Fail2Ban is a security tool that protects your VPS from brute-force attacks by monitoring log files and banning malicious IPs. This article covers the steps to install and configure Fail2Ban on an Ubuntu VPS, along with examples of how to use it to enhance server security.
Edited: 12-10-2024
Fail2Ban is a security software that helps protect your server by monitoring log files for suspicious activity, such as failed login attempts. When Fail2Ban detects a predefined number of failures from the same IP address, it bans that IP by modifying firewall rules. This effectively prevents brute-force attacks on services such as SSH, FTP, and web servers. Fail2Ban is highly configurable, allowing administrators to set custom rules for various services and specify how long IPs should remain banned. By implementing Fail2Ban on your VPS, you add an essential layer of protection against automated attacks.
- Automatic Banning: Fail2Ban bans IPs based on a certain number of failed login attempts within a specified time period.
- Customizable Jails: You can create custom rules for different services such as SSH, Apache, and FTP.
- Email Alerts: Fail2Ban can send email notifications when an IP is banned.
- Temporary or Permanent Bans: You can define how long IPs are banned, from temporary blocks to permanent bans.
- Log Monitoring: It continuously monitors log files for suspicious patterns.
Follow these steps to install and configure Fail2Ban on your Ubuntu VPS.
As with any software installation, it's best to ensure that your server is up-to-date before installing Fail2Ban:
sudo apt update
sudo apt upgrade
Fail2Ban is available in Ubuntu's default package repository, so you can install it easily using apt:
sudo apt install fail2ban
Once the installation is complete, check the status of Fail2Ban to verify it is running:
sudo systemctl status fail2ban
You should see output indicating that the Fail2Ban service is active and running.
Fail2Ban works out of the box, but you can customize its behavior to better suit your security needs.
Fail2Ban configuration files are located in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf, but it is recommended to create a local copy called jail.local for custom settings. This ensures that your configurations won’t be overwritten when Fail2Ban updates.
Create the local configuration file by copying jail.conf to jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the jail.local file in your preferred text editor to modify the default settings:
sudo nano /etc/fail2ban/jail.local
In this file, you’ll see several important settings:
- ignoreip: Specifies IPs or IP ranges that Fail2Ban should never ban (e.g., your home IP or office IP).
ignoreip = 127.0.0.1/8 ::1
Add your own IP address if you want to ensure that it is never banned.
- bantime: Defines how long (in seconds) an IP is banned. The default is 600 seconds (10 minutes).
bantime = 600
You can set it to -1 for a permanent ban, or increase it for longer temporary bans.
- findtime: This is the time window (in seconds) during which Fail2Ban counts the number of failed login attempts.
findtime = 600
- maxretry: Defines the number of failed attempts allowed within the findtime window before banning an IP.
maxretry = 5
Fail2Ban works by configuring "jails" for specific services. These jails monitor the log files of the services and trigger bans based on the defined rules.
Some common services you might want to protect with Fail2Ban are SSH and Apache.
- SSH Jail
The SSH jail is enabled by default. If you want to adjust its configuration, you can find the section [sshd] in the jail.local file:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
Here, the SSH jail monitors /var/log/auth.log for failed login attempts, and it will ban an IP after 5 failed login attempts.
- Apache Jail
If you're running a web server like Apache, you can enable Fail2Ban to protect it from malicious web traffic such as DDoS attacks, scanning attempts, or brute-force login attempts.
To enable the Apache jail, find the following section and uncomment it:
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 3
This configuration will monitor the Apache error log for authentication failures and ban IPs after 3 failed attempts.
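To see how ignoreip, findtime and maxretry work together for the SSH jail, here is an added Python simulation of the same counting logic over a constructed /var/log/auth.log excerpt. It is not fail2ban's own code: the regex is a simplified stand-in for the real sshd filter, the log lines and addresses are made up, and the setting values are the ones shown above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Same values as the jail.local settings above (added example, not fail2ban's own code).
IGNOREIP = ["127.0.0.1/8", "::1"]
BANTIME, FINDTIME, MAXRETRY = 600, 600, 5

# Simplified stand-in for fail2ban's sshd filter: syslog timestamp plus the source address.
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (?P<ip>\S+) port \d+")

# Constructed /var/log/auth.log excerpt (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Oct 12 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 12 10:00:05 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 12 10:00:09 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Oct 12 10:00:13 vps sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
Oct 12 10:00:21 vps sshd[1211]: Failed password for root from 203.0.113.7 port 51062 ssh2
Oct 12 10:00:30 vps sshd[1220]: Failed password for root from 127.0.0.1 port 33001 ssh2
Oct 12 10:00:34 vps sshd[1221]: Failed password for root from 127.0.0.1 port 33002 ssh2
Oct 12 10:00:38 vps sshd[1222]: Failed password for root from 127.0.0.1 port 33003 ssh2
Oct 12 10:00:42 vps sshd[1223]: Failed password for root from 127.0.0.1 port 33004 ssh2
Oct 12 10:00:46 vps sshd[1224]: Failed password for root from 127.0.0.1 port 33005 ssh2
Oct 12 10:10:00 vps sshd[1300]: Failed password for root from 192.0.2.9 port 40200 ssh2
Oct 12 10:14:00 vps sshd[1301]: Failed password for root from 192.0.2.9 port 40201 ssh2
Oct 12 10:18:00 vps sshd[1302]: Failed password for root from 192.0.2.9 port 40202 ssh2
Oct 12 10:22:00 vps sshd[1303]: Failed password for root from 192.0.2.9 port 40203 ssh2
Oct 12 10:26:00 vps sshd[1304]: Failed password for root from 192.0.2.9 port 40204 ssh2
"""

def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def simulate(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    window = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}                    # ip -> (ban time, expiry)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in bans or is_ignored(m["ip"]):
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        q = window[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = (ts, ts + timedelta(seconds=bantime))
    return bans
```

Only 203.0.113.7 is banned: the loopback failures are covered by ignoreip, and 192.0.2.9 never accumulates 5 failures inside a single 600-second findtime window even though it has 5 in total.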
After making changes to your configuration, restart Fail2Ban to apply the new settings:
sudo systemctl restart fail2ban
Fail2Ban provides several utilities for monitoring its status and managing banned IP addresses.
To see a list of banned IPs for a specific jail, use the fail2ban-client command:
sudo fail2ban-client status sshd
This will show the status of the SSH jail, including a list of banned IPs.
If you need to unban a mistakenly banned IP, you can use the following command:
sudo fail2ban-client set sshd unbanip [IP_ADDRESS]
Replace [IP_ADDRESS] with the IP you wish to unban. This will immediately remove the ban for that IP.
Fail2Ban logs all of its activity, which you can review for troubleshooting or monitoring purposes:
sudo tail -f /var/log/fail2ban.log
This log shows which IPs have been banned or unbanned and whether there were any problems applying firewall rules.
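As an added example (not part of the article or of fail2ban itself), this Python script summarises a constructed fail2ban.log excerpt written in fail2ban's default log format: bans per jail, IPs still banned once their Unban lines are accounted for, and ERROR entries that point at firewall-rule problems. The ERROR message text is constructed for illustration, not a verbatim fail2ban message.

```python
import re
from collections import defaultdict

# Constructed /var/log/fail2ban.log excerpt in fail2ban's default log layout (not a real capture).
SAMPLE_FAIL2BAN_LOG = """\
2024-10-12 10:00:21,512 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2024-10-12 10:00:21
2024-10-12 10:00:21,731 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-10-12 10:02:03,104 fail2ban.actions        [812]: NOTICE  [apache-auth] Ban 198.51.100.23
2024-10-12 10:10:21,809 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-10-12 10:11:45,002 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.44
2024-10-12 10:11:45,010 fail2ban.actions        [812]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' (constructed message)
"""

# One fail2ban log line: timestamp, logger name, pid, level, free-form message.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (?P<logger>\S+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+(?P<msg>.*)$")
# The messages we care about: "[jail] Ban <ip>" and "[jail] Unban <ip>".
EVENT_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")

def summarize(log_text):
    """Per jail: total bans, the IPs still banned, and any ERROR lines to investigate."""
    report = {"bans": defaultdict(int), "active": defaultdict(set), "errors": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["level"] == "ERROR":  # e.g. the firewall rule could not be applied
            report["errors"].append(f'{m["time"]} {m["msg"]}')
            continue
        ev = EVENT_RE.match(m["msg"])
        if not ev:  # "Found" lines and other chatter are not ban events
            continue
        if ev["action"] == "Ban":
            report["bans"][ev["jail"]] += 1
            report["active"][ev["jail"]].add(ev["ip"])
        else:
            report["active"][ev["jail"]].discard(ev["ip"])
    return report
```

Run it over the real file with `summarize(open("/var/log/fail2ban.log").read())` to get the same breakdown for your own server.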
Fail2Ban is an essential tool for securing your Ubuntu VPS against brute-force attacks. It monitors log files for failed login attempts and automatically bans IPs that exhibit suspicious behavior. By following this guide, you’ve installed Fail2Ban, configured it to protect critical services like SSH and Apache, and learned how to manage and monitor it effectively. Fail2Ban significantly strengthens your server’s security posture, reducing the risk of unauthorized access and ensuring that only legitimate users can access your services.