How to Install and Configure Fail2ban on Ubuntu 20.04

Before we begin talking about how to install Fail2ban on Ubuntu 20.04 - let's briefly understand - What is Fail2ban?

Fail2ban is a powerful security tool that protects your server from malicious attacks. It scans log files for suspicious activity and automatically blocks IP addresses that show signs of malicious behavior. By preventing unauthorized access attempts, Fail2ban strengthens your server's security and reduces the risk of hacking.

This open-source software is easy to install and configure, making it a popular choice for system administrators. With Fail2ban, you can safeguard your server and keep your data safe from potential threats.

In this tutorial, you will install Fail2ban on Ubuntu 20.04. We will also address a few FAQs on how to install Fail2ban on Ubuntu 20.04.

Advantages of Fail2ban

1. Enhanced Security: Fail2ban protects your server by automatically blocking suspicious IP addresses, reducing the risk of unauthorized access.
2. Easy Installation: Fail2ban is simple to install and configure, making it accessible for system administrators of all skill levels.
3. Log Monitoring: It scans log files for signs of malicious activity, enabling proactive detection and prevention of potential threats.
4. Customizable Actions: Fail2ban allows you to define specific actions to take when an IP address is blocked, giving you control over the security measures.
5. Open-Source and Free: Fail2ban is open-source software, providing cost-effective security solutions for protecting your server and data.

Install Fail2ban on Ubuntu

The default Ubuntu 20.04 repositories include the Fail2ban package. Enter the following command as root or as a user with sudo permissions to install it:

sudo apt update
sudo apt install fail2ban

The Fail2ban service will start immediately after the installation is complete. You can double-check it by looking at the service's status:

sudo systemctl status fail2ban

Below is the output you will get:

Output

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Fail2Ban is now running on your Ubuntu server.

Fail2ban Configuration

Two configuration files are included with the typical Fail2ban installation: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. Modifying these files is not suggested since they may be overwritten when the package is updated.

The configuration files are read in the following order by Fail2ban. The settings from the .conf file are overridden by each .local file:

• /etc/fail2ban/jail.conf
• /etc/fail2ban/jail.d/*.conf
• /etc/fail2ban/jail.local
• /etc/fail2ban/jail.d/*.local

The most common technique to set up Fail2ban is to transfer the jail.conf file to jail.local and make changes to the .local file. Advanced users can create their own .local configuration file. Only the settings you want to override from the corresponding .conf file must be included in the .local file.

From the default jail.conf file, create a .local configuration file:

sudo cp /etc/fail2ban/jail.{conf,local}

Open the jail.local file in your text editor to begin setting the Fail2ban server:

sudo nano /etc/fail2ban/jail.local

Each configuration option's function is described in the file's comments. We'll update the fundamental settings in this example.

Whitelist IP Addresses

The ignoreip directive can be used to specify IP addresses, IP ranges, or hosts that should not be banned. Here you should provide your local PC's IP address as well as the IP addresses of any additional devices you want to whitelist.

Remove the comment from the line that starts with ignoreip and replace it with your IP addresses, separated by a space:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban Settings

The ban time and conditions are determined by the values of the bantime, findtime, and maxretry parameters.

The bantime refers to how long an IP address is blocked. When no suffix is supplied, seconds is used by default. The bantime value is set to 10 minutes by default. The majority of users will wish to extend the ban term. Adapt the value to your preferences:

bantime  = 1d

Use a negative value to permanently block the IP.

The delay between the number of failures and the imposition of a ban is known as findtime. If Fail2ban is configured to ban an IP after five failures (maxretry, see below), those failures must happen within the findtime timeframe.

findtime  = 10m

The maximum number of failures before an IP is blocked is called maxretry. The default value is five, which should be sufficient for the majority of users.

maxretry = 5

Email Notifications

When an IP address is blacklisted, Fail2ban can send an email notice. To receive emails, you must have an SMTP server installed and alter the default action, which simply restricts IP addresses, to percent (action mw)s, as seen below:

action = %(action_mw)s

% (action mw)s blocks the offending IP and sends a whois report via email. Set the action to %(action mwl)s if you want the relevant logs to be included in the email.

You can also change the email addresses that are sent and received:

destemail = [email protected]

sender = [email protected]

Fail2ban Jails

The notion of jails is used in Fail2ban. A jail is a term that refers to a service that contains filters and activities. The number of log entries that fit the search pattern is counted, and when a predetermined criterion is satisfied, the appropriate actions are taken.

Fail2ban comes with a variety of jails for various services. You can even design your own jail settings.

Only the ssh jail is activated by default. To enable a jail, type enabled = true after the name of the jail. How to enable the proftpd prison is demonstrated in the following example:

[proftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

The previous section's settings can be customized for each jail. Here's an illustration:

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 23.34.45.56

The filters are kept in a file with the same name as the jail in the /etc/fail2ban/filter.d directory. You can fine-tune the filters if you have a custom configuration and knowledge with regular expressions.

For modifications to take effect, you must restart the Fail2ban service after editing a configuration file:

sudo systemctl restart fail2ban

Fail2ban Client

Fail2ban comes with a command-line tool called fail2ban-client that allows you to interface with the service.

Invoke the command with the -h option to see all available options:

fail2ban-client -h

You can use this tool to ban/unban IP addresses, alter settings, restart the service, and more. Listed below are a few examples:

• Check the status of your jail:

sudo fail2ban-client status sshd

• Unban an IP:

sudo fail2ban-client set sshd unbanip 23.34.45.56

• Ban an IP:

sudo fail2ban-client set sshd banip 23.34.45.56

FAQs to Install Fail2ban on Ubuntu 20.04

Conclusion

We hope this detailed tutorial helped you to install Fail2ban on Ubuntu 20.04.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.