Fail2ban is an open-source security framework written in Python that protects servers against brute force attacks. It scans log files and bans IP addresses that conduct unsuccessful login attempts. It works by updating the firewall to reject new connections from those IP addresses for a configurable period of time.
By default, Fail2ban uses iptables, and it is possible to use it with other firewalls. Fail2ban supports both IPv4 and IPv6.
By default, Fail2ban is configured to monitor SSH login attempts, and it can also monitor other log files, such as those for Apache, vsftpd, and Postfix.
In this tutorial, I will walk you through how to install and configure fail2ban on Ubuntu 20.04.
Install Fail2ban on Ubuntu
To get started, open your terminal and update the package lists.
$ sudo apt update
Fail2Ban is already packaged with most Linux distributions. To install fail2ban using the APT package manager, run:
$ sudo apt install fail2ban
Once installed, verify if it is running by:
$ sudo systemctl status fail2ban
From the output, we can see that the fail2ban service is active and running as expected.
To check that the fail2ban process is running, type:
$ sudo ps -efww | egrep fail2ban
root 1310843 1 0 11:17 ? 00:00:02 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Great. Let's have an overview of the configuration files associated with Fail2ban and how to tweak the settings to either blacklist or whitelist IP addresses.
Overview of configuration files
Fail2ban's configuration files are located in the /etc/fail2ban directory.
The main configuration files are
Whatever you do, it is not recommended to modify these files directly, as there is a high chance of them being overwritten when the fail2ban package is updated.
Instead, the recommended way to configure Fail2ban is to create a copy of the jail.conf file as jail.local and define your own settings there. You do not have to include all the settings from the jail.conf file, only those that you wish to override.
So, let us first create the jail.local configuration file as follows.
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, using your favorite text editor, open the file. Here, I am using the vim editor.
$ sudo vim /etc/fail2ban/jail.local
Whitelisting IP addresses
Using the ignoreip directive, you can exclude IP addresses, ranges of IPs, or an entire subnet from being banned. This is where you add the IP addresses of the remote machines that you want to whitelist, or in simple terms, always allow access. Multiple IPs can be separated by spaces or commas.
For example, to whitelist the IP addresses 192.168.2.50 and 192.168.2.100, add them to the ignoreip line.
The ban conditions are defined by the following parameters:
bantime - This is the period during which a banned IP address is denied access and cannot reconnect to the server. By default, this is set to 10 min, but feel free to set it according to your preference.
findtime - This is the time window within which failed login attempts are counted before a ban is applied. By default, this is set to 10 min. This means that if failed SSH login attempts from an IP address reach the maxretry value within a period of 10 minutes, then that IP address will be banned.
maxretry - This is the maximum number of failed connection attempts before an IP is banned. By default, this is set to 5, which should be okay, but I'd prefer 3 to minimize being bombarded with connection attempts.
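As an added example (not code from the original tutorial or from the Fail2ban project), the following Python models how ignoreip, findtime and maxretry work together: it scans constructed sshd failure lines, skips whitelisted sources, and reports which IP addresses would be banned. The jail.local values in the comment are assumed for this example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed jail.local values this model mirrors (not the page's own file):
#   ignoreip = 127.0.0.1/8 192.168.2.50 192.168.2.100   findtime = 10m   maxretry = 3
IGNOREIP = ["127.0.0.1/8", "192.168.2.50", "192.168.2.100"]
FINDTIME = timedelta(minutes=10)
MAXRETRY = 3

# Constructed sshd failure lines in syslog style (sample data, not a real log).
SAMPLE_AUTH_LOG = """\
Apr 29 11:10:01 srv sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Apr 29 11:12:30 srv sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Apr 29 11:15:45 srv sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr 29 11:11:00 srv sshd[2004]: Failed password for root from 192.168.2.50 port 40000 ssh2
Apr 29 11:11:10 srv sshd[2005]: Failed password for root from 192.168.2.50 port 40001 ssh2
Apr 29 11:11:20 srv sshd[2006]: Failed password for root from 192.168.2.50 port 40002 ssh2
Apr 29 11:00:00 srv sshd[2007]: Failed password for root from 198.51.100.9 port 60000 ssh2
Apr 29 11:05:00 srv sshd[2008]: Failed password for root from 198.51.100.9 port 60001 ssh2
Apr 29 11:30:00 srv sshd[2009]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip matches an ignoreip entry (single address or CIDR range)."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in ignoreip)

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return {ip: time of ban} for sources reaching maxretry failures within findtime."""
    recent, bans = {}, {}  # recent: ip -> failure times still inside the sliding window
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a failed-login line; the real sshd filter matches more patterns
        ip = m["ip"]
        if ip in bans or is_ignored(ip, ignoreip):
            continue  # already banned, or whitelisted via ignoreip
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts  # the ban would then last for bantime from this point
    return bans
```

In the sample, 203.0.113.7 is banned on its third failure inside ten minutes, 192.168.2.50 is never banned because it is whitelisted, and 198.51.100.9 escapes because its failures are spread over more than findtime.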
Fail2ban possesses the ability to send email alerts once an IP address has been banned. To send and receive emails, you need to have an SMTP server installed and configured. To use the email notification feature, add the line below
action = %(action_mw)s
%(action_mw)s bans the suspicious IP address and sends an email to the admin with a detailed whois report. To include the relevant log messages as well, set the parameter to
Additionally, define the sending email address as well as the recipient.
Fail2ban's modus operandi uses the concept of jails. That is, if an offending IP address unsuccessfully tries to log in or access a service, it is placed in a 'jail' and cannot initiate a connection until the bantime elapses.
A jail, in simple terms, is a service with filters and actions. Fail2ban looks at the log entries and once matching log entries are identified and conditions met, the actions are implemented.
The SSH jail is usually enabled by default to put a leash on rogue SSH connections from suspicious IP addresses. To enable a jail for another service, simply add the enabled = true attribute under the jail heading. You can also provide ban settings as we saw earlier on.
Fail2ban provides a command-line tool for interacting with Fail2ban known as fail2ban-client. You can perform a myriad of tasks including banning and unbanning IP addresses.
To check the status of Fail2ban and see whether there are any banned IP or violated filters, run the command:
$ sudo fail2ban-client status sshd
The output confirms the presence of a banned (blacklisted) IP address after failed SSH login attempts; that IP address is currently in the sshd jail.
You can also filter the fail2ban.log file to list all banned IP addresses:
$ sudo zgrep 'Ban' /var/log/fail2ban.log*
2021-04-29 11:17:55,081 fail2ban.actions : NOTICE [sshd] Ban 220.127.116.11
2021-04-29 11:17:55,123 fail2ban.actions : NOTICE [sshd] Ban 18.104.22.168
2021-04-29 11:17:55,131 fail2ban.actions : NOTICE [sshd] Ban 22.214.171.124
2021-04-29 11:17:55,139 fail2ban.actions : NOTICE [sshd] Ban 126.96.36.199
2021-04-29 11:17:55,147 fail2ban.actions : NOTICE [sshd] Ban 188.8.131.52
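The grep above lists every Ban ever logged, including ones that have since expired. As an added example (not from the original article), this Python replays the Ban and Unban events from constructed fail2ban.log lines in the same format, with an Unban and a second jail added, to get the IPs currently banned per jail and a count of repeat offenders.

```python
import re
from collections import Counter

# Constructed fail2ban.log excerpt in the format shown above (sample data, not a real log).
SAMPLE_FAIL2BAN_LOG = """\
2021-04-29 11:17:55,081 fail2ban.actions : NOTICE [sshd] Ban 203.0.113.7
2021-04-29 11:17:55,123 fail2ban.actions : NOTICE [sshd] Ban 198.51.100.9
2021-04-29 11:20:02,004 fail2ban.actions : NOTICE [apache-auth] Ban 203.0.113.7
2021-04-29 11:27:55,090 fail2ban.actions : NOTICE [sshd] Unban 203.0.113.7
2021-04-29 11:31:40,210 fail2ban.actions : NOTICE [sshd] Ban 203.0.113.7
2021-04-29 11:32:00,000 fail2ban.filter : INFO [sshd] Found 192.0.2.44
"""

# Matches the jail name, the event type and the address at the end of a line.
EVENT_RE = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$")

def ban_state(log_text):
    """Replay Ban/Unban events; return (currently banned IPs per jail, Ban count per IP)."""
    banned = {}             # jail -> set of IPs banned right now
    ban_counts = Counter()  # ip -> number of Ban events, so repeat offenders stand out
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # "Found" and other INFO lines do not change ban state
        jail, ip = m["jail"], m["ip"]
        if m["event"] == "Ban":
            banned.setdefault(jail, set()).add(ip)
            ban_counts[ip] += 1
        else:
            banned.get(jail, set()).discard(ip)  # unbanned after bantime or via fail2ban-client
    return banned, ban_counts
```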
To unban the blacklisted IP address run the command:
$ sudo fail2ban-client set sshd unbanip 192.168.2.102
Now verify the status of Fail2ban again, and this time, the banned IP no longer registers.
To ban an IP address, type:
$ sudo fail2ban-client set sshd banip 192.168.2.102
For more command-line options, run the command:
$ fail2ban-client -h
Keep in mind that Fail2ban is not a substitute for firewalls and the other security measures used to protect your system. It is simply an added layer of protection against brute force attacks, especially those from automated bots and scripts. This concludes this tutorial on how to install and configure Fail2ban on Ubuntu 20.04.