Skip to navigationSkip to main contentSkip to footerScaleway Docs
Log inSign up

Protecting a server with Fail2Ban

security
Fail2Ban
brute-force

Fail2Ban is a useful tool that analyses server log files for recurring patterns of failures. This allows blocking IPs trying to run brute force attacks against a server.

In this tutorial, you will learn how to configure the service on an Ubuntu Bionic server to protect the SSH service. Fail2Ban can be used with all services generating log files.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Ubuntu Bionic Instance
  • sudo privileges or access to the root user

Installing Fail2Ban

  1. The required packages are available in the repositories of Ubuntu and can be installed with apt: 
    sudo apt-get install fail2ban postfix
  2. Choose Internet Site when asked for the configuration:
  3. Once the installation has completed, open the file /etc/aliases and add the following line: 
    root: me@mydomain.tld

Make sure to replace me@mydomain.tld with your actual email address.

Tip

To receive notifications by email, it is required that the email ports are unlocked.

Configuring Fail2Ban

  1. Start by copying the configuration file: 
    cd /etc/fail2ban && sudo cp jail.conf jail.local

The file jail.conf contains the default parameters. If a file jail.local is available, it will have priority over jail.conf if parameters are modified. 2. Edit the file /etc/fail2ban/jail.local with your preferred editor.

Following are the parameters which should be modified:

  • ignoreip = 127.0.0.1/8 - By default the IPs of localhost are ignored, self-banning would not be very useful. It is possible to exclude other IPs from being banned.

  • bantime = 600 - The duration of a ban. By default, it is set to 10 Minutes. The value has to be specified in seconds and it is recommended to set it at least to one hour, or one day.

  • findtime = 600 - The timespan which will be considered for maxretry. If you want for example to ban somebody who made more than 3 malicious attempts during the last hour or, as here, in the last 10 minutes.

  • maxretry = 3 - Amount of attempts before being banned.

  • destemail = root@localhost - The recipient of the mail. As an alias for root has been set during the installation, this value can be left as it is.

  • sendername = Fail2Ban - The name of the sender of the mail.

  • action = %(action_)s - This defines the action to execute when a limit is reached. By default, it will only block the user.

    To receive an email at each ban, set it to:

    • action = %(action_mw)

    To receive the logs with the mail, set it to:

    • action = %(action_mwl)

Further down in the configuration file, it comes to the “Jails”. These are configurable blocks per service to filter logs and ban in cases where patterns are matched. As a minimum, it is recommended to activate the jail ssh as follows:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
Tip

If your SSH daemon is listening on multiple ports or a different port, you have to modify the line port with the correct parameters: For example:

port = ssh,1234

Fail2Ban analyses the logs and will ban the users who made several intrusion attempts on ports 22 (SSH by default) & 1234.

  1. Save the file once you have edited it.

    Fail2Ban uses filters, pre-made configuration files indicating what to parse in a log.

    They can be found in /etc/fail2ban/filter.d. You can create your own filters in case you need to.

  2. Restart the service to take the actions into effect:

    sudo service fail2ban restart

The service will now analyze the connections made to the SSH service. The logs of Fail2Ban are located in the file var/log/fail2ban.log.

Questions?

Visit our Help Center and find the answers to your most frequent questions.

Visit Help Center
No Results