Fail2Ban: Installation and Configuration

Fail2Ban is a handy tool that watches log files for failed access attempts and, once an IP address reaches a configured number of failures within a time window, blocks that address at the firewall for a set period.

Fail2Ban is a great first step toward shutting out unwanted access attempts. In this article I am going to show how to install it, configure it for the SSH server, check its status and remove falsely banned IP addresses. I assume you already have a running Ubuntu Server; if not, you can read here how to install Ubuntu Server. Let's get started! 🙂


Fail2Ban: Installation

Before installing Fail2Ban, check for system updates as usual. Do this with the following commands:

sudo apt update
sudo apt -y upgrade
sudo apt -y dist-upgrade

Now that this is out of the way issue the following command to install Fail2Ban

sudo apt install -y fail2ban

Fail2Ban is now installed. Next, make sure the service starts automatically after a reboot and start it right away:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

That is it for the installation. Next we configure Fail2Ban to monitor SSH access attempts, set the desired threshold and go over some of the configuration.

Fail2Ban: Configuration

Before making any changes, set up the local override file. Fail2Ban reads /etc/fail2ban/jail.conf and then applies /etc/fail2ban/jail.local on top of it; jail.conf is overwritten on package upgrades, so local changes belong in jail.local (or in drop-in files under /etc/fail2ban/jail.d/). Copying the shipped file gives you a fully commented starting point:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open up /etc/fail2ban/jail.local with your desired editor. I’ll use vim.

sudo vim /etc/fail2ban/jail.local

Before configuring anything else, add the addresses of a couple of machines with static IPs that must never be blocked, so you cannot lock yourself out. Look for the line that starts with ignoreip; it should look like this:

ignoreip = 127.0.0.1/8

Add your IP addresses for unblocked access. It should look something like the following:

ignoreip = 127.0.0.1/8 192.168.55.67 192.168.13.4

!!! Remark: You can also add an entire subnet to the ignoreip directive using CIDR notation, e.g. 192.168.1.0/24, which exempts every address from 192.168.1.0 to 192.168.1.255 from being banned. Be careful with this and only add subnets if absolutely necessary: anyone inside an exempted range can brute-force the server without ever being blocked.

In the next step a jail for sshd will be created. A jail pairs a filter (the regular expressions that recognise failed logins in a log file) with a ban action, so one jail is needed for each service you want to protect; drop-in files under /etc/fail2ban/jail.d/ are read after jail.local. Let's create an empty file to start with and then add the directives to monitor ssh and block IPs that reach 5 failed login attempts.

sudo touch /etc/fail2ban/jail.d/ssh.conf

Now enter the following to that newly created file:

[sshd]
enabled = true
port = ssh
banaction = iptables-multiport
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 86400

Save and close this file. Here are some quick comments on the settings:

  • enabled = true
    • enables or disables this jail; possible values are true or false
  • port = ssh
    • the port(s) the ban closes for the offending address; ssh resolves to 22 via /etc/services. If sshd listens on another port, put that number here, otherwise the ban only covers 22 and the attacker keeps going.
  • banaction = iptables-multiport
    • the firewall action used to block an address. This is the default, so the line only makes it explicit; change it (e.g. to nftables-multiport) if your host does not use iptables.
  • logpath = /var/log/auth.log
    • the log file Fail2Ban watches for SSH login attempts. The path differs on other Linux distributions; this is the correct one for Ubuntu Server.
  • maxretry = 5
    • how many failures an address may produce within findtime before Fail2Ban bans it
  • findtime = 600
    • the window, in seconds, in which those failures must occur (10 minutes is the default). Five failures spread over an hour do not trigger a ban; five within ten minutes do.
  • bantime = 86400
    • how long an address stays banned, in seconds. A few examples: 3600 = 1 hour, 86400 = 1 day, 604800 = 1 week, and a negative value such as -1 bans permanently.

!!! For more detail read the manual pages, for example man jail.conf, man fail2ban or man fail2ban-client; they should get you started. You can also visit their website here.

Save the file and restart the fail2ban service (sudo fail2ban-client reload also re-reads the configuration):

sudo systemctl restart fail2ban
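To see what maxretry, findtime, bantime and ignoreip do together, here is a small Python model of the jail above run over a constructed auth.log excerpt. This is an added example, not Fail2Ban's own code and not from the original article: the regular expression is a simplified version of the password-failure pattern in Fail2Ban's sshd filter, the log lines and the addresses (203.0.113.7, 198.51.100.9, 192.168.55.67) are made up, and the year 2024 is assumed because syslog timestamps carry none.

```python
"""Model of one fail2ban jail run over constructed /var/log/auth.log lines."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified version of the pattern fail2ban's sshd filter uses for password
# failures; the real filter.d/sshd.conf covers many more message variants.
SSHD_FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

# Constructed sample log (documentation addresses, not captured traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 srv sshd[1003]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:12 srv sshd[1004]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:15 srv sshd[1005]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar  3 10:00:18 srv sshd[1006]: Failed password for root from 203.0.113.7 port 51280 ssh2
Mar  3 10:01:00 srv sshd[1010]: Failed password for bob from 192.168.55.67 port 40000 ssh2
Mar  3 10:01:02 srv sshd[1011]: Failed password for bob from 192.168.55.67 port 40001 ssh2
Mar  3 10:01:04 srv sshd[1012]: Failed password for bob from 192.168.55.67 port 40002 ssh2
Mar  3 10:01:06 srv sshd[1013]: Failed password for bob from 192.168.55.67 port 40003 ssh2
Mar  3 10:01:08 srv sshd[1014]: Failed password for bob from 192.168.55.67 port 40004 ssh2
Mar  3 10:05:00 srv sshd[1020]: Failed password for alice from 198.51.100.9 port 42000 ssh2
Mar  3 10:09:00 srv sshd[1021]: Failed password for alice from 198.51.100.9 port 42001 ssh2
Mar  3 10:13:00 srv sshd[1022]: Failed password for alice from 198.51.100.9 port 42002 ssh2
Mar  3 10:17:00 srv sshd[1023]: Failed password for alice from 198.51.100.9 port 42003 ssh2
Mar  3 10:21:00 srv sshd[1024]: Failed password for alice from 198.51.100.9 port 42004 ssh2
Mar  3 10:25:00 srv sshd[1025]: Accepted password for alice from 198.51.100.9 port 42005 ssh2
"""

LOG_YEAR = 2024  # syslog lines carry no year; fail2ban infers it, here it is assumed


def parse_syslog_time(ts):
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def evaluate_jail(lines, failregex, maxretry=5, findtime=600, bantime=86400, ignoreip=()):
    """Return {host: ban_expiry} for hosts that reach maxretry matches within findtime.

    Mirrors the jail semantics: each failregex match is one failure for <host>;
    failures older than findtime are forgotten; the maxretry-th failure inside
    the window triggers a ban of bantime seconds; ignoreip hosts are never counted.
    """
    ignore_nets = [ip_network(n, strict=False) for n in ignoreip]
    recent = {}   # host -> timestamps of failures still inside findtime
    banned = {}   # host -> datetime when the ban expires
    for line in lines:
        m = failregex.search(line)
        if not m:
            continue                       # e.g. "Accepted password" lines
        host, when = m.group("host"), parse_syslog_time(m.group("ts"))
        try:
            addr = ip_address(host)
        except ValueError:
            addr = None                    # a hostname was logged instead of an address
        if addr is not None and any(addr in net for net in ignore_nets):
            continue                       # whitelisted: not even counted
        if host in banned and when < banned[host]:
            continue                       # already banned, nothing to add
        window = [t for t in recent.get(host, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = when + timedelta(seconds=bantime)
            recent[host] = []              # counter resets once the host is banned
    return banned


def run_sample():
    """Apply the article's [sshd] settings and ignoreip list to the sample log."""
    return evaluate_jail(
        SAMPLE_AUTH_LOG.splitlines(), SSHD_FAILREGEX,
        maxretry=5, findtime=600, bantime=86400,
        ignoreip=("127.0.0.1/8", "192.168.55.67"),
    )


if __name__ == "__main__":
    for host, expiry in run_sample().items():
        print(f"{host} banned until {expiry}")
```

Run it and 203.0.113.7 is the only host reported banned: it produced five failures within 14 seconds. 192.168.55.67 fails just as often but is in ignoreip, and 198.51.100.9 never has more than three failures inside any 600-second window, which is why a slow, patient attacker needs a longer findtime (or a lower maxretry) to be caught.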

Work with Fail2Ban

Here are a few commands that help when working with fail2ban.

  • sudo fail2ban-client status
    • Displays a general status report for fail2ban and should look like the following:
      Status
      |- Number of jail: 1
      `- Jail list: sshd
  • sudo fail2ban-client status sshd
    • Displays the report for one jail, in this case sshd, and looks like:
      Status for the jail: sshd
      |- Filter
      |  |- Currently failed: 9
      |  |- Total failed: 89561
      |  `- File list: /var/log/auth.log
      `- Actions
         |- Currently banned: 3
         |- Total banned: 13323
         `- Banned IP list: 192.241.139.236 124.126.18.130 122.205.143.89
  • sudo fail2ban-client set sshd unbanip 122.205.143.89
    • Removes a banned IP address from the jail; use this for a falsely banned host
  • sudo fail2ban-client set sshd banip 122.205.143.89
    • Manually bans an IP address in the jail

Jail examples

I am trying to present a few common fail2ban jails that work on an Ubuntu Server. Provide your own if you like and I will add them in this section below.

WordPress

In order to teach fail2ban to check WordPress logins, a filter has to be created. WordPress answers a failed POST to wp-login.php with HTTP 200 (it re-renders the login form), whereas a successful login is answered with a 302 redirect, so the filter keys on POST plus status 200. Create the file /etc/fail2ban/filter.d/wordpress.conf and add the following to it:

# Fail2Ban filter for WordPress
# Matches a POST to wp-login.php answered with 200 (failed login);
# a successful login redirects with 302 and is not matched.
[Definition]
failregex = ^<HOST> - \S+ \[.*?\] "POST /wp-login\.php[^"]*" 200\b
ignoreregex =

Save this file and create a jail for WordPress. Create the file /etc/fail2ban/jail.d/wordpress.local and add the following to it:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/www/html/andromeda/logs/access.log
port = 80,443

Save and close the file, but make sure logpath points to the access log of your own site (the path above is the author's). If the site sits behind a reverse proxy or CDN, the logged client address is the proxy's, and banning it would lock out every visitor; make sure the access log records the real client IP before enabling this jail.
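Before enabling a hand-written filter it pays to check what it actually matches. The following Python script is an added example, not part of the original article or of Fail2Ban: it applies a cleaned-up form of the wordpress.conf expression (with fail2ban's `<HOST>` tag replaced by a plain host group, which is an approximation of what fail2ban substitutes) to a handful of constructed Apache combined-format access-log lines and lists the hosts the jail would count. The addresses are documentation ranges and the lines are made up.

```python
"""Check the WordPress failregex against constructed Apache access-log lines."""
import re

# Stand-in for fail2ban's <HOST> tag. fail2ban substitutes its own address
# pattern when it loads the filter; a non-space run is enough for this check.
HOST = r"(?P<host>\S+)"

# Same expression as the wordpress.conf filter, with <HOST> expanded.
# WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
# and a successful one with 302, so "POST ... 200" is the failure signal.
# The bracketed timestamp is matched with \[.*?\] so the expression also
# works if the timestamp has been cut out of the line before matching.
WP_FAILREGEX = re.compile(
    r'^' + HOST + r' - \S+ \[.*?\] "POST /wp-login\.php[^"]*" 200\b'
)

# Constructed combined-format access log (documentation addresses, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/8.0"
203.0.113.7 - - [03/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/8.0"
198.51.100.9 - - [03/Mar/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8::5 - - [03/Mar/2024:10:00:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/2.0" 200 4523 "-" "python-requests/2.31"
192.0.2.44 - - [03/Mar/2024:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/8.0"
192.0.2.44 - - [03/Mar/2024:10:00:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""


def failed_logins(lines):
    """Return the source host of every line the filter counts as a failed login.

    Only POST + 200 lines match: the GET that merely loads the form, the 302
    of a successful login and POSTs to other scripts are left alone, while the
    IPv6 client and the query-string variant are still caught.
    """
    hits = []
    for line in lines:
        m = WP_FAILREGEX.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


def failures_per_host(lines):
    """Aggregate the matches per host, which is what maxretry is compared against."""
    counts = {}
    for host in failed_logins(lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{host}: {n} failed login(s)")
```

On the server itself the equivalent check is sudo fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/wordpress.conf, which prints how many lines the filter matched and which addresses it extracted; run it before enabling the jail so that a typo in the expression does not silently match nothing (or everything).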

Create the file /etc/fail2ban/jail.d/dovecot.local and add the following to it:

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

Save and close the file but make sure you point to the correct logfile

Create the file /etc/fail2ban/jail.d/postfix.local and add the following to it:
[postfix]
enabled = true
port = smtp,465,submission
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

Save and close the file but make sure you point to the correct logfile

Create the file /etc/fail2ban/jail.d/apache.local and add the following to it:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

Save and close the file but make sure you point to the correct logfile

Create the file /etc/fail2ban/jail.d/mysql.local and add the following to it:
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306
logpath = /var/log/mysql/error.log

Save and close the file but make sure you point to the correct logfile. Note that MySQL only writes "Access denied" messages to the error log when warning logging is enabled (log_warnings = 2 on older servers, log_error_verbosity = 3 on MySQL 5.7 and later); without that the jail has nothing to match.

Create the file /etc/fail2ban/jail.d/nginx.local and add the following to it:
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log

Save and close the file but make sure you point to the correct logfile

!!! Don't forget to restart the fail2ban service after you have made changes to any of its configuration files. !!!

Conclusion

This concludes this article. I hope you find this useful and please let me know if I messed something up or is incomplete or if you like to add something in to this article.