attacks and can be used to monitor protocols such as HTTP, SSH and FTP.
If fail2ban detects a malicious login attempt, it will automatically block the offending IP address, so whoever is attempting the attack will be prevented from gaining access.
I’m going to walk you through the process of installing fail2ban on the latest release of Ubuntu Server (22.04, also known as Jammy Jellyfish).
What you’ll need
The only things you’ll need to get fail2ban up and running are an instance of Ubuntu Server 22.04 and a user with sudo privileges.
That’s it: Let’s get that server secured.
How to install fail2ban
The installation of fail2ban is incredibly simple. Log into your Ubuntu Server instance and issue the command:
sudo apt-get install fail2ban -y
Start and enable the fail2ban service with:
sudo systemctl enable --now fail2ban
If you’re running the UFW firewall – and you should be – then you might need to allow SSH traffic into the server with the command:
sudo ufw allow ssh
How to configure fail2ban
Fail2ban depends on a few different files and directories, which are:
- fail2ban.conf – the main configuration file
- jail.conf – a sample jail configuration
- action.d – contains various fail2ban actions configurations for things like mail and firewall
- jail.d – contains additional fail2ban jail configurations
We’re going to create a new file, jail.local, and configure fail2ban to prevent malicious SSH logins.
Create the new file with:
sudo nano /etc/fail2ban/jail.local
In that file, paste the following contents (the [sshd] line is the section header that names the jail; without it fail2ban cannot parse the file):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1
Here’s the description of the above:
- enabled – enables the jail
- port – the port (or service name) the ban rule applies to
- filter – the built-in filter fail2ban uses to recognise failed SSH logins
- logpath – the log file fail2ban monitors for failed login attempts
- maxretry – the number of failed attempts allowed before an IP is blocked
- findtime – the window, in seconds, within which maxretry failures must occur to trigger a ban
- bantime – number of seconds an IP address is banned for
- ignoreip – an IP address that fail2ban will never ban
Save and close the file.
Restart fail2ban with:
sudo systemctl restart fail2ban
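To see how maxretry, findtime and bantime interact, here is an added Python example (not part of the original article, and not fail2ban's own code) that replays a constructed auth.log excerpt through a simplified model of the sshd jail above. The hostname, IPs and log lines are made up, and the regex is a cut-down stand-in for fail2ban's real sshd filter.

```python
import re
from datetime import datetime, timedelta

# Jail settings from the jail.local above.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 28800   # attempts, seconds, seconds
IGNOREIP = {"127.0.0.1"}

# Simplified stand-in for fail2ban's sshd filter (assumption: the real one matches far more variants).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed /var/log/auth.log excerpt (not captured from a real host).
SAMPLE_AUTH_LOG = """\
May  3 10:00:01 jammy sshd[2001]: Failed password for root from 192.168.1.40 port 50112 ssh2
May  3 10:00:09 jammy sshd[2001]: Failed password for root from 192.168.1.40 port 50112 ssh2
May  3 10:00:15 jammy sshd[2003]: Failed password for invalid user admin from 192.168.1.40 port 50120 ssh2
May  3 10:00:20 jammy sshd[2005]: Failed password for root from 127.0.0.1 port 40001 ssh2
May  3 10:00:25 jammy sshd[2005]: Failed password for root from 127.0.0.1 port 40001 ssh2
May  3 10:00:30 jammy sshd[2005]: Failed password for root from 127.0.0.1 port 40001 ssh2
May  3 10:10:00 jammy sshd[2010]: Failed password for root from 10.0.0.7 port 33001 ssh2
May  3 10:13:00 jammy sshd[2011]: Failed password for root from 10.0.0.7 port 33002 ssh2
May  3 10:16:00 jammy sshd[2012]: Failed password for root from 10.0.0.7 port 33003 ssh2
"""

def parse_failures(log_text):
    """Return [(timestamp, ip), ...] for every line the filter matches."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:   # syslog timestamps carry no year; strptime defaults it to 1900
            hits.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"]))
    return hits

def simulate_jail(log_text):
    """Return {ip: ban_expiry} for IPs with MAXRETRY failures inside one FINDTIME window."""
    recent, bans = {}, {}
    for ts, ip in parse_failures(log_text):
        if ip in IGNOREIP or (ip in bans and ts < bans[ip]):
            continue   # whitelisted, or already banned
        # Keep only earlier failures that fall within FINDTIME seconds of this one.
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip] = ts + timedelta(seconds=BANTIME)
    return bans
```

Only 192.168.1.40 ends up banned: 10.0.0.7 also fails three times, but spread over six minutes, so no three failures ever share a 300-second window, and 127.0.0.1 is skipped by ignoreip.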
How to test fail2ban
Log into another machine and attempt an SSH login to the server housing fail2ban. Make sure to type the password incorrectly 3 times.
After the third attempt, SSH will hang and you must press CTRL + C to return to the prompt. If you attempt another SSH login, you’ll be presented with a Connection refused error.
How to unban an IP address
After testing, you might want to unban the IP address you used. Confirm that an IP is currently banned with the command:
sudo fail2ban-client status sshd
You should see something like the following listed:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 192.168.1.40
To unban IP address 192.168.1.40, you’d issue the command:
sudo fail2ban-client set sshd unbanip 192.168.1.40
You should see the number one printed out, because that’s how many IP addresses you just unbanned.
You can also manually ban an IP with the command:
sudo fail2ban-client set sshd banip 192.168.1.40
Congratulations, you’ve successfully installed and configured fail2ban to block unwanted SSH logins to your Ubuntu Server instance.