How To Set Up fail2ban on Ubuntu 18.04

Fail2ban is a daemon that parses system and service log files looking for signs of an automated attack, typically repeated failed logins from one address.

When an attack attempt is identified, fail2ban adds a firewall rule (by default through iptables) that blocks the attacker's IP address. The block can be set either for a specific period of time or permanently. fail2ban ships filters for many services (SSH, Postfix, Apache, nginx and others), but on Ubuntu only the SSH jail is enabled out of the box, so SSH brute forcing is what it stops by default.

Since fail2ban 0.9 bans are persistent: fail2ban records them in a database at /var/lib/fail2ban/fail2ban.sqlite3 and restores any ban that has not yet expired when the service restarts, so a reboot does not release a banned attacker.

fail2ban: Installation

sudo apt-get update
sudo apt-get install fail2ban

Ubuntu 18.04 installs fail2ban 0.10 from the main repository, and the package enables and starts the service immediately with the sshd jail active.

fail2ban: Configuration

The /etc/fail2ban/fail2ban.conf file holds the settings of the fail2ban daemon itself (log level, log target, socket, PID file, database location), not the rules for what gets banned. Do not edit the .conf files directly: package upgrades overwrite them. Put your changes in a file with the same name and the .local extension instead. fail2ban reads the .conf first and then the .local, and any setting present in the .local overrides the one in the .conf, so a .local only needs to contain the settings you change. Copying the whole file is a common starting point:

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

The /etc/fail2ban/jail.conf file defines the jails, one per protected service, together with the [DEFAULT] section whose values (ignoreip, bantime, findtime, maxretry and so on) every jail inherits unless it overrides them. On Ubuntu the sshd jail is switched on by /etc/fail2ban/jail.d/defaults-debian.conf. Again, put your overrides in /etc/fail2ban/jail.local rather than editing jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After changing any of these files, apply them with sudo fail2ban-client reload (or sudo systemctl restart fail2ban).

fail2ban: Whitelist IPs

To make fail2ban ignore an address (it is never banned, however many failures it produces), list it in the ignoreip setting of the [DEFAULT] section of jail.local. Entries are separated by spaces and may be single addresses, CIDR ranges or DNS names. Put your own management address here so that a mistyped password cannot lock you out of your server. In the example below, 1.1.1.1 stands in for your own address:

ignoreip = 127.0.0.1/8 ::1 1.1.1.1

fail2ban: Ban Time

Use the bantime setting to set how long, in seconds, an IP stays banned; the default is ten minutes. If set to a negative number (for example bantime = -1), the ban is permanent. The 0.10 release shipped with Ubuntu 18.04 also accepts suffixed values such as 1h or 1d.

fail2ban: Retry Time / Amount

findtime sets the observation window in seconds, and maxretry sets how many failed attempts from one IP are tolerated inside that window: an IP is banned as soon as it produces maxretry matching log lines within findtime seconds. The two settings only make sense together. With the defaults (findtime ten minutes, maxretry 5) an attacker making one attempt every three minutes never accumulates five failures inside a window and is never banned, so lengthen findtime or lower maxretry if you see slow, spread-out guessing in the logs.

fail2ban: SSH Settings

On Ubuntu only the SSH jail is enabled by default. In the 0.10 release shipped with 18.04 the jail is named [sshd] (older releases called it [ssh]); a typical override in jail.local looks like this:

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

filter names the file in /etc/fail2ban/filter.d/ (here sshd.conf) whose regular expressions are applied to logpath; it defaults to the jail name, so the line is optional. For port, the service name from /etc/services can be used when sshd listens on the default port 22. If sshd listens on a non-standard port, give the number explicitly (for example port = 2222); several ports can be listed separated by commas. After reloading, confirm the jail is running with sudo fail2ban-client status sshd.

fail2ban: Regex

fail2ban identifies attacks by applying regular expressions (the failregex entries of a filter) to every line of the log file. Filters live in /etc/fail2ban/filter.d/ and use the syntax of Python's re module, with one addition: the <HOST> tag, which fail2ban expands into a pattern matching an IPv4 or IPv6 address or a hostname and which captures the address to ban. An optional ignoreregex entry excludes lines that would otherwise match.

Use fail2ban-regex to check that a custom filter matches the lines you expect before enabling its jail. It takes the log file (or a single log line) followed by the filter file and reports how many lines matched and which ones did not:

fail2ban-regex /var/www/html/logs/access.log /etc/fail2ban/filter.d/wordpress.conf
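The settings from the configuration sections above (.local overriding .conf, ignoreip, findtime, maxretry, bantime) and the <HOST> regex matching described here are easier to reason about when you can run them against a few log lines. The following is an added example written for this page, not fail2ban's own code: it layers a constructed jail.conf and jail.local with configparser the way fail2ban does, then applies a simplified sshd failregex to constructed auth.log lines and decides who gets banned. The host names, addresses, timestamps and the supplied year are all assumptions for the demonstration.

```python
"""Added example, not fail2ban's own code: layer jail.conf and jail.local, then
apply ignoreip, findtime, maxretry, bantime and a failregex to sshd log lines.
All config texts, log lines and addresses below are constructed for the demo."""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed stand-in for the defaults shipped in jail.conf
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""

# Constructed stand-in for an admin's jail.local: only the overrides
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 3600
findtime = 300

[sshd]
enabled  = true
maxretry = 3
"""

# Simplified sshd failregex. fail2ban expands <HOST> into its own pattern for
# IPv4/IPv6 addresses and hostnames; here a plain token stands in (assumption).
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
HOST_TAG = r"(?P<host>\S+)"


def load_jail(name, *sources):
    """Read .conf then .local; a setting in a later file overrides an earlier one."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in sources:
        cp.read_string(text)
    sec = cp[name]                      # keys absent here fall back to [DEFAULT]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
    }


def is_ignored(host, ignore_nets):
    """True if host falls inside any ignoreip address or CIDR range."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ignore_nets)


def run_jail(jail, lines, year=2024):
    """Return {host: ban_expiry} for hosts with maxretry failures inside findtime.
    A None expiry means a permanent ban (bantime < 0)."""
    regex = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))
    failures = {}                       # host -> timestamps of recent matches
    bans = {}
    for line in lines:
        m = regex.search(line)
        if not m:
            continue                    # not a failure line, nothing to count
        host = m.group("host")
        if is_ignored(host, jail["ignoreip"]):
            continue                    # whitelisted by ignoreip, never banned
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = failures.setdefault(host, [])
        window.append(ts)
        # findtime: only failures inside the trailing window count towards maxretry
        window[:] = [t for t in window if ts - t <= timedelta(seconds=jail["findtime"])]
        if len(window) >= jail["maxretry"] and host not in bans:
            bans[host] = None if jail["bantime"] < 0 else ts + timedelta(seconds=jail["bantime"])
    return bans


# Constructed auth.log excerpt, in time order
AUTH_LOG = [
    "Nov 10 12:00:01 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 50110 ssh2",
    "Nov 10 12:00:31 bastion sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50112 ssh2",
    "Nov 10 12:01:15 bastion sshd[2209]: Failed password for root from 198.51.100.7 port 50118 ssh2",
    "Nov 10 12:02:00 bastion sshd[2215]: Failed password for root from 192.0.2.9 port 41000 ssh2",
    "Nov 10 12:03:00 bastion sshd[2220]: Failed password for root from 203.0.113.10 port 39000 ssh2",
    "Nov 10 12:03:05 bastion sshd[2221]: Failed password for root from 203.0.113.10 port 39001 ssh2",
    "Nov 10 12:03:10 bastion sshd[2222]: Failed password for root from 203.0.113.10 port 39002 ssh2",
    "Nov 10 12:04:00 bastion sshd[2230]: Accepted publickey for deploy from 192.0.2.9 port 41001 ssh2",
    "Nov 10 12:08:00 bastion sshd[2240]: Failed password for root from 192.0.2.9 port 41002 ssh2",
    "Nov 10 12:14:00 bastion sshd[2266]: Failed password for root from 192.0.2.9 port 41004 ssh2",
]

if __name__ == "__main__":
    jail = load_jail("sshd", JAIL_CONF, JAIL_LOCAL)
    print("effective sshd settings:", jail)
    for host, until in run_jail(jail, AUTH_LOG).items():
        print(f"ban {host} until {until or 'forever'}")
```

Running it shows the interplay of the settings: with the jail.local overrides (maxretry 3, findtime 300) only 198.51.100.7 is banned, at its third failure at 12:01:15, until 13:01:15. 192.0.2.9 also fails three times but six minutes apart, so no findtime window ever holds three failures and it stays unbanned. 203.0.113.10 is listed in ignoreip and is skipped entirely, and the "Accepted publickey" line never matches the failregex. Load only JAIL_CONF (maxretry 5) and nobody is banned, which is the default-settings blind spot the findtime section warns about.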

fail2ban: Command Line Client

fail2ban provides a command-line (CLI) tool, fail2ban-client, which talks to the running daemon over its Unix socket and therefore needs root (run it with sudo). The most useful commands are:

  • start - start the fail2ban server and all enabled jails
  • reload - reload the whole fail2ban configuration
  • reload <jail> - reload the configuration of a single jail
  • stop - stop the fail2ban server
  • status - show the fail2ban status and the list of active jails
  • status <jail> - show a jail's filter counters and the IPs currently banned by it
  • set <jail> banip <ip> - ban an address by hand
  • set <jail> unbanip <ip> - release an address, for example after you locked yourself out
  • -t (or --test) - check the configuration for errors without starting the server