Step 3: Installing fail2ban

Overview

This tutorial describes how to install and configure the fail2ban service on a Linux machine to prevent brute force attacks against your servers. Following the steps in this tutorial, you will be able to block some of the most common types of hacking attempts against any of your home computers you have opened up to the internet.

This tutorial is intended for people with minimal knowledge of computer networks and Linux. You should know how to open a Linux terminal on your server machines. The instructions in this tutorial cover all of the commands you must use and the files you must edit for a basic configuration. More detailed information can be found on the fail2ban.org website.

In this tutorial, you will learn:

  • How to install the fail2ban software on your Linux machine.
  • How to configure fail2ban to protect against SSH login attempts.
  • How to install the exim4 mail server on your Linux machine (this step is only required if you want fail2ban to send you email notifications).

This tutorial is written for a Debian based Linux (such as Ubuntu or Mint). For other types of Linux, you will have to adapt some of the install instructions.

Installing fail2ban

The fail2ban application is a service that runs on your Linux machine to prevent common hacking attacks. Fail2ban works by monitoring the log files of different services on your computer, and then taking action when suspicious activity is detected. The default action is to ban the attacking address for some period of time by inserting rules into the iptables firewall. You can also configure fail2ban to send you email notifications when attackers have been banned.

  1. Log into a terminal on the server machine. Become the root user:
$ sudo -i
  2. Install the fail2ban software:
$ sudo apt-get install fail2ban

Fail2ban can be customized to protect any service that writes activity to a log file. The default installation comes pre-configured to work with several standard Linux services such as SSH and the Apache web server. In this example, we will enable fail2ban to protect SSH logins.

You can edit the package configuration jail.conf file directly, but this will be overwritten when you update the package. The recommended way to configure fail2ban is to create a file called jail.local, and set your configuration in there. Anything in jail.local will override the defaults in jail.conf.

  1. Edit or create the local fail2ban jail file with your favorite text editor:
$ nano /etc/fail2ban/jail.local
  2. At the top of the file add the following text to create a default section:
[DEFAULT]
# Ban hosts for this many seconds (one day):
bantime = 86400
# ignore the local host (the whole 127.0.0.0/8 loopback range)
ignoreip = 127.0.0.1/8
# window in which maxretry failures must occur to trigger a ban
findtime  = 120s
# destination email address for notifications
destemail = someAddress@someDomain.com
# sender email address for notifications
sender = someAddress@someDomain.com
sendername = Fail2ban
mta = mail
# default ban action plus send mail with whois info and log lines
action = %(action_mwl)s
  3. Now we will create a jail for the ssh service. You can copy and paste jail definitions from the package jail.conf file. Add this jail to your jail.local to protect ssh connections:
[sshd]
# enable this jail
enabled = true
# port for your ssh - you should not be using the default on a public server
port = 22
# filter file to use (/etc/fail2ban/filter.d/sshd.conf)
filter = sshd
# path to the log file the filter is applied to
logpath = /var/log/auth.log
# max retries before getting banned
maxretry = 3
  4. Save the file and exit the text editor.
  5. Restart fail2ban for the change to take effect:
$ service fail2ban restart
  6. Check the configuration:
$ fail2ban-client status sshd

It should output something like:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 1
   `- Banned IP list:
  7. To test the configuration, try logging into SSH three times with the wrong password. After your fourth attempt, you will find that your connection attempts are refused.
  8. To unban an IP address, issue the following command with the address that was banned:
$ fail2ban-client set sshd unbanip 11.12.13.14

Monitoring fail2ban Activity

You can check the status of a jail any time with the command:

$ fail2ban-client status <jailname>

You can check the fail2ban logs at any time:

$ sudo nano /var/log/fail2ban.log

Fail2ban works by applying a regular-expression filter to the specified log file. The filter definitions are in /etc/fail2ban/filter.d. You can manually check what the fail2ban filter matches by running the regular expression filter over the log file. For example, to check the sshd jail's matches:

$ fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
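
To see how the filter and the jail settings above (findtime, maxretry, bantime, ignoreip) combine into a ban decision, here is an added Python example that is not part of this tutorial or of fail2ban itself: it applies a simplified sshd failregex to constructed auth.log lines and reports which addresses the sshd jail would ban. FAILREGEX, SAMPLE_LOG and scan are names assumed for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd failregex; the real one in
# /etc/fail2ban/filter.d/sshd.conf matches many more message forms.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
IGNORE_NETS = [ipaddress.ip_network("127.0.0.1/8", strict=False)]  # mirrors ignoreip in jail.local

# Constructed auth.log lines (documentation-range addresses, not real hosts)
SAMPLE_LOG = [
    "Mar 10 14:00:00 srv sshd[1001]: Failed password for root from 198.51.100.7 port 4001 ssh2",
    "Mar 10 14:10:00 srv sshd[1002]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "Mar 10 14:20:00 srv sshd[1003]: Failed password for root from 198.51.100.7 port 4003 ssh2",
    "Mar 10 14:22:01 srv sshd[1010]: Failed password for admin from 203.0.113.5 port 5001 ssh2",
    "Mar 10 14:22:05 srv sshd[1011]: Accepted publickey for alice from 192.0.2.9 port 6001 ssh2",
    "Mar 10 14:22:10 srv sshd[1012]: Failed password for invalid user test from 203.0.113.5 port 5002 ssh2",
    "Mar 10 14:22:30 srv sshd[1013]: Failed password for root from 203.0.113.5 port 5003 ssh2",
    "Mar 10 14:23:00 srv sshd[1020]: Failed password for root from 127.0.0.1 port 7001 ssh2",
    "Mar 10 14:23:01 srv sshd[1021]: Failed password for root from 127.0.0.1 port 7002 ssh2",
    "Mar 10 14:23:02 srv sshd[1022]: Failed password for root from 127.0.0.1 port 7003 ssh2",
]

def parse_ts(line):
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def scan(lines, maxretry=3, findtime=120, bantime=86400):
    """Return {ip: unban_time} for addresses with maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # line does not match the filter, e.g. a successful login
        ip = m.group("ip")
        if ip in banned or any(ipaddress.ip_address(ip) in net for net in IGNORE_NETS):
            continue
        ts = parse_ts(line)
        window = recent[ip]
        window.append(ts)
        # forget failures older than findtime, as fail2ban's findtime window does
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
    return banned
```

With the tutorial's settings only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but ten minutes apart, so its failures never fit inside the 120 second findtime window, and the loopback failures are skipped by ignoreip.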

References and Additional Reading