Protect a server with Fail2Ban

Fail2Ban Overview

Fail2Ban is a useful tool that analyses server log files for recurring patterns of failures. This allows to block IP’s trying to run bruteforce attacks against a server.

In this Tutorial you will learn how to configure the service on an Ubuntu Bionic server to protect the SSH service. Fail2Ban can be used with all services generating log files.

Requirements:

• You have an account and are logged into console.scaleway.com
• You have an Ubuntu Bionic server
• You have configured your SSH Key
• You have sudo privileges or access to the root user.

Installing Fail2Ban

1 . The required packages are available in the repositories of Ubuntu and can be installed with apt:

sudo apt-get install fail2ban postfix

2 . Choose Internet Site when asked for the configuration:

3 . Once the installation has completed, open the file /etc/aliases and add the following line:

root: me@mydomain.tld

Make sure to replace me@mydomain.tld with your actual email address.

Note: To receive notifications by email, it is required that the email ports are unlocked.

Configuring Fail2Ban

1 . Start by copying the configuration file:

cd /etc/fail2ban && sudo cp jail.conf jail.local

The file jail.conf contains the default parameters. If a file jail.local is available, it will have priority over jail.conf if parameters are modified.

2 . Edit the file /etc/fail2ban/jail.local with your preferred editor.

Following the parameters which should be modified:

ignoreip = 127.0.0.1/8 By default the IPs of localhost are ignored, self-banning would not be very useful. It is possible to exclude other IPs from being banned.

bantime = 600 The duration of an ban. By default it is set to 10 Minutes. The value has to be specified in seconds and it is recommended to set it at least to one hour, or one day.

findtime = 600 The timespan which will be considered for maxretry. If you want for example to ban somebody who made more than 3 malicious attempts during the last hour or, as here, in the last 10 minutes.

maxretry = 3 Amount of attempts before being banned.

destemail = root@localhost The recipient of the mail. As an alias for root has been set during the installation, this value can be left as it is.

sendername = Fail2Ban The name of the sender of the mail.

action = %(action_)s This defines the action to execute when a limit is reached. By default it will only block the user.

To receive an email at each ban, set it to:

action = %(action_mw)

To receive the logs with the mail, set it to:

action = %(action_mwl)

Further down in the configuration file it comes to the “Jails”. These are configurable blocks per service to filter logs and ban in cases where patterns are matched.

As minimum it is recommend to activate the jail ssh as follows:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

Note: If your SSH daemon is listening on multiple ports or on a different port, you have to modify the line port with the correct parameters: Here an example: port = ssh,1234 Fail2Ban analyses the logs and will ban the users who made several intrusion attempts on ports 22 (SSH by default) & 1234.

3 . Save the file once you have edited it.

Fail2Ban uses filters, pre-made configuration files indicating what to parse in a log.

They can be found in /etc/fail2ban/filter.d. You can create your own filters in case you have need to.

4 . Restart the service to take the actions into effect:

sudo service fail2ban restart

The service will now analyze the connetions made to the SSH service. The logs of Fail2Ban are located in the file var/log/fail2ban.log.