Install Fail2ban on Ubuntu 16

Date Posted: 14-06-2017

Fail2ban is a service that bans IP addresses which make too many unsuccessful login attempts. In our previous post, we explained how to install fail2ban on a CentOS 7 server. In this post, we explain how to install fail2ban on an Ubuntu host. If your operating system is CentOS, please follow the post below to install fail2ban instead.

Install fail2ban on Centos

Implementation:

Install fail2ban using the apt-get utility.

apt-get install fail2ban

Confirm the installation prompt to continue.

Enable the service so that it starts automatically after a reboot.

systemctl enable fail2ban

Start the fail2ban service.

systemctl start fail2ban

Additional Information:

The following additional steps ban IP addresses that make unsuccessful IMAP/POP login attempts on a mail server. Assume that the log location is /var/log/mail.log.

Copy jail.conf to jail.local

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file /etc/fail2ban/jail.local and append the following content.

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
logpath = /var/log/mail.log
maxretry = 20
findtime = 1200
bantime = 3600

where,

logpath is the mail log that fail2ban needs to monitor.

bantime is how long, in seconds, the IP address stays blocked in the firewall.

Create a file /etc/fail2ban/filter.d/dovecot-pop3imap.conf and add the following content.

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Restart the fail2ban service.

systemctl restart fail2ban

To check the fail2ban client status, use the command below.

fail2ban-client status

The output of the command will look as follows.

Status
|- Number of jail: 2
`- Jail list: dovecot-pop3imap, sshd

The log location for fail2ban service is /var/log/fail2ban.log.
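
The filter and the jail thresholds can be checked offline before trusting them on a live mail server. The Python script below is an added example, not part of the original post or of fail2ban itself: it applies the failregex from the filter above to constructed dovecot log lines and uses a simplified model of maxretry and findtime. The function names, the sample lines and the assumed year are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the dovecot-pop3imap filter above (fail2ban uses Python regex).
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*(?:Authentication failure"
    r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
    r".*rip=(?P<host>\S*),.*"
)

def failed_host(line):
    """Return the client IP if the line is a login failure, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(lines, maxretry=20, findtime=1200, year=2017):
    """Simplified jail model: ban after maxretry failures within findtime
    seconds. Syslog timestamps carry no year, so `year` is an assumption."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        host = failed_host(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned.append(host)
    return banned

def sample_log():
    """Constructed dovecot lines (documentation IP ranges, not real traffic)."""
    fail = ("Jun 14 10:%02d:%02d mail dovecot: imap-login: Disconnected (auth "
            "failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, "
            "rip=203.0.113.7, lip=192.0.2.10, TLS")
    lines = [fail % divmod(30 * i, 60) for i in range(20)]  # 20 failures, 30 s apart
    lines.append("Jun 14 10:03:05 mail dovecot: pop3-login: Aborted login (auth "
                 "failed, 3 attempts in 6 secs): user=<alice>, method=PLAIN, "
                 "rip=198.51.100.23, lip=192.0.2.10")
    lines.append("Jun 14 10:04:10 mail dovecot: imap-login: Login: user=<carol>, "
                 "method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4242, TLS")
    return sorted(lines)

if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

On the server itself, the fail2ban-regex tool shipped with fail2ban performs the same filter check against the real log: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf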

 
