How to Install Fail2ban on Ubuntu 20.04

Fail2ban helps protect your server from bad bots and attackers. It is an intrusion prevention framework that reads the access and error logs of your server and its applications and, when it sees repeated failures from one IP address (failed logins, probes for URLs that do not exist, abusive user agents, and so on), blocks that address at the firewall for a period of time. That is what makes it effective against brute-force attacks, bad user agents, URL scanners and much more.

Install Fail2ban

We will start by making sure we are updated.

$ sudo apt-get update && sudo apt-get upgrade -y

Now we will install Fail2ban:

$ sudo apt install fail2ban -y

Once it has completed, let's check to see if it is running:

$ sudo systemctl status fail2ban

We should see something like the following output:

fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-01-19 15:46:02 UTC; 9s ago
       Docs: man:fail2ban(1)
   Main PID: 9713 (f2b/server)
      Tasks: 5 (limit: 9490)
     Memory: 12.8M
     CGroup: /system.slice/fail2ban.service
             └─9713 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jan 19 15:46:02 www systemd[1]: Starting Fail2Ban Service...
Jan 19 15:46:02 www systemd[1]: Started Fail2Ban Service.
Jan 19 15:46:02 www fail2ban-server[9713]: Server ready

Next we will make sure it starts automatically whenever our server boots (the Ubuntu package already does this, as the "enabled" in the status output shows, but it does no harm to be explicit):

$ sudo systemctl start fail2ban && sudo systemctl enable fail2ban

Keep in mind that if you ever need to stop the service you can use sudo systemctl stop fail2ban, and if you want to disable it completely so it no longer starts at boot you can use sudo systemctl disable fail2ban. Stopping it also removes the firewall rules it added, so every currently banned address gets back in immediately.

Configuring Fail2ban

Now we can do some setup and configuration. Fail2ban's jail settings live in /etc/fail2ban/jail.conf plus the Ubuntu drop-in /etc/fail2ban/jail.d/defaults-debian.conf (which is what enables the sshd jail out of the box). Do not modify these files, because package updates can replace them. Instead, we make our own configuration files that end with .local. Fail2ban never overwrites those, and it reads them after the .conf files (the order is jail.conf, jail.d/*.conf, jail.local, jail.d/*.local), so whatever a .local file sets takes precedence over the same setting in a .conf file.

So let's copy the default configuration file to a .local file. Copying the whole file is convenient because every option is in front of you together with its comments; the alternative, which keeps your changes easier to review later, is a jail.local that contains only the settings you actually change:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we will configure the file we just created:

$ sudo nano /etc/fail2ban/jail.local

Bantime Increment

When the failure threshold is met, an IP address is banned from making further attempts. But suppose you set the ban time to 5 minutes: the attacker can simply come back every 5 minutes. Because of this, we can make the ban time grow for anyone who gets banned repeatedly, by applying a multiplier each time the same address is banned again. Fail2ban remembers past bans in its SQLite database (/var/lib/fail2ban/fail2ban.sqlite3 by default), so the count survives a restart. This feature needs Fail2ban 0.11 or newer, which is what Ubuntu 20.04 ships. To enable it, find this line in the file:

#bantime.increment = true

and uncomment it:

bantime.increment = true

Now find this line:

#bantime.multipliers = 1 2 4 8 16 32 64

and uncomment it:

bantime.multipliers = 1 2 4 8 16 32 64

With these settings the first ban lasts bantime, the second 2x bantime, the third 4x, and so on up to 64x, after which the last multiplier keeps being used. This helps stop the smarter bots that wait out a fixed ban and then return.

Whitelist IPs

If you have a static IP address, you may wish to whitelist it so that it is never subject to Fail2ban jails. Do this before you tighten the settings below: locking your own address out of SSH is the classic Fail2ban mistake.

Find this line:

#ignoreip = 127.0.0.1/8 ::1

and uncomment it and add your IP address (where 000.000.000.000 should be replaced with your IP):

ignoreip = 127.0.0.1/8 ::1 000.000.000.000

If you want to whitelist multiple addresses, separate them with a space. CIDR ranges such as 203.0.113.0/24 are accepted as well. Keep the list short: anything listed here can brute-force the server without ever being banned.

Default Ban Time

By default, Fail2ban allows 5 failed attempts within a 10-minute period before an IP address is banned. It is then banned for 10 minutes. You can change this default by editing the following lines in the [DEFAULT] section:

bantime  = 10m
findtime  = 10m
maxretry = 5

findtime is the window in which failures are counted: an IP address is banned as soon as maxretry failures fall inside any findtime-long window. In other words, if you make 4 attempts within 10 minutes and then another in the eleventh minute, you are not banned if the first attempt has by then dropped out of the window, because only 4 remain inside it. But if you make 5 attempts within any 10-minute period, you get banned. You can set these however you like. The knobs pull in these directions: a longer bantime keeps an offender out longer, a lower maxretry tolerates fewer failures, and a longer findtime catches slower attackers (with a short findtime, an attacker who paces attempts far enough apart is never banned at all). Here is a suggested setting that raises the ban to an hour:

bantime  = 60m
findtime  = 5m
maxretry = 5

In this case, you get banned for 60 minutes if you make 5 failed attempts within a 5-minute period. Note that the shorter findtime gives up some coverage of slow attackers in exchange for fewer bans of legitimate users who mistype a password a few times over a quarter of an hour; with bantime.increment enabled above, repeat offenders still see their ban climb quickly.
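To see how the Bantime Increment, Whitelist IPs and Default Ban Time settings above interact on concrete timings, here is a small simulation. It is an added example written for this guide, not Fail2ban's own code: it re-implements the documented sliding-window rule and the multiplier schedule and replays them over a handful of constructed sshd lines in the /var/log/auth.log format. The regex (which matches only the plain "Failed password" message, far less than Fail2ban's real sshd filter), the year assumed for the syslog timestamps, and the IP addresses are all assumptions made for the example.

```python
"""Sliding-window model of Fail2ban's findtime / maxretry / bantime.increment.

Added example, not Fail2ban's own code: it re-implements the documented rule
(ban when `maxretry` failures fall inside any `findtime` window; with
bantime.increment the n-th ban lasts bantime * multipliers[n-1]). All log
lines are constructed; the year is assumed because syslog lines carry none.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR, T0 = 2022, datetime(2022, 1, 19, 15, 0, 0)

# Only the plain 'Failed password' form; Fail2ban's real sshd filter matches more.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def burst(ip, start, n=5, step=10, user="root"):
    """Constructed auth.log lines: n failures from ip, `step` seconds apart."""
    return [
        f"{start + timedelta(seconds=step * i):%b %d %H:%M:%S} www sshd[{2000 + i}]: "
        f"Failed password for {user} from {ip} port {41000 + i} ssh2"
        for i in range(n)
    ]


# Slow attacker 203.0.113.5: four failures in six minutes, a fifth at minute 11
# (a 10m window then holds only four), a sixth at minute 12 (now five in window).
SLOW = [
    "Jan 19 15:00:00 www sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Jan 19 15:03:00 www sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Jan 19 15:04:00 www sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2",
    "Jan 19 15:06:00 www sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Jan 19 15:11:00 www sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Jan 19 15:12:00 www sshd[1006]: Failed password for root from 203.0.113.5 port 40006 ssh2",
    "Jan 19 15:15:00 www sshd[1007]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2",
]
# Fast attacker 198.51.100.7: three bursts, each after the previous ban expired,
# plus one attempt while banned. Admin 192.0.2.10 fails five times but is whitelisted.
SAMPLE_AUTH_LOG = "\n".join(
    SLOW
    + burst("198.51.100.7", T0 + timedelta(minutes=20))
    + burst("198.51.100.7", T0 + timedelta(minutes=25), n=1)
    + burst("198.51.100.7", T0 + timedelta(minutes=40))
    + burst("192.0.2.10", T0 + timedelta(minutes=50), user="deploy")
    + burst("198.51.100.7", T0 + timedelta(minutes=65))
)


def parse_failures(log_text, year=YEAR):
    """Return [(datetime, ip)] for every sshd 'Failed password' line, in file order."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd lines (Accepted, Connection closed, ...) are ignored
            out.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return out


def simulate(failures, findtime=600, maxretry=5, bantime=600, increment=False,
             multipliers=(1, 2, 4, 8, 16, 32, 64), ignoreip=frozenset()):
    """Return [(ban_start, ip, ban_seconds)]; findtime/bantime are seconds as in jail.conf.

    Failures from a currently banned address are skipped (the firewall rule keeps them
    from reaching sshd); the counter resets on ban; the last multiplier is reused.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)     # ip -> failure times still inside the window
    banned_until = {}              # ip -> expiry of the current ban
    ban_count = defaultdict(int)   # ip -> bans issued so far (selects the multiplier)
    events = []
    for ts, ip in sorted(failures, key=lambda f: f[0]):
        if ip in ignoreip or ts < banned_until.get(ip, ts):
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            n = ban_count[ip]
            factor = multipliers[min(n, len(multipliers) - 1)] if increment else 1
            length = bantime * factor
            ban_count[ip] = n + 1
            banned_until[ip] = ts + timedelta(seconds=length)
            recent[ip] = []
            events.append((ts, ip, length))
    return events


def ban_schedule(events):
    """ip -> ban lengths in minutes, in the order they were applied."""
    sched = defaultdict(list)
    for _, ip, length in events:
        sched[ip].append(length // 60)
    return dict(sched)


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    print("defaults:        ", ban_schedule(simulate(fails)))
    print("increment+ignore:", ban_schedule(simulate(fails, increment=True,
                                                     ignoreip={"127.0.0.1", "192.0.2.10"})))
    print("findtime=5m:     ", ban_schedule(simulate(fails, findtime=300)))
```

Run it and compare the three schedules: the slow attacker's fifth failure at minute 11 is not enough under a 10-minute window and is never enough under a 5-minute one, the whitelisted admin is never banned no matter how many times the password is mistyped, and with bantime.increment the fast attacker's third ban lasts 40 minutes instead of 10. To check how your real filter scores a real log, use fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which ships with Fail2ban.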

Jails

There are different jail settings for different services. Each jail pairs a filter (the regexes in /etc/fail2ban/filter.d/) with the log file it reads, and any value you set inside a jail section overrides the [DEFAULT] value for that jail only. Here are some examples to change:

[sshd]

Add the following just under [sshd] (the Ubuntu drop-in jail.d/defaults-debian.conf already enables this jail, so the enabled line is harmless repetition; the bantime here overrides the global value for SSH only):

enabled   = true
bantime = 1h

The next two jails cover alternative SSH setups, so enable them only if you actually run them: [dropbear] is for the Dropbear SSH server rather than OpenSSH, and [selinux-ssh] reads /var/log/audit/audit.log, which exists only with auditd on an SELinux system (stock Ubuntu uses AppArmor). A jail whose log file does not exist fails to start and logs an error.

[dropbear]

Add

enabled = true

[selinux-ssh]

Add

enabled = true

[apache-badbots]

Add

enabled = true

[apache-noscript]

Add

enabled = true
bantime = 1d
maxretry = 3

Finally add

enabled = true

to the following sections.

[apache-overflows]

[apache-botsearch]

[apache-fakegooglebot]

Note: the Apache jails read /var/log/apache2/*error.log and /var/log/apache2/*access.log, so they only make sense on a host that actually runs Apache2 (for nginx there are nginx-* jails instead). Go through the rest of the config and see if there are other services you need to protect. In these examples, we are focusing on SSH and the Apache2 webserver.

Now save the file by hitting [CTRL-X] then Y, then [ENTER]

Finally, restart Fail2ban to get it all up and running:

$ sudo systemctl restart fail2ban

Then confirm that every jail you enabled actually came up: sudo fail2ban-client status lists the running jails, and sudo fail2ban-client status sshd shows one jail's failure and ban counters. A jail missing from the list failed to start, and /var/log/fail2ban.log says why (usually a log file that does not exist on this host).

Fail2ban Commands to Know:

Ban an IP address (the jail name is required because bans are kept per jail; pick the jail whose ban action you want applied):

$ sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address (again per jail, so an address banned by several jails must be unbanned from each):

$ sudo fail2ban-client set apache-botsearch unbanip <ip address>

Get help on using Fail2ban:

$ sudo fail2ban-client -h

View the Fail2ban log live:

$ sudo tail -f /var/log/fail2ban.log
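For more than a live tail, here is a short summariser, added to this guide and not part of Fail2ban, that reads the Ban, Unban and Restore Ban lines the fail2ban.actions logger writes in the default log format and reports bans per jail, the addresses still banned at the end of the log, and addresses banned more than once. The sample lines are constructed; "Restore Ban" is what Fail2ban 0.11 logs when it re-applies a ban kept in its database across a restart.

```python
"""Summarise /var/log/fail2ban.log: bans per jail, still-banned IPs, repeat offenders.

Added example, not part of Fail2ban. It reads the Ban / Unban / Restore Ban
lines that the fail2ban.actions logger writes in the default log format
(asctime, logger name padded to 24 columns, [pid], level, message). The
sample lines below are constructed.
"""
import re
import sys
from collections import Counter, defaultdict

SAMPLE_FAIL2BAN_LOG = """\
2022-01-19 15:46:02,512 fail2ban.jail           [9713]: INFO    Jail 'sshd' started
2022-01-19 15:46:02,530 fail2ban.actions        [9713]: NOTICE  [sshd] Restore Ban 203.0.113.9
2022-01-19 15:50:11,001 fail2ban.filter         [9713]: INFO    [sshd] Found 203.0.113.5 - 2022-01-19 15:50:10
2022-01-19 15:50:41,120 fail2ban.actions        [9713]: NOTICE  [sshd] Ban 203.0.113.5
2022-01-19 15:52:03,455 fail2ban.actions        [9713]: NOTICE  [apache-botsearch] Ban 198.51.100.7
2022-01-19 16:00:41,300 fail2ban.actions        [9713]: NOTICE  [sshd] Unban 203.0.113.5
2022-01-19 16:03:00,000 fail2ban.actions        [9713]: NOTICE  [sshd] Ban 203.0.113.5
2022-01-19 16:10:00,000 fail2ban.actions        [9713]: NOTICE  [apache-badbots] Ban 203.0.113.5
"""

# "Restore Ban" is a ban re-applied from the database after a restart: it counts
# as an active ban but not as a fresh offence.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[\w-]+)\] (?P<action>Restore Ban|Ban|Unban) (?P<ip>\S+)$"
)


def parse_actions(log_text):
    """Return [(timestamp, jail, action, ip)] for every ban-related line, in order."""
    return [
        (m["ts"], m["jail"], m["action"], m["ip"])
        for m in map(ACTION_RE.match, log_text.splitlines()) if m
    ]


def summarize(events):
    """Per jail: how many bans were applied and which addresses are still banned."""
    summary = defaultdict(lambda: {"bans": 0, "active": set()})
    for _, jail, action, ip in events:
        if action == "Unban":
            summary[jail]["active"].discard(ip)
        else:
            summary[jail]["bans"] += 1
            summary[jail]["active"].add(ip)
    return dict(summary)


def repeat_offenders(events, min_bans=2):
    """Addresses freshly banned at least min_bans times, across all jails."""
    counts = Counter(ip for _, _, action, ip in events if action == "Ban")
    return {ip: n for ip, n in counts.items() if n >= min_bans}


if __name__ == "__main__":
    # `python3 f2bsummary.py < /var/log/fail2ban.log` reads the real log (file name
    # is just a suggestion); with no redirection the constructed sample is used.
    text = SAMPLE_FAIL2BAN_LOG if sys.stdin.isatty() else sys.stdin.read()
    events = parse_actions(text)
    for jail, info in sorted(summarize(events).items()):
        print(f"{jail:20} bans={info['bans']:3} active={sorted(info['active'])}")
    print("repeat offenders:", repeat_offenders(events))
```

Addresses that keep showing up in repeat_offenders across several jails are the ones worth a longer manual ban or a firewall rule of their own; the log is rotated by logrotate, so feed in the rotated files too if you want history older than the current file.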
