Introduction
Fail2ban is an intrusion-prevention tool that protects your server from brute force attacks. It does this by monitoring server logs and detecting repeated authentication failures and other suspicious activity.
When a host exceeds a configured number of failed attempts within a time window, Fail2ban automatically adds a firewall rule (by default an iptables rule; nftables and firewalld actions are also available) that blocks the offending IP address. The IP (or host) then stays blocked for a specified time or, if configured so, indefinitely.
Installing this log-monitoring software is therefore an excellent way to add another layer to your server security. Still, it can only be one part of your overall server security plan: it reacts only to failures that already reached a service, and it never sees an attacker who stays below the retry threshold. Explore more measures with these 21 Server Security Tips.
In this tutorial, you will learn how to install and configure Fail2ban on your server.
Prerequisites
- Access to a command-line / terminal window
- Access to a user account with sudo or root privileges
Install Fail2ban
How to install Fail2ban depends on the operating system running on your server. Below you will find commands for installing and enabling Fail2ban on Ubuntu, CentOS, Fedora, and Debian. Run the commands as root or prefix them with sudo.
Important: Fail2ban is not a replacement for a host firewall, such as iptables, nftables or ufw. It only inserts temporary block rules into a firewall that must already be in place, so keep a default-deny firewall policy as the base layer and treat Fail2ban as an addition to it.
Install Fail2ban on Ubuntu
1. Before adding new packages, it's important to update the system repository and upgrade software. To do so, run the command:
apt-get update && apt-get upgrade
Press y to confirm and hit Enter.
2. Now you can install Fail2ban with:
apt-get install fail2ban
3. Optionally, you can install Sendmail for email support:
apt-get install sendmail
4. Next, you need to allow SSH access through the firewall. Do this before enabling ufw; enabling the firewall first on a remote server would cut off your own session:
ufw allow ssh
5. Finally, enable the firewall:
ufw enable
The Ubuntu package starts and enables the fail2ban service on its own and ships /etc/fail2ban/jail.d/defaults-debian.conf, which turns on the sshd jail, so SSH is protected as soon as the installation finishes.
Install Fail2ban on CentOS
1. To install Fail2ban on CentOS, you need the EPEL repository. Update the system and add the repository by running:
yum update && yum install epel-release
2. With the EPEL repository set up, install Fail2ban with the command:
yum install fail2ban
3. Next, you need to start the Fail2ban service and enable it upon boot:
systemctl start fail2ban
systemctl enable fail2ban
4. For email support, you can install Sendmail with:
yum install sendmail
5. To start and enable the Sendmail service run:
systemctl start sendmail
systemctl enable sendmail
Install Fail2ban on Fedora
1. Start by updating the system:
dnf update
2. Then, install Fail2ban and Sendmail (optional, if you need email support):
dnf install fail2ban
dnf install sendmail
3. As these services do not start automatically on Fedora, you need to start and enable them with:
systemctl start fail2ban
systemctl enable fail2ban
systemctl start sendmail
systemctl enable sendmail
Install Fail2ban on Debian
1. Update and upgrade the system:
apt-get update && apt-get upgrade -y
The -y flag answers the confirmation prompt automatically.
2. Then, install Fail2ban with the command:
apt-get install fail2ban
3. For email support, you can also install Sendmail using the command:
apt-get install sendmail-bin sendmail
Note: Check out our comprehensive comparison of CentOS vs Ubuntu for web servers.
Configure Fail2ban
Configure Fail2ban by editing the following configuration files:
- fail2ban.local file
- jail.local file
Configure fail2ban.local File
Fail2ban defines its global (daemon) configuration in the fail2ban.conf file. The file holds the packaged defaults and is overwritten on upgrades, so it should not be modified directly.
All changes to the configuration should be done in a separate fail2ban.local file. Fail2ban reads the .conf file first and the .local file second, and any option set in the .local file overrides the same option from the .conf file; options you do not set keep their .conf defaults.
1. One way to start is to copy the content of the .conf file into a .local file and edit the copy. The command to do so is:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
A leaner alternative that survives upgrades better is to create fail2ban.local from scratch and put only the options you change into it. A full copy pins every option at the value it had when you copied it, so later improvements to the packaged defaults never take effect.
2. There will be no output after this command. The next step is to open the fail2ban.local file using a text editor of your choice:
nano /etc/fail2ban/fail2ban.local
3. The file consists of comments explaining each option and its possible values, followed by the options themselves, which include:
- loglevel – Set the log level output to CRITICAL, ERROR, WARNING, NOTICE, INFO, or DEBUG.
- logtarget – Set the log target, which can be either a FILE, SYSLOG, STDERR, or STDOUT.
- syslogsocket – Set the syslog socket file to auto or FILE (this is only used if the logtarget is set to SYSLOG).
- socket – Set the socket file which is used to communicate with the daemon. Make sure not to remove this file. Its default path is /var/run/fail2ban/fail2ban.sock.
- pidfile – Set the PID file which is used to store the process ID of the fail2ban server. The default location is /var/run/fail2ban/fail2ban.pid.
Configure jail.local File
Another Fail2ban configuration file you may need to modify is the jail.conf file, which defines the jails: each jail pairs a filter (a set of regular expressions matched against a log file) with one or more actions (by default, a firewall ban).
Just like with the global configuration, the jail.conf file should not be directly modified. Instead, all customization should be made in the jail.local file. Fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, with later files overriding earlier ones key by key.
1. If you do need to make some changes, either create a new jail.local holding only your overrides, or copy the content of the .conf file into a .local file and edit it:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
2. Open the jail.local file with a text editor of your choice:
nano /etc/fail2ban/jail.local
3. The [DEFAULT] section applies to every jail unless an individual jail section overrides a value. There you can set the following options:
- ignoreself – Specify whether the server's own IP addresses should be ignored by setting the value true (default) or false.
- ignoreip – Specify IP addresses, CIDR ranges or DNS hosts which should never be banned, for example your own management network. Separate multiple entries with spaces. Get this right before enabling any jail, because mistyping your own password can otherwise lock you out of your server.
- ignorecommand – Define an external command (path/to/command) that Fail2ban runs for each matched IP; if the command exits with status 0, the IP is ignored. Leave it empty to disable this check.
- bantime – Specify how long a host is banned. The value is in seconds unless a unit suffix such as m or h is given; the default is 10m (600 seconds). A negative value makes the ban permanent.
- maxretry – The number of failures allowed before a host is banned (by default set to 5).
- findtime – The time window in which maxretry failures must occur for a host to be banned (by default 10m, 10 minutes). For example, if a host fails 5 times in 10 minutes, it gets banned for 600 seconds. A host that fails 4 times every 10 minutes is never banned under the defaults, so raise findtime or lower maxretry if you want to catch slow brute force attempts.
- backend – Specify the backend used to detect log file modifications. The default value auto is sufficient for most systems. On Fedora and recent CentOS/RHEL releases, where sshd logs to the systemd journal rather than to a plain file, set the backend to systemd (the EPEL packaging provides a fail2ban-systemd subpackage that does this for you).
- [sshd] – In jail.conf every jail is disabled (enabled = false in [DEFAULT]) except where the distribution package enables one, as Debian and Ubuntu do for sshd in jail.d/defaults-debian.conf. To enable a jail in jail.local, add a section named after the jail, for instance [sshd], containing the line enabled = true. Older Fail2ban versions and some guides call this jail [ssh].
- destemail – Specifies the email address where you want to receive notifications.
- sender – Defines the email address from which notifications are sent. Mail is only sent if the jail's action includes a mail step, for example action = %(action_mw)s or %(action_mwl)s, and an MTA such as Sendmail is installed.
Additional jail.local Configurations
You can also set additional configurations in the jail.local file, either in [DEFAULT] or in an individual jail section such as [sshd]. These options include:
- banaction – Specifies the action that is used when maxretry is reached; the default is iptables-multiport. Change it to nftables-multiport or firewallcmd-ipset if your server uses nftables or firewalld, so that bans land in the firewall that actually enforces traffic.
- banaction_allports – The action used by jails that block an IP on every port rather than only on the service's port (the recidive jail, which re-bans repeat offenders, uses it). The default is iptables-allports.
- port – The value should correspond to the protected service. This can be a service name such as ssh or a port number (if you are using an alternative port); the ban rule is written for this port only.
- filter – The file name (without the .conf extension) of the filter containing the failregex definitions, located in /etc/fail2ban/filter.d. By default it is the same as the jail name.
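The layering of jail.conf and jail.local (and, in the same way, fail2ban.conf and fail2ban.local) is easy to get wrong, so here is an added example that is not part of the original page and not Fail2ban's own parser. It models the layering with Python's configparser: a constructed excerpt stands in for the stock [DEFAULT] and [sshd] entries of jail.conf, followed by a jail.local that holds only overrides of the kind this section recommends, using a hypothetical management network 192.0.2.0/24, mail addresses at example.com and SSH moved to port 2222. It also converts Fail2ban's time notation (600, 10m, 1h, 1d 12h, -1 for permanent) into seconds. Fail2ban's real reader additionally processes jail.d/*.conf and jail.d/*.local and expands %(...)s references, which this model leaves literal.

```python
import configparser
import re

# Constructed excerpt standing in for the stock jail.conf (only the keys used
# here; the real file has many more jails and options). %(...)s stays literal.
STOCK_JAIL_CONF = """\
[DEFAULT]
enabled   = false
ignoreip  = 127.0.0.1/8 ::1
bantime   = 10m
findtime  = 10m
maxretry  = 5
backend   = auto
banaction = iptables-multiport
destemail = root@localhost
sender    = root@<fq-hostname>
mta       = sendmail
action    = %(action_)s

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""

# The kind of jail.local this section recommends: only the settings that change.
# 192.0.2.0/24, example.com and port 2222 are hypothetical values for the example.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip  = 127.0.0.1/8 ::1 192.0.2.0/24
bantime   = 1h
destemail = ops@example.com
sender    = fail2ban@example.com
action    = %(action_mwl)s

[sshd]
enabled = true
port    = 2222
"""

_DURATION = re.compile(r"(\d+)\s*([smhdw]?)")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """Convert Fail2ban time notation ('600', '10m', '1h', '1d 12h') to seconds."""
    value = value.strip()
    if value.startswith("-") and value[1:].isdigit():
        return int(value)  # a negative bantime means a permanent ban
    if not value or not re.fullmatch(r"(\d+\s*[smhdw]?\s*)+", value):
        raise ValueError(f"bad duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION.findall(value))


def load_layered(*config_texts):
    """Read config texts in order; a later file overrides earlier ones key by key."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in config_texts:
        cp.read_string(text)
    return cp


def effective_settings(cp, jail):
    """Settings a jail ends up with: its own keys over the [DEFAULT] fallbacks."""
    return dict(cp.items(jail))


if __name__ == "__main__":
    merged = load_layered(STOCK_JAIL_CONF, JAIL_LOCAL)
    for key, val in sorted(effective_settings(merged, "sshd").items()):
        print(f"{key:10} = {val}")
    print("bantime in seconds:", parse_duration(merged.get("sshd", "bantime")))
```

Running it shows that the sshd jail ends up enabled on port 2222 with a one-hour ban, while findtime, maxretry, backend and banaction keep the packaged defaults because jail.local never mentions them. That is exactly why an override-only .local file is preferable to a full copy of the .conf file.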
Restart the Service
If you have made any changes to the fail2ban.local and jail.local files, make sure to restart the fail2ban service so that it reloads the configuration.
To restart the fail2ban service with the new configuration, run the command:
service fail2ban restart
On systemd-based systems you can equivalently use systemctl restart fail2ban. Afterwards, confirm that the daemon is running and that the sshd jail is active with fail2ban-client status sshd, which also lists the currently banned IP addresses.
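Once restarted, the daemon applies the bantime, maxretry, findtime and ignoreip settings described above to every new log line. To make that interaction concrete, here is an added example that is not part of the original page and not Fail2ban's own code: it replays constructed /var/log/auth.log-style sshd lines through a simplified model of the ban decision. The failregex is a deliberately reduced version of what filter.d/sshd.conf ships, and the hostname, PIDs and addresses are invented. It shows three things the prose can only describe: five fast failures are banned on the fifth, five failures spaced four minutes apart never trip the default ten-minute findtime, and a host covered by ignoreip is never banned no matter what it does.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified version of the "Failed password" pattern in filter.d/sshd.conf
# (the real filter handles many more sshd messages); <HOST> is a named group here.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

# Constructed sample log in the syslog format used by /var/log/auth.log.
# Host name, PIDs and addresses are invented; the year is assumed to be 2024.
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 4471 ssh2
Mar  4 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4472 ssh2
Mar  4 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 4473 ssh2
Mar  4 10:00:07 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 4474 ssh2
Mar  4 10:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 4475 ssh2
Mar  4 10:00:11 web1 sshd[1206]: Failed password for root from 203.0.113.5 port 4476 ssh2
Mar  4 10:05:00 web1 sshd[1300]: Failed password for root from 198.51.100.7 port 5001 ssh2
Mar  4 10:09:00 web1 sshd[1301]: Failed password for root from 198.51.100.7 port 5002 ssh2
Mar  4 10:13:00 web1 sshd[1302]: Failed password for root from 198.51.100.7 port 5003 ssh2
Mar  4 10:17:00 web1 sshd[1303]: Failed password for root from 198.51.100.7 port 5004 ssh2
Mar  4 10:21:00 web1 sshd[1304]: Failed password for root from 198.51.100.7 port 5005 ssh2
Mar  4 10:30:00 web1 sshd[1400]: Failed password for root from 10.0.0.9 port 6001 ssh2
Mar  4 10:30:02 web1 sshd[1401]: Failed password for root from 10.0.0.9 port 6002 ssh2
Mar  4 10:30:04 web1 sshd[1402]: Failed password for root from 10.0.0.9 port 6003 ssh2
Mar  4 10:30:06 web1 sshd[1403]: Failed password for root from 10.0.0.9 port 6004 ssh2
Mar  4 10:30:08 web1 sshd[1404]: Failed password for root from 10.0.0.9 port 6005 ssh2
Mar  4 10:40:00 web1 sshd[1500]: Accepted publickey for alice from 192.0.2.10 port 7001 ssh2
"""


def parse_timestamp(line, year=2024):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (the log has no year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def simulate_bans(log_text, maxretry=5, findtime=600, bantime=600, ignoreip=()):
    """Replay log lines and return [(host, ban_start)] in the order bans would fire.

    maxretry, findtime and bantime are the jail.local settings (times in seconds);
    ignoreip is a sequence of addresses or CIDR ranges that are never banned.
    """
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(list)   # host -> timestamps of failures inside findtime
    banned_until = {}            # host -> when the firewall rule would be removed
    bans = []
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue                     # e.g. "Accepted publickey": not a failure
        host, ts = match.group("host"), parse_timestamp(line)
        if any(ipaddress.ip_address(host) in net for net in ignore_nets):
            continue                     # ignoreip: never counted, never banned
        if host in banned_until and ts < banned_until[host]:
            continue                     # the ban rule would have dropped this packet
        window[host].append(ts)
        # Keep only the failures that fall inside the findtime window ending now.
        window[host] = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        if len(window[host]) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            window[host] = []            # the counter restarts once the host is banned
    return bans


if __name__ == "__main__":
    for host, started in simulate_bans(SAMPLE_AUTH_LOG, ignoreip=("10.0.0.0/8",)):
        print(f"ban {host} at {started:%H:%M:%S}")
```

With the defaults and 10.0.0.0/8 in ignoreip only 203.0.113.5 is banned, at 10:00:09. Raising findtime to 1800 seconds also catches the slow attacker 198.51.100.7 at 10:21:00, and dropping ignoreip would ban 10.0.0.9 as well, which is the lock-out scenario the ignoreip caveat warns about.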
Conclusion
By following this guide, you should have been able to install and set the basic configuration for Fail2ban.
Fail2ban is an excellent tool for adding another security layer. It is especially effective against SSH brute force attacks.