Install and Configure Fail2ban on Ubuntu 20.04

Fail2ban is an open-source security framework written in Python that protects servers against brute-force attacks. It scans log files and bans IP addresses that make repeated unsuccessful login attempts, updating the firewall to reject new connections from those addresses for a configurable period of time.

By default, Fail2ban uses iptables, but it can also be used with other firewalls. Fail2ban supports both IPv4 and IPv6.

Out of the box, Fail2ban is configured to monitor SSH login attempts, and it can also monitor the log files of other services such as Apache, vsftpd, and Postfix.

In this tutorial, I will walk you through how to install and configure fail2ban on Ubuntu 20.04.

Install Fail2ban on Ubuntu

To get started, open your terminal and update the package lists.

$ sudo apt update

Fail2ban is packaged with most Linux distributions. To install it using the APT package manager, run:

$ sudo apt install fail2ban

Once installed, verify that the service is running:

$ sudo systemctl status fail2ban

From the output, we can see that the fail2ban service is active and running as expected.


To check that the fail2ban process is running, type:

$ sudo ps -efww | egrep fail2ban

Output:

root     1310843       1  0 11:17 ?        00:00:02 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Great. Let's have an overview of the configuration files associated with Fail2ban and how to tweak the settings to either blacklist or whitelist IP addresses.

Overview of configuration files

Fail2ban's configuration files are located in the /etc/fail2ban directory.


The main configuration files are /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

It is not recommended to modify these files directly, as there is a high chance of them being overwritten when the fail2ban package is updated.

Instead, the recommended way to configure Fail2ban is to copy jail.conf to jail.local and define your own settings there. You do not have to include all the settings from jail.conf, only those that you wish to override.

So, let us first create the jail.local configuration file as follows.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, using your favorite text editor, open the file. Here, I am using the vim editor.

$ sudo vim /etc/fail2ban/jail.local

Whitelisting IP addresses

Using the ignoreip directive, you can exclude individual IP addresses, IP ranges, or an entire subnet from being banned. This is where you add the addresses of the remote machines that you want to whitelist, that is, always allow access. Multiple entries can be separated by spaces or commas.

For example, to whitelist the IP addresses 192.168.2.50 and 192.168.2.100, add both to the ignoreip line.

Ban settings

The ban conditions are defined by the following parameters:

  1. bantime
  2. findtime
  3. maxretry

bantime - This is the period for which an IP address is banned, i.e. denied access when it attempts to reconnect to the server. By default, this is set to 10 minutes, but feel free to set it according to your preference.

findtime - This is the window of time within which failed login attempts are counted before a ban is applied. By default, this is set to 10 minutes. What this means is that if failed SSH logins from one address reach the maxretry value within a period of 10 minutes, the IP you are connecting from will be banned.

maxretry - This represents the maximum number of failed connection attempts before an IP is banned. By default, this is set to 5 attempts, which should be okay, but I'd prefer 3 to minimize being bombarded with connection attempts.

Email notifications

Fail2ban can send email alerts once an IP address has been banned. To send and receive these emails, you need to have an SMTP server installed and configured on the host. To enable the email notification feature, add the line below:

action = %(action_mw)s

The %(action_mw)s action bans the suspicious IP address and sends an email to the admin with a detailed whois report. To include the matching log messages in the email as well, set the action to %(action_mwl)s instead.

Additionally, define the sending email address as well as the recipient address in the same file.

Fail2ban jails

Fail2ban's modus operandi uses the concept of jails: if an offending IP address repeatedly fails to log in to or access a service, it is placed in a 'jail' and cannot initiate a connection until the bantime elapses.

A jail, in simple terms, is a service together with its filters and actions. Fail2ban watches the log entries, and once matching entries are identified and the ban conditions are met, the actions are executed.

The SSH jail is usually enabled by default to put a leash on rogue SSH connections from suspicious IP addresses. To enable a jail for another service, simply add enabled = true under that jail's heading. You can also provide per-jail ban settings, as we saw earlier.
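The settings from the whitelisting, ban settings, email notification and jails sections above, rendered into a jail.local by a small added script (not part of this tutorial). It stages the file in a scratch directory so you can review it before copying it to /etc/fail2ban; OUT_DIR, ALLOW_IPS, ADMIN_EMAIL and SENDER are names assumed here, and the e-mail addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): render a jail.local that
# overrides only the settings discussed above, staged in OUT_DIR for review
# before copying it to /etc/fail2ban. OUT_DIR, ALLOW_IPS, ADMIN_EMAIL and
# SENDER are names assumed by this script; the e-mail addresses are placeholders.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
ALLOW_IPS="${ALLOW_IPS:-192.168.2.50 192.168.2.100}"   # never banned
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@example.com}"
SENDER="${SENDER:-fail2ban@example.com}"

# Loopback stays whitelisted so local monitoring cannot get the host banned
# from its own services; bantime/findtime accept the 10m suffix, maxretry
# is a count of failures (the tutorial's preferred 3, not the default 5).
write_jail_local() {
    cat > "$OUT_DIR/jail.local" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $ALLOW_IPS
bantime  = 10m
findtime = 10m
maxretry = 3
# ban, then e-mail a whois report; action_mwl also attaches the log lines
action = %(action_mw)s
destemail = $ADMIN_EMAIL
sender = $SENDER

[sshd]
enabled = true
EOF
    printf '%s\n' "$OUT_DIR/jail.local"
}

# jail_value KEY [SECTION]: read a setting back from the rendered file,
# so a script can verify what it is about to install. Defaults to [DEFAULT].
jail_value() {
    awk -v key="$1" -v sec="[${2:-DEFAULT}]" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key { sub(/^[^=]*= */, ""); print; exit }
    ' "$OUT_DIR/jail.local"
}

write_jail_local
jail_value maxretry        # prints 3
jail_value enabled sshd    # prints true
```

After reviewing the staged file, install it with sudo cp to /etc/fail2ban/jail.local and restart the service.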

Fail2ban client

Fail2ban provides a command-line tool, fail2ban-client, for interacting with the running service. You can perform a myriad of tasks with it, including banning and unbanning IP addresses.

To check the status of the sshd jail and see whether there are any banned IPs or matched filters, run the command:

$ sudo fail2ban-client status sshd

The output below confirms the presence of a banned or blacklisted IP address after failed SSH login attempts. The IP address is currently in the SSH jail.


You can also filter the fail2ban.log file (including its rotated copies) to list all banned IP addresses:

$ sudo zgrep 'Ban' /var/log/fail2ban.log*

Output:

2021-04-29 11:17:55,081 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 117.221.69.37
2021-04-29 11:17:55,123 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 49.233.251.133
2021-04-29 11:17:55,131 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 106.52.93.202
2021-04-29 11:17:55,139 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 222.187.232.205
2021-04-29 11:17:55,147 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 222.187.239.107
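An added shell example (not from the original tutorial) that goes one step beyond the zgrep above: it reads fail2ban.log and its gzip-rotated copies, counts bans per jail and source IP, and lists repeat offenders. The log lines are constructed for the example, using documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise ban events per
# jail and source IP across fail2ban.log and its rotated copies, using the
# line layout shown above. The sample lines below are constructed, with
# documentation-range addresses, not real bans.
set -eu

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021-04-29 11:17:55,081 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 192.0.2.10
2021-04-29 11:18:02,200 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 192.0.2.11
2021-04-29 11:27:55,090 fail2ban.actions        [1310843]: NOTICE  [sshd] Unban 192.0.2.10
2021-04-29 11:40:01,000 fail2ban.actions        [1310843]: NOTICE  [sshd] Ban 192.0.2.10
2021-04-29 11:41:10,000 fail2ban.actions        [1310843]: NOTICE  [apache-auth] Ban 192.0.2.12
2021-04-29 11:50:00,000 fail2ban.actions        [1310843]: NOTICE  [sshd] Restore Ban 192.0.2.13
EOF

# cat_logs FILE...: stream plain and gzip-rotated logs alike.
cat_logs() {
    for f in "$@"; do
        case "$f" in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done
}

# ban_counts FILE...: print "<count> <jail> <ip>", most-banned first.
# The pattern anchors on "] Ban ", so "Restore Ban" lines written when the
# service restarts are not counted as new offences (a bare 'Ban' matches them).
ban_counts() {
    cat_logs "$@" | grep 'NOTICE *\[[^]]*] Ban ' \
      | awk '{ jail = $(NF-2); gsub(/[][]/, "", jail); n[jail " " $NF]++ }
             END { for (k in n) print n[k], k }' \
      | sort -k1,1nr -k2,2 -k3,3
}

# repeat_offenders FILE...: IPs banned more than once in the same jail.
# Coming back after the 10-minute bantime suggests a longer ban for them
# (fail2ban ships a "recidive" jail for exactly this case).
repeat_offenders() {
    ban_counts "$@" | awk '$1 > 1 { print $3 }' | sort -u
}

ban_counts "$SAMPLE_LOG"
repeat_offenders "$SAMPLE_LOG"   # prints 192.0.2.10
```

On a real host, call the functions with /var/log/fail2ban.log* instead of the sample file.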

To unban a blacklisted IP address, run the command:

$ sudo fail2ban-client set sshd unbanip 192.168.2.102

Now verify the status of the jail again; this time, the banned IP no longer appears.


To ban an IP address manually, type:

$ sudo fail2ban-client set sshd banip 192.168.2.102

For more command-line options, run the command:

$ fail2ban-client -h

Conclusion

Keep in mind that Fail2ban is not a substitute for firewalls and the other security measures used to protect your system. It is simply an added layer that gives your server extra protection against brute-force attacks, especially from automated bots and scripts. This concludes this tutorial on how to install and configure Fail2ban on Ubuntu 20.04.
