How To Setup fail2ban Ubuntu 18.04
Fail2ban is an application that parses the system logs looking for signs of an automated attack.
When an attack attempted is identified, Fail2ban adds a rule to iptables to block the IP address of the attacker. This block can be set either for a specific period of time or permanently. fail2ban focuses on SSH attacks.
Since fail2ban 0.9, the bans are persistent. fail2ban maintains a database at
sudo apt-get install fail2ban
/etc/fail2ban/fail2ban.conf contains the default configuration. It is a
good practice to copy this file to
/etc/fail2ban/fail2ban.local. In fail2ban
.local files override
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
/etc/fail2ban/jail.conf file enables fail2ban configuration for SSH.
Again, it is a good practice to copy this file to
fail2ban: Whitelist IPs
To make an IP ignored by fail2ban, use the
ignoreip = 127.0.0.1/8 18.104.22.168
fail2ban: Ban Time
bantime setting to set the number of seconds for which an IP is banned. If set to a negative number, the ban is permanent.
fail2ban: Retry Time / Amount
findtime to set the number of seconds between login attempts before a ban is set. It is used in conjunction with
maxretry which sets how many attempts can be made to access the server from a specific IP before it is banned.
fail2ban: SSH Settings
By default in fail2ban only SSH settings are enabled.
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
port, if using the default
22 port, the service name can be used. Otherwise, for non-traditional ports, use the port number explicitly.
fail2ban uses regular expressions (regex) to parse log files in order to identify potential attacks. fail2ban uses Python’s regex implementation.
fail2ban-regex to check if your custom filter is working.
fail2ban-regex /var/www/html/logs/access.log /etc/fail2ban/filter.d/wordpress.conf
fail2ban: Command Line Client
fail2ban provides a command-line (CLI) tool
start- start the fail2ban server and all defined jails.
reload- reload the fail2ban configuration
reload <jail>- reload a specific jail configuration
stop- stop the fail2ban server
status- show the fail2ban status and active jails