How to Install and Configure Fail2ban on Ubuntu 18.04 Server
Fail2ban is an intrusion prevention tool that scans log files for repeated failed logins and similar signs of attack against your server. When an address exceeds the configured number of failures, Fail2ban updates the firewall rules on its own to block that IP address for a set period.
Prerequisite
A system running Ubuntu 18.04 with a user account with sudo privileges
Implementation
Step 1: SSH the server
$ ssh user@ip
Step 2: Get the newest versions of the packages and their dependencies
$ sudo apt-get update
Step 3: Install Fail2ban
$ sudo apt-get install fail2ban
Step 4: Do not edit ‘jail.conf’ directly, as package upgrades overwrite it. Create the custom configuration file ‘jail.local’ from ‘jail.conf’; settings in ‘jail.local’ override those in ‘jail.conf’.
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Step 5: Edit the custom configuration file and set the [sshd] section as shown, so that failures are detected for the sshd service
$ sudo vi /etc/fail2ban/jail.local

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 10m
findtime = 10m
maxretry = 5
(I) bantime – How long an IP address stays banned before it is allowed to reach the service again
(II) findtime – The window of time in which an IP address must reach the maximum number of retries for a service before it is banned; failures older than this window are not counted
(III) maxretry – The number of failures an IP address may generate within findtime before it is banned
Step 6: Check the status of the sshd jail, including which IP addresses are currently banned, with the command below
$ sudo fail2ban-client status sshd
Step 7: If the configuration is correct, the output should look like the following

Status for the jail: sshd
|- Filter
|  |- Currently failed: 11
|  |- Total failed:     93
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 11
   |- Total banned:     22
   `- Banned IP list:   *.*.*.*
The IP addresses currently blocked are listed under ‘Banned IP list’.
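As an added example that is not part of the original guide, the shell script below parses the status output shown in Step 7 so a monitoring job can read the banned counters or check whether a specific address is currently banned. The status text and the IP addresses in it are constructed samples; the script falls back to that sample when fail2ban-client is not installed, so it can be tried on a workstation.

```shell
#!/bin/sh
# Added example (not from the original guide): parse the output of
# "fail2ban-client status <jail>" and expose its counters to a cron job
# or monitoring check. The sample below is constructed test data.

SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 11
|  |- Total failed:     93
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 11
   |- Total banned:     22
   `- Banned IP list:   203.0.113.7 198.51.100.23'

# jail_status JAIL: print the live status, or the constructed sample when
# fail2ban is not installed on this machine.
jail_status() {
    if command -v fail2ban-client >/dev/null 2>&1; then
        sudo fail2ban-client status "$1"
    else
        printf '%s\n' "$SAMPLE_STATUS"
    fi
}

# status_field STATUS_TEXT LABEL: print the value following "LABEL:".
# Labels are unique in the status output, so only one line matches.
status_field() {
    printf '%s\n' "$1" | sed -n "s/^.*$2:[[:space:]]*//p"
}

# banned_ips STATUS_TEXT: print one banned address per line.
banned_ips() {
    status_field "$1" 'Banned IP list' | tr ' ' '\n' | sed '/^$/d'
}

# is_banned STATUS_TEXT IP: exit 0 if IP is in the banned list.
is_banned() {
    banned_ips "$1" | grep -qxF "$2"
}

# Run with "run" as the first argument to print a short report.
if [ "${1:-}" = "run" ]; then
    st=$(jail_status sshd)
    echo "currently banned: $(status_field "$st" 'Currently banned')"
    echo "total banned:     $(status_field "$st" 'Total banned')"
    banned_ips "$st"
fi
```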