Install and configure fail2ban on ubuntu server
Protect Your Server from Brute-Force Attacks with Fail2ban (Ubuntu server 22:04)
Introduction
Fail2ban is a Python-based program that scans log files and bans IP addresses that cause too many failed login attempts. It supports many standard log files, such as sshd and Apache, and can be easily configured to read any log file of your choosing. Fail2ban is an open-source intrusion prevention software framework that is designed to prevent brute-force attacks . It is written in Python and can run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper .
The purpose of Fail2ban is to protect your Linux server from brute-force attacks. It does this by monitoring log files like /var/log/auth.log and banning IP addresses that conduct too many failed login attempts . This helps to prevent unauthorized access to your server and keep it secure.
How Fail2ban works :
how Fail2ban works to protect services on a Linux server ?
- Fail2ban is designed to monitor the logs of common services to spot patterns in authentication failures.
- When Fail2ban is configured to monitor the logs of a service, it looks at a filter that has been configured specific to that service.
- The filter is designed to identify authentication failures for that specific service through the use of complex regular expressions.
- Regular expressions are a common templating language used for pattern matching. It defines these regular expression patterns into an internal variable called failregex.
- By default, Fail2ban includes filter files for common services.
- When a log from any service, like a web server, matches the failregex in its filter, a predefined action is executed for that service.
For example, if Fail2ban is configured to monitor the logs of the SSH service, it will look for authentication failures in the /var/log/auth.
log file. If it detects a certain number of failed login attempts from the same IP address within a specified time period, it will automatically add a temporary firewall rule to block further access from that IP address. This helps to prevent brute-force attacks and unauthorized access to your server.
How to install Fail2ban:
In this lab we will use ubuntu server 22:04 as OS then we will install Fail2ban to secure services in this server.
step1 - install Fail2ban :
update the server then start the installation :
1
2
sudo apt update
sudo apt install fail2ban
Fail2ban will start installation automatically in background after the complet installation start the following command to check the fail2ban services
1
systemctl status fail2ban.service
step2 - configure Fail2ban :
access to the fail2ban folder and create a copy of the file jail.conf
1
2
3
cd /etc/fail2ban
sudo cp jail.conf jail.local
sudo nano jail.local
Ignore the local IP Addresses and set the bantime to to 600 min:
1
2
ignoreip = 127.0.0.1/8
bantime = 600
Set the Ban Action to the default firewall in Linux UFW :
1
2
[DEFAULT]
banaction = ufw
Specify the email addresses for sending notifications to sysadmin:
1
2
3
[DEFAULT]
destemail = admin@example.com
sender = fail2ban@example.com
Configure parameters related to log rotation. This example sets the maximum number of retries to 3, the findtime (time window to look for retries) to 600 seconds.
1
2
3
[DEFAULT]
maxretry = 3
findtime = 600
Enable Jails for ssh:
1
2
[sshd]
enabled = true
Enable or disable specific jails based on your needs. In this example, the SSH jail is enabled (enabled = true). Adjust Jail Parameters:
1
2
3
4
5
6
[sshd]
enabled = true
port = ssh
filter = my-custom-filter
logpath = /var/log/auth.log
maxretry = 5
demo :
In this demo, we will attempt to simulate a brute-force attack on the SSH service of the Ubuntu server by trying a password three times
Then the fail2ban block this ip address
To display the blocked address try this command in the server
1
sudo fail2ban-client status sshd
To unban the blocked address
1
sudo fail2ban-client unban 192.168.66.1
Example Configurations for Fail2Ban Custom Filters
To create your own filters, read this article.