In this tutorial, we'll explain how to install and configure Fail2Ban on Ubuntu 24.04.
Fail2Ban is a powerful, open-source intrusion prevention software framework designed to protect your server from brute-force attacks. It works by monitoring log files for suspicious activity and automatically taking action to ban IP addresses that exhibit patterns of malicious behavior.
Fail2Ban is highly configurable and can be used to protect various services, including SSH, FTP, web servers, and more.
Key Features of Fail2Ban
Log Monitoring: Fail2Ban scans log files for specific patterns of failed login attempts and other suspicious activities. This allows it to identify and respond to potential security threats in real-time.
Automated IP Banning: When a predefined number of failed login attempts or other malicious events from one address are detected within the configured time window, Fail2Ban bans the offending IP address by adding a firewall rule (iptables, nftables or ufw, depending on the configured banaction). This stops further attempts from the same source for the duration of the ban.
Configurable Jails: Fail2Ban uses a concept called "jails" to define which services to protect and how to handle suspicious activities. Each jail includes settings for monitoring specific log files, defining the number of allowed failures, and specifying the ban duration.
Customizable Actions: In addition to banning IP addresses, Fail2Ban can be configured to perform various actions, such as sending email notifications, executing custom scripts, or reporting incidents to security monitoring systems.
Extensible and Flexible: Fail2Ban comes with preconfigured jails for common services, but it is also highly extensible. Users can create custom jails and actions to suit their specific needs and security policies.
Protection for Multiple Services: Fail2Ban supports a wide range of services, including SSH, Apache, Nginx, MySQL, FTP, and more. This makes it a versatile tool for securing different aspects of a server's infrastructure.
Ban Time and Incremental Banning: Fail2Ban allows you to configure the duration of bans and can incrementally increase the ban time for repeated offenses, providing a more robust defense against persistent attackers.
Install and Configure Fail2Ban on Ubuntu
Step 1: Install Fail2Ban
First, update your package list:
sudo apt update
Then, install Fail2Ban:
sudo apt install fail2ban
Step 2: Basic Configuration
The main configuration file for Fail2Ban is /etc/fail2ban/jail.conf. Do not edit it directly: package upgrades overwrite it. Fail2Ban reads jail.conf first and then applies whatever is in /etc/fail2ban/jail.local and /etc/fail2ban/jail.d/*.conf on top of it, so your settings belong in those files. This tutorial copies the whole file to jail.local, which works, but a jail.local that contains only the sections and keys you actually change is easier to review and survives upgrades with fewer surprises. Create the copy:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the local configuration file for editing:
sudo nano /etc/fail2ban/jail.local
Step 3: Configuring Jails
Jails are the rules that define which log file to monitor, which filter (a set of regular expressions from /etc/fail2ban/filter.d/) to match against it, and what action to take on a match. The copied jail.local contains the same predefined jails for common services as jail.conf. On Ubuntu only the [sshd] jail is switched on out of the box, by the package's /etc/fail2ban/jail.d/defaults-debian.conf; you enable the others as needed.
For SSH protection, find the [sshd] section in the file and make sure it is enabled and configured like this:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
- enabled: Set to true to enable the jail. On Ubuntu this jail is already enabled by /etc/fail2ban/jail.d/defaults-debian.conf; setting it here makes that explicit.
- port: The port(s) the ban action blocks for this jail. ssh is resolved through /etc/services to 22; if sshd listens on another port, put that port number here.
- logpath: The log file to watch. %(sshd_log)s is a variable from /etc/fail2ban/paths-common.conf and paths-debian.conf and resolves to /var/log/auth.log on Ubuntu. Minimal Ubuntu 24.04 images do not install rsyslog, so that file may not exist and sshd logs only to the systemd journal; Fail2Ban then refuses to start ("Have not found any log file for sshd jail"). In that case add backend = systemd to the [sshd] section so the jail reads the journal directly.
- maxretry: Number of failures within findtime before the IP is banned.
Step 4: Setting Ban Times and Intervals
In the [DEFAULT] section you set the global values that every jail inherits unless it overrides them: ban time, find time, retry count and the notification action. Set ignoreip there as well (loopback plus the addresses you administer from); otherwise a few typos of your own password lock you out along with the attackers:
[DEFAULT]
# Ban duration. A bare number is seconds; the suffixes s, m, h, d and w are accepted (1h = 3600)
bantime = 1h
# Grow the ban for IPs that have been banned before (ban history lives in Fail2Ban's sqlite database)
bantime.increment = true
# Multiplier in the default growth formula: with 1h and 1.5 a second ban lasts 3h, a third 6h, then 12h ...
bantime.factor = 1.5
# Add up to this much random time so attackers cannot predict exactly when a ban lifts
bantime.rndtime = 10m
# Window in which maxretry failures must occur to trigger a ban
findtime = 10m
# Failures within findtime before an IP is banned
maxretry = 5
# Email notifications (need a working local MTA and, for action_mwl, the whois package)
destemail = your-email@example.com
sender = fail2ban@example.com
mta = sendmail
# Ban plus an email containing whois output for the IP and the matching log lines
action = %(action_mwl)s
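To see how maxretry, findtime and the bantime.* settings above interact, here is an added Python model of one jail's decision logic. It is example code written for this page, not Fail2Ban's own implementation: the failregex is a cut-down stand-in for the stock sshd filter, the auth.log lines are constructed (documentation address ranges, no real hosts), and bantime.rndtime is left out so the results are deterministic. Repeat-ban growth follows the default bantime.formula that jail.conf documents, applied to an IP's count of previous bans.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/auth.log (RFC 3339 timestamps, as Ubuntu's rsyslog writes them).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:00+00:00 web1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
2024-05-01T10:00:05+00:00 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-05-01T10:00:09+00:00 web1 sshd[2216]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-05-01T10:00:14+00:00 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-05-01T10:00:20+00:00 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-05-01T10:00:25+00:00 web1 sshd[2219]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-05-01T10:01:00+00:00 web1 sshd[2230]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
2024-05-01T10:05:00+00:00 web1 sshd[2231]: Failed password for deploy from 198.51.100.7 port 51001 ssh2
2024-05-01T10:09:00+00:00 web1 sshd[2232]: Failed password for deploy from 198.51.100.7 port 51002 ssh2
2024-05-01T10:13:00+00:00 web1 sshd[2233]: Failed password for deploy from 198.51.100.7 port 51003 ssh2
2024-05-01T11:10:00+00:00 web1 sshd[2300]: Failed password for invalid user oracle from 203.0.113.5 port 40100 ssh2
2024-05-01T11:10:03+00:00 web1 sshd[2301]: Failed password for invalid user oracle from 203.0.113.5 port 40101 ssh2
2024-05-01T11:10:06+00:00 web1 sshd[2302]: Failed password for invalid user test from 203.0.113.5 port 40102 ssh2
2024-05-01T11:10:09+00:00 web1 sshd[2303]: Failed password for invalid user test from 203.0.113.5 port 40103 ssh2
2024-05-01T11:10:12+00:00 web1 sshd[2304]: Failed password for root from 203.0.113.5 port 40104 ssh2
2024-05-01T14:20:00+00:00 web1 sshd[2400]: Failed password for root from 203.0.113.5 port 40200 ssh2
2024-05-01T14:20:02+00:00 web1 sshd[2401]: Failed password for root from 203.0.113.5 port 40201 ssh2
2024-05-01T14:20:04+00:00 web1 sshd[2402]: Failed password for root from 203.0.113.5 port 40202 ssh2
2024-05-01T14:20:06+00:00 web1 sshd[2403]: Failed password for root from 203.0.113.5 port 40203 ssh2
2024-05-01T14:20:08+00:00 web1 sshd[2404]: Failed password for root from 203.0.113.5 port 40204 ssh2
"""

# Cut-down stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf (the real filter
# has many more patterns and handles several log prefixes).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
TIMESTAMP = re.compile(r"^(?P<ts>\S+)\s")


def parse_duration(value):
    """Accept the shorthand jail.conf accepts for bantime/findtime: 600, 10m, 1h, 1d, 1w."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = str(value).strip()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


class Jail:
    """In-memory model of one jail: failure window, ban decision, incremental ban time."""

    def __init__(self, maxretry=5, findtime="10m", bantime="1h", factor=1.5):
        self.maxretry = maxretry
        self.findtime = parse_duration(findtime)
        self.bantime = parse_duration(bantime)
        self.factor = factor
        self.failures = defaultdict(list)  # ip -> timestamps of failures inside findtime
        self.ban_count = defaultdict(int)  # ip -> previous bans (Fail2Ban keeps this in sqlite)
        self.bans = []                     # (time, ip, seconds) decided so far

    def next_bantime(self, ip):
        """First ban: bantime. Repeats follow the default bantime.formula from jail.conf:
        ban.Time * (1 << (ban.Count if ban.Count < 20 else 20)) * banFactor."""
        count = self.ban_count[ip]
        if count == 0:
            return self.bantime
        return int(self.bantime * (1 << min(count, 20)) * self.factor)

    def process_line(self, line):
        """Return (time, ip, seconds) if this line triggers a ban, else None."""
        m = FAILREGEX.search(line)
        if not m:
            return None
        ts = datetime.fromisoformat(TIMESTAMP.match(line).group("ts")).timestamp()
        ip = m.group("ip")
        # Sliding window: only failures within findtime of this one still count.
        window = [t for t in self.failures[ip] if ts - t <= self.findtime]
        window.append(ts)
        if len(window) < self.maxretry:
            self.failures[ip] = window
            return None
        ban = (ts, ip, self.next_bantime(ip))
        self.ban_count[ip] += 1
        self.failures[ip] = []  # the counter starts over once the IP is banned
        self.bans.append(ban)
        return ban

    def process_log(self, text):
        return [b for b in map(self.process_line, text.splitlines()) if b]


def demo():
    """Run the page's [DEFAULT] values over the sample log; returns the bans decided."""
    return Jail(maxretry=5, findtime="10m", bantime="1h", factor=1.5).process_log(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    for ts, ip, seconds in demo():
        print(f"{datetime.fromtimestamp(ts, timezone.utc):%H:%M:%S} ban {ip} for {seconds}s")
```

Running it bans 203.0.113.5 three times, for 3600, 10800 and 21600 seconds: the first ban is the plain bantime, the later ones grow by the formula. 198.51.100.7 is never banned because its four failures are spread four minutes apart, so no 10-minute window ever holds five of them; lowering findtime or raising maxretry changes that decision, which is exactly the trade-off those two settings control.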
Step 5: Configuring Jails for Common Services
Here are examples of jails for other services. Only enable a jail for a service that is actually installed and writing to the file named in logpath: if that file does not exist, Fail2Ban fails to start. Where the service logs only to the systemd journal (the usual case on Ubuntu 24.04 without rsyslog), add backend = systemd to that jail. Two service-specific notes: MySQL only writes the access-denied lines that [mysqld-auth] matches if it is configured to log them (the comment above that jail in jail.conf asks for log-warnings = 2 in the [mysqld] section), and the Nginx and Apache jails shown here only catch HTTP basic-auth failures in the error log; application-level logins need their own filter.
SSH
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
HTTP/HTTPS (Nginx)
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
Apache
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/*error.log
maxretry = 3
FTP (vsftpd)
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/vsftpd.log
maxretry = 5
MySQL
[mysqld-auth]
enabled = true
port = 3306
logpath = /var/log/mysql/error.log
maxretry = 5
Postfix
[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/mail.log
maxretry = 3
Dovecot
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
logpath = /var/log/mail.log
maxretry = 5
Step 6: Custom Actions
Fail2Ban lets you define your own actions in /etc/fail2ban/action.d/. For plain "ban with iptables and email me" you do not need one: %(action_mwl)s from Step 4 already chains the stock iptables-multiport action with sendmail-whois-lines, and if the host is managed with ufw or nftables you should set banaction = ufw or banaction = nftables-multiport in [DEFAULT] rather than hand-write iptables commands. A custom action is for behaviour the stock ones lack, such as running your own script or reporting the ban to a monitoring system. As a worked example, the following action bans with iptables and sends a short notification from the same file.
Create the action file:
sudo nano /etc/fail2ban/action.d/iptables-multiport-email.conf
Add the following content. Each indented continuation line runs as a separate command; the <...> tags are filled in by Fail2Ban (name, ip and failures come from the jail, the rest are the [Init] defaults at the bottom or parameters passed from the jail); %% is how a literal % is written, because the parser uses % for interpolation:
[Definition]
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             iptables -F f2b-<name>
             iptables -X f2b-<name>
actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
            printf %%b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: <sender>\nTo: <dest>\n\n<ip> was banned after <failures> failures against the <name> jail.\n" | /usr/sbin/sendmail -f <sender> <dest>
actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
[Init]
chain = INPUT
protocol = tcp
blocktype = REJECT --reject-with icmp-port-unreachable
sender = fail2ban@example.com
dest = your-email@example.com
Reference the custom action in your jail.local. Fail2Ban only passes the jail name to an action automatically, so port and protocol are handed over explicitly, in the same form jail.conf uses for its own action_ definition. If actioncheck ever fails (for example after a firewall reload removed the chain), Fail2Ban re-runs actionstart before banning again.
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
action = iptables-multiport-email[port="%(port)s", protocol="%(protocol)s"]
Step 7: Email Notifications
You can configure Fail2Ban to send an email whenever an IP is banned. In the [DEFAULT] section, configure the mail settings:
destemail = your-email@example.com
sender = fail2ban@example.com
action = %(action_mwl)s
destemail: The address notifications are sent to.
sender: The From address Fail2Ban uses.
action: The action taken when an IP is banned. The three stock combinations are %(action_)s (ban only), %(action_mw)s (ban plus an email with whois output for the IP) and %(action_mwl)s (the same plus the log lines that triggered the ban). The mail variants need a working local MTA (mta = sendmail by default) and the whois package. Because action is set in [DEFAULT], every enabled jail sends mail, which gets noisy on an internet-facing SSH port; a common compromise is %(action_)s globally and %(action_mwl)s only in the jails where you want the detail.
Step 8: Restart Fail2Ban
After configuring the jails and settings, restart the Fail2Ban service to apply the changes. If the restart fails, the reason (typically a logpath that does not exist or a typo in a jail section) is recorded in /var/log/fail2ban.log:
sudo systemctl restart fail2ban
Ensure Fail2Ban is enabled to start at boot:
sudo systemctl enable fail2ban
Step 9: Monitoring Fail2Ban
You can monitor Fail2Ban's activity with fail2ban-client:
Check the overall status, which lists the jails that are running:
sudo fail2ban-client status
Check the status of a specific jail (e.g., sshd). The output shows the filter's current and total failure counts and the log file or journal it reads, followed by the action's current and total ban counts and the list of banned addresses:
sudo fail2ban-client status sshd
The same client can unban an address you locked out by mistake (the set <jail> unbanip subcommand), and /var/log/fail2ban.log records every match, ban and unban with a timestamp.
Conclusion
In this tutorial, we've seen how to install Fail2Ban on Ubuntu 24.04 server to protect against brute-force attacks. You can further customize jails for other services and fine-tune the settings to match your security needs. Regularly monitor the banned IPs and adjust the configuration as necessary to ensure optimal protection.