Install Fail2ban

Posted on Sunday March 13, 2016 / by Eric Potvin

Any servers with the most basic SSH configuration can be vulnerable to brute force attacks.

Fail2Ban provides a way to automatically detect and protect (virtual) servers from malicious attackers. The program works by scanning log files and reacting to untrusted actions, like failed login attempts.

Install Fail2Ban

Fail2Ban can be installed by using the following command:

sudo apt-get install fail2ban

Create a config file

Fail2Ban needs a config file in order to run properly. A default configuration file (/etc/fail2ban/jail.conf)) file is created. This configuration file is not the one you need. You willneed to create a .local file in order to setup everything you need.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Updating the config file

The first section covers the basic rules that fail2ban will follow. If you want to update or increase the protection of your Ubuntu server, you can customize the config in each section.

Let's open the file first:

sudo vi /etc/fail2ban/jail.local

Fail2Ban SSH Config

The [ssh] and ssh_ddos section can be updated to maximize ssh security.

[ssh]

enabled  = true
port     = your port number or ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 2

[ssh-ddos]

enabled  = true
port     = your port number or ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

The filter, set by default to sshd, refers to the config file containing the rules that fail2ban uses to find matches .sshd refers to the /etc/fail2ban/filter.d/sshd.conf.

Email notifications

You can get notified when Fail2Ban detect suspicious activity by email, simply edit the following lines:

destemail = MyEmail@MyDomain.com
action = %(action_mwl)s

Restart Fail2Ban

In order for these changes to take effects, you need to restart the service:

sudo service fail2ban restart

You can check the status with the following command:

sudo fail2ban-client status

You can also check the iptables rules:

sudo iptables -L