Ubuntu – fail2ban

Installing fail2ban is simple. Log into your Ubuntu Server and update/upgrade. Do note that should the kernel be upgraded in this process, the server will have to be rebooted (so run this at a time when a reboot is viable). To update and upgrade the server, issue the following commands:

sudo apt-get update
sudo apt-get upgrade

Once the above commands complete, reboot the server (if necessary).

Installing fail2ban can be done with a single command:

sudo apt-get install -y fail2ban

When that command finishes, fail2ban is ready to go. You’ll want to start and enable the service with the commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configuring a jail

Next we’re going to configure a jail for SSH login attempts. In the /etc/fail2ban directory, you’ll find the jail.conf file. Do not edit this file. Instead, we’ll create a new file, jail.local, which will override any similar settings in jail.conf. Our new jail configuration will monitor /var/log/auth.log, use the fail2ban sshd filter, set the SSH port to 22, and set the maximum retry to 3. To do this, issue the command:

sudo nano /etc/fail2ban/jail.local

In this new file, paste the following contents:

enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save and close that file. Restart fail2ban with the command:

sudo systemctl restart fail2ban

At this point, if anyone attempts to log into your Ubuntu Server via SSH, and fails three times, they will be prevented from entry, by way of iptables blocking their IP Address.

Testing and unbanning

You can test to make sure the new jail works by failing three attempts at logging into the server, via ssh. After the third failed attempt, the connection will hang. Hit [Ctrl]+[c] to escape and then attempt to SSH back into the server. You should no longer be able to SSH into that server from the IP address you were using.

You can then unban your test IP address with the following command:

sudo fail2ban-client set sshd unbanip IP_ADDRESS

where IP_ADDRESS is the banned IP Address.

You should now be able to log back into the server with SSH.

Scratching the surface

This barely scratches the surface as to what fail2ban can do. But now you have a good idea on how to use the system. To find out more, make sure to read the man page with the command:

man fail2ban

That manual page provides a good overview of what fail2ban can do.


Similar Posts