Fail2ban is a log-based intrusion prevention tool: it scans log files (for example /var/log/auth.log) for repeated authentication failures and other attack patterns, and when a source IP exceeds a configured number of failures within a time window it automatically adds a firewall rule to block that IP for a set period. It does not stop a single well-chosen password guess; it limits brute force by rate.

Prerequisite

A system running Ubuntu 18.04 and a user account with sudo privileges

Implementation

Step 1: SSH the server

$ ssh user@ip

Step 2: Get the newest versions of the packages and their dependencies

$ sudo apt-get update

Step 3: Install Fail2ban

$ sudo apt-get install fail2ban

Step 4: Configure fail2ban through a local override file 'jail.local' rather than editing 'jail.conf' directly. Fail2ban reads jail.conf first and then jail.local, so settings in jail.local win, and package upgrades overwrite jail.conf but leave jail.local alone. Copying the whole file is the simplest way to start; a jail.local containing only the sections you change works just as well.

$sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Step 5: Edit the custom configuration file to enable the sshd jail, which uses the sshd filter against the SSH authentication log

$ sudo vi /etc/fail2ban/jail.local

=====
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 10m
findtime = 10m
maxretry = 5
=====

'port = ssh' resolves to 22 via /etc/services; if sshd listens on another port, put that number here or the ban rule will not cover it. Note that on Ubuntu 18.04 the package already enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf, so this section mainly sets the thresholds. To avoid locking yourself out while testing, add your own management address to 'ignoreip' in the [DEFAULT] section, e.g. 'ignoreip = 127.0.0.1/8 ::1 <your admin IP>'.


(I) Bantime – How long an IP address stays banned before the firewall rule is removed and it may reach the service again

(II) Findtime – The length of the sliding time window over which failures are counted: an IP is banned only if it reaches maxretry failures within any findtime-long window, so failures older than findtime no longer count

(III) Maxretry – The number of failures an IP must generate within findtime before it is banned

Step 6: Reload fail2ban so the new jail.local takes effect, then check whether the sshd jail is active and blocking addresses with the commands below (the client talks to the fail2ban socket, which requires root)

$ sudo systemctl restart fail2ban
$ sudo fail2ban-client status sshd

If the jail shows no failures even though /var/log/auth.log contains attempts, test the filter directly against the log with 'sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf', which reports how many lines the sshd regexes matched.


Step 7: If the configuration is correct, the output looks like the following (counts and addresses will differ on your server)

Output
Status for the jail: sshd
|- Filter
|  |- Currently failed: 11
|  |- Total failed:     93
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 11
   |- Total banned:     22
   `- Banned IP list:   *.*.*.*

The addresses currently blocked are listed under 'Banned IP list'. The same addresses appear as firewall rules in the jail's chain ('sudo iptables -L f2b-sshd -n' with the default iptables-multiport action), and a mistakenly banned address can be released with 'sudo fail2ban-client set sshd unbanip <ip>'.
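To make the findtime and maxretry settings above concrete, the following script is an added example that is not part of the original post and not fail2ban's own code. It applies a sliding-window counter to a constructed /var/log/auth.log excerpt (hypothetical host, IPs from documentation ranges, made-up timestamps) and prints the IPs a jail with the given thresholds would ban. It only recognises "Failed password" lines, whereas the real sshd filter matches several more patterns, and it runs entirely offline.

```shell
#!/bin/sh
# Added example, not the original post's or fail2ban's code: a sliding-window
# counter that mimics how a jail applies findtime and maxretry. The log lines,
# host name, IPs and timestamps below are constructed for this illustration.

# Constructed /var/log/auth.log excerpt, in time order.
SAMPLE_LOG='Mar 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50000 ssh2
Mar 10 10:00:10 host sshd[1002]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 10 10:00:30 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar 10 10:01:02 host sshd[1004]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar 10 10:01:20 host sshd[1005]: Accepted password for alice from 192.0.2.9 port 33000 ssh2
Mar 10 10:01:40 host sshd[1006]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2
Mar 10 10:02:15 host sshd[1007]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar 10 10:08:10 host sshd[1008]: Failed password for root from 198.51.100.7 port 41001 ssh2
Mar 10 10:16:10 host sshd[1009]: Failed password for root from 198.51.100.7 port 41002 ssh2
Mar 10 10:24:10 host sshd[1010]: Failed password for root from 198.51.100.7 port 41003 ssh2
Mar 10 10:32:10 host sshd[1011]: Failed password for root from 198.51.100.7 port 41004 ssh2'

# would_ban LOG FINDTIME_SECONDS MAXRETRY
# Prints each source IP that reached MAXRETRY failures inside a window of
# FINDTIME_SECONDS, once, in the order the threshold was crossed.
# Only "Failed password" lines count (the stock sshd filter matches more).
would_ban() {
    printf '%s\n' "$1" | awk -v findtime="$2" -v maxretry="$3" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        split($3, t, ":")                       # HH:MM:SS -> seconds of day
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || ip in banned) next      # already banned: stop counting
        cnt[ip]++
        ts[ip, cnt[ip]] = now
        if (head[ip] == 0) head[ip] = 1
        # Slide the window: forget failures older than findtime seconds.
        while (head[ip] <= cnt[ip] && now - ts[ip, head[ip]] > findtime) head[ip]++
        if (cnt[ip] - head[ip] + 1 >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# The jail from the post: findtime = 10m, maxretry = 5. Only the fast attacker
# (five failures in about two minutes) is banned; the slow one, spaced eight
# minutes apart, never has five failures inside any ten-minute window.
echo "findtime=10m maxretry=5:"; would_ban "$SAMPLE_LOG" 600 5
# Widening findtime to an hour catches the slow attacker as well.
echo "findtime=1h  maxretry=5:"; would_ban "$SAMPLE_LOG" 3600 5
```

The second run shows the trade-off behind findtime: a short window keeps the jail from reacting to slow, spread-out guessing, while a long window catches it at the cost of holding more state and banning after what may be legitimate, occasional typos. The Accepted line for 192.0.2.9 is ignored, as it should be.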
