How to Install and Configure Fail2ban on Ubuntu 20.04
Before we begin with how to install Fail2ban on Ubuntu 20.04, let's briefly cover what Fail2ban is.
Fail2ban is a security tool that protects your server from brute-force and similar attacks. It scans log files for suspicious activity and automatically blocks IP addresses that show signs of malicious behavior. By cutting off repeated unauthorized access attempts, Fail2ban strengthens your server's security and reduces the risk of a compromise.
This open-source software is easy to install and configure, making it a popular choice for system administrators. With Fail2ban, you can safeguard your server and keep your data safe from potential threats.
In this tutorial, you will install Fail2ban on Ubuntu 20.04. We will also address a few FAQs on how to install Fail2ban on Ubuntu 20.04.
Advantages of Fail2ban
- Enhanced Security: Fail2ban protects your server by automatically blocking suspicious IP addresses, reducing the risk of unauthorized access.
- Easy Installation: Fail2ban is simple to install and configure, making it accessible for system administrators of all skill levels.
- Log Monitoring: It scans log files for signs of malicious activity, enabling proactive detection and prevention of potential threats.
- Customizable Actions: Fail2ban allows you to define specific actions to take when an IP address is blocked, giving you control over the security measures.
- Open-Source and Free: Fail2ban is open-source software, providing cost-effective security solutions for protecting your server and data.
Install Fail2ban on Ubuntu
The default Ubuntu 20.04 repositories include the Fail2ban package. Enter the following command as root or as a user with sudo permissions to install it:
sudo apt update
sudo apt install fail2ban
The Fail2ban service will start immediately after the installation is complete. You can double-check it by looking at the service's status:
sudo systemctl status fail2ban
Below is the output you will get:
Output
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
Docs: man:fail2ban(1)
Main PID: 1251 (f2b/server)
Tasks: 5 (limit: 1079)
Memory: 13.8M
CGroup: /system.slice/fail2ban.service
└─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Fail2Ban is now running on your Ubuntu server.
Fail2ban Configuration
Two configuration files are included with a typical Fail2ban installation: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. Modifying these files is not recommended, since they may be overwritten when the package is updated.
Fail2ban reads the configuration files in the following order. Settings from each .conf file are overridden by the corresponding .local file:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local
The most common way to set up Fail2ban is to copy jail.conf to jail.local and make your changes in the .local file. Advanced users can write their own .local configuration file from scratch; it only needs to contain the settings you want to override from the corresponding .conf file.
Create the .local configuration file from the default jail.conf file:
sudo cp /etc/fail2ban/jail.{conf,local}
Open the jail.local file in your text editor to begin configuring the Fail2ban server:
sudo nano /etc/fail2ban/jail.local
Each configuration option's function is described in the file's comments. We'll update the fundamental settings in this example.
Whitelist IP Addresses
The ignoreip directive specifies IP addresses, IP ranges, or hosts that should never be banned. Add your local PC's IP address here, along with the IP addresses of any other devices you want to whitelist.
Uncomment the line that starts with ignoreip and add your IP addresses, separated by spaces:
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24
Ban Settings
The ban duration and conditions are determined by the values of the bantime, findtime, and maxretry parameters.
bantime is how long an IP address stays blocked. When no suffix is supplied, the value is in seconds. The default bantime is 10 minutes; most users will want a longer ban. Adjust the value to your preference:
bantime = 1d
Use a negative value to permanently block the IP.
findtime is the window within which the failures must occur. If Fail2ban is configured to ban an IP after five failures (maxretry, see below), those five failures must happen within the findtime window.
findtime = 10m
maxretry is the number of failures before an IP is blocked. The default is five, which is sufficient for most users.
maxretry = 5
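To make the interaction of ignoreip, findtime, maxretry and bantime concrete, here is an added example (not part of the original tutorial and not Fail2ban's own code) that replays constructed sshd log lines through a simplified version of the jail logic. The log lines, the hypothetical FAILREGEX and the helper names are all assumptions for illustration; only the semantics of the four settings are taken from the sections above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format, not from a real host).
SAMPLE_LOG = """\
Aug 19 06:10:01 host sshd[1200]: Failed password for root from 203.0.113.7 port 5000 ssh2
Aug 19 06:10:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2
Aug 19 06:10:09 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
Aug 19 06:10:12 host sshd[1203]: Failed password for root from 192.168.1.20 port 6000 ssh2
Aug 19 06:10:13 host sshd[1204]: Failed password for root from 192.168.1.20 port 6001 ssh2
Aug 19 06:10:14 host sshd[1205]: Failed password for root from 192.168.1.20 port 6002 ssh2
Aug 19 06:30:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 7000 ssh2
Aug 19 06:45:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 7001 ssh2
Aug 19 07:00:00 host sshd[1208]: Failed password for root from 198.51.100.9 port 7002 ssh2
"""
# Simplified stand-in for one "Failed password" pattern of the real sshd filter.
FAILREGEX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for .* from (?P<ip>\S+) port \d+")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(value):
    """Turn a bantime/findtime such as '600', '10m', '1d', '4w' or '-1' into seconds."""
    m = re.fullmatch(r"(-?\d+)([smhdw]?)", str(value).strip())
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    return int(m[1]) * UNITS[m[2]]

def simulate_jail(log, maxretry=5, findtime="10m", ignoreip=(), year=2020):
    """Return {ip: ban_time} for each IP reaching maxretry failures within findtime."""
    window = timedelta(seconds=parse_duration(findtime))
    allow = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    failures, banned = defaultdict(list), {}
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failure line: the filter ignores it
        ip = m["ip"]
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        if ip in banned or any(ipaddress.ip_address(ip) in net for net in allow):
            continue  # already banned, or whitelisted via ignoreip
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def still_banned(ban_started, now, bantime="10m"):
    secs = parse_duration(bantime)  # a negative bantime (e.g. -1) is a permanent ban
    return secs < 0 or now - ban_started < timedelta(seconds=secs)
```

With maxretry = 3 and findtime = 10m only 203.0.113.7 is banned: 192.168.1.20 is whitelisted, and 198.51.100.9 fails once every 15 minutes, so it never accumulates three failures inside the window unless findtime is raised (for example to 1d).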
Email Notifications
When an IP address is banned, Fail2ban can send an email notification. To receive emails, you must have an SMTP server installed, and you must change the default action, which only bans the IP address, to %(action_mw)s, as shown below:
action = %(action_mw)s
%(action_mw)s bans the offending IP and sends an email containing a whois report. Set the action to %(action_mwl)s if you also want the relevant log lines included in the email.
You can also change the recipient and sender email addresses:
destemail = admin@vegastack.com
sender = root@vegastack.com
Fail2ban Jails
Fail2ban is built around the notion of jails. A jail ties a service to a filter (the log patterns that count as failures) and to the actions taken against offenders. Log entries that match the filter are counted, and when the configured threshold is reached, the jail's actions are executed.
Fail2ban comes with a variety of jails for various services. You can even design your own jail settings.
Only the sshd jail is enabled by default. To enable a jail, add enabled = true after the jail's name. The following example shows how to enable the proftpd jail:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
The previous section's settings can be customized for each jail. Here's an illustration:
[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8 23.34.45.56
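The layering described above (each file in the read order overrides the previous one, and a jail section overrides [DEFAULT]) can be checked with a few lines of Python. This is an added example, not Fail2ban's own configuration loader; the three inline layers are constructed stand-ins for jail.conf, jail.d/defaults-debian.conf and jail.local, and the helper names are assumptions.

```python
import configparser

# Constructed stand-ins for the files Fail2ban reads, listed in its read order.
# They are inline samples, not copies of the real files under /etc/fail2ban.
LAYERS = [
    ("jail.conf", """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1
[sshd]
port = ssh
logpath = %(sshd_log)s
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
"""),
    ("jail.d/defaults-debian.conf", """
[sshd]
enabled = true
"""),
    ("jail.local", """
[DEFAULT]
bantime = 1d
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
[sshd]
maxretry = 3
findtime = 1d
bantime = 4w
[proftpd]
enabled = true
"""),
]

def load_layers(layers):
    """Read every layer in order; a later file overrides earlier values for the same key."""
    # interpolation=None keeps %(sshd_log)s literal instead of trying to expand it here.
    parser = configparser.ConfigParser(interpolation=None)
    for _name, text in layers:
        parser.read_string(text)
    return parser

def effective_jail(parser, jail):
    """Settings a jail ends up with: its own section first, then [DEFAULT] as fallback."""
    return dict(parser[jail])

def enabled_jails(parser):
    """Jails whose effective 'enabled' value is true."""
    return [j for j in parser.sections() if parser.getboolean(j, "enabled", fallback=False)]
```

For sshd the result is bantime = 4w, maxretry = 3 and findtime = 1d from its own section in jail.local, while proftpd inherits bantime = 1d from the [DEFAULT] in jail.local and maxretry = 5 from jail.conf.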
Each jail's filter is kept in a file with the same name as the jail in the /etc/fail2ban/filter.d directory. If you have a custom setup and are comfortable with regular expressions, you can fine-tune the filters there.
For modifications to take effect, you must restart the Fail2ban service after editing a configuration file:
sudo systemctl restart fail2ban
Fail2ban Client
Fail2ban comes with a command-line tool, fail2ban-client, that lets you interact with the service.
Invoke the command with the -h option to see all available options:
fail2ban-client -h
You can use this tool to ban/unban IP addresses, alter settings, restart the service, and more. Listed below are a few examples:
- Check the status of your jail:
sudo fail2ban-client status sshd
- Unban an IP:
sudo fail2ban-client set sshd unbanip 23.34.45.56
- Ban an IP:
sudo fail2ban-client set sshd banip 23.34.45.56
FAQs to Install Fail2ban on Ubuntu 20.04
Where can I find the Fail2ban configuration file?
The Fail2ban configuration file is located at /etc/fail2ban/jail.conf.
How do I enable Fail2ban to start automatically on system boot?
You can enable automatic startup by running the command: sudo systemctl enable fail2ban.
How can I add custom filters and actions in Fail2ban?
To add custom filters and actions, create a new configuration file in /etc/fail2ban/filter.d/ and define the rules accordingly.
How can I whitelist or ignore certain IP addresses in Fail2ban?
You can whitelist IP addresses by adding them to the ignoreip setting in the Fail2ban configuration file.
How do I check Fail2ban's status?
Use the command sudo fail2ban-client status to check the status of Fail2ban and see the currently banned IP addresses.
How can I manually unban an IP address in Fail2ban?
To unban an IP address, run the command: sudo fail2ban-client set <JAIL> unbanip <IP_ADDRESS> (replace <JAIL> with the appropriate jail name).
How can I view Fail2ban logs?
You can view Fail2ban logs in real time by running the command: sudo tail -f /var/log/fail2ban.log.
Conclusion
We hope this detailed tutorial helped you to install Fail2ban on Ubuntu 20.04.
If you have any questions, please leave a comment below, and we'll be happy to respond.