Protecting a server with Fail2Ban
Fail2Ban is a useful tool that analyses server log files for recurring patterns of failures. This allows to block IP’s trying to run brute force attacks against a server.
In this Tutorial you will learn how to configure the service on an Ubuntu Bionic server to protect the SSH service. Fail2Ban can be used with all services generating log files.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- The required packages are available in the repositories of Ubuntu and can be installed with
apt:sudo apt-get install fail2ban postfix
Internet Sitewhen asked for the configuration:
- Once the installation has completed, open the file
/etc/aliasesand add the following line:root: email@example.com
Make sure to replace
firstname.lastname@example.org with your actual email address.
To receive notifications by email, it is required that the email ports are unlocked.
- Start by copying the configuration file:
cd /etc/fail2ban && sudo cp jail.conf jail.local
jail.conf contains the default parameters. If a file
jail.local is available, it will have priority over
jail.conf if parameters are modified.
2. Edit the file
/etc/fail2ban/jail.local with your preferred editor.
Following the parameters which should be modified:
ignoreip = 127.0.0.1/8By default the IPs of localhost are ignored, self-banning would not be very useful. It is possible to exclude other IPs from being banned.
bantime = 600The duration of an ban. By default it is set to 10 Minutes. The value has to be specified in seconds and it is recommended to set it at least to one hour, or one day.
findtime = 600The timespan which will be considered for maxretry. If you want for example to ban somebody who made more than 3 malicious attempts during the last hour or, as here, in the last 10 minutes.
maxretry = 3Amount of attempts before being banned.
destemail = root@localhostThe recipient of the mail. As an alias for root has been set during the installation, this value can be left as it is.
sendername = Fail2BanThe name of the sender of the mail.
action = %(action_)sThis defines the action to execute when a limit is reached. By default it will only block the user.
To receive an email at each ban, set it to:
action = %(action_mw)
To receive the logs with the mail, set it to:
action = %(action_mwl)
Further down in the configuration file it comes to the “Jails”. These are configurable blocks per service to filter logs and ban in cases where patterns are matched. As a minimum, it is recommend to activate the jail ssh as follows:
[ssh]enabled = trueport = sshfilter = sshdlogpath = /var/log/auth.log
If your SSH daemon is listening on multiple ports or on a different port, you have to modify the line port with the correct parameters: For example:
port = ssh,1234
Fail2Ban analyses the logs and will ban the users who made several intrusion attempts on ports 22 (SSH by default) & 1234.
Save the file once you have edited it.
Fail2Ban uses filters, pre-made configuration files indicating what to parse in a log.
They can be found in
/etc/fail2ban/filter.d. You can create your own filters in case you have need to.
Restart the service to take the actions into effect:sudo service fail2ban restart
The service will now analyze the connections made to the SSH service. The logs of Fail2Ban are located in the file