How to Install and Configure Fail2ban on Ubuntu 22.04


Fail2ban is a free and open source IPS (Intrusion Prevention Software) that helps administrators secure Linux servers against brute-force and other malicious login attempts. Fail2ban is written in Python and ships with filters for various services such as Apache2, SSH, FTP, etc. Fail2ban reduces malicious login attempts by blocking the source IP addresses of the attacks.

Fail2ban works by scanning the log files of services (e.g. /var/log/auth.log) and banning IP addresses that show signs of malicious activity, such as too many incorrect passwords or probing for exploits. Fail2ban supports several firewall backends, including iptables, ufw, and firewalld. It also lets you set up email notifications for every ban.

In this guide, we will show you how to install and configure Fail2ban to secure an Ubuntu 22.04 server. This tutorial also covers the basic fail2ban-client commands for managing the Fail2ban service and its jails.

Prerequisites

  • Ubuntu Server 22.04
  • A non-root user with sudo privileges.

UFW Firewall Setup

Before you start installing Fail2ban, you will need to set up a Firewall on your Ubuntu server.

The default Ubuntu server installation comes with the UFW firewall, which is easier to manage than working with iptables directly.

Now check the UFW firewall status with the following command.

sudo ufw status

If you get output such as "Status: inactive", UFW is installed but has not been enabled yet. If instead you get a message like "ufw: command not found", UFW is not installed on your server.

To install the UFW firewall package, run the apt command below.

sudo apt install ufw -y

After installing UFW, run the command below to add the SSH service to the UFW firewall.

sudo ufw allow ssh

Next, run the command below to start and enable the UFW firewall.

sudo ufw enable

Enter y to confirm and start the UFW firewall.

Finally, check the UFW firewall again with the following command.

sudo ufw status

Below you can see the UFW firewall with "Status: active" and the rules for the SSH port 22 added.

Installing Fail2ban on Ubuntu 22.04

After you have installed and configured the UFW firewall, you will now install the Fail2ban package to your server.

Run the following command to update and refresh your Ubuntu repositories.

sudo apt update

Now install the Fail2ban package using the command below.

sudo apt install fail2ban -y

The installation process will begin.


After the Fail2ban installation is complete, enable the Fail2ban service and start it using the commands below.

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Finally, check the Fail2ban service status with the following command.

sudo systemctl status fail2ban

In the screenshot below you will see the Fail2ban service running on Ubuntu 22.04 server.

Configure Fail2ban

After you have Fail2ban installed, now it’s time to set up and configure Fail2ban.

All Fail2ban configuration is stored in the /etc/fail2ban directory. These are the files and directories you need to know:

  • The fail2ban.conf file is the main configuration of the Fail2ban daemon itself.
  • The jail.conf file is the default (example) jail configuration.
  • The action.d directory contains Fail2ban action definitions, such as mail and firewall actions.
  • The jail.d directory contains additional jail configuration.

To start configuring Fail2ban, copy the default jail configuration jail.conf to jail.local using the following command. Settings in jail.local override jail.conf, and jail.local is not overwritten on package upgrades.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit the jail.local configuration using the nano editor.

sudo nano /etc/fail2ban/jail.local

First, uncomment the ignoreip option and add your IP addresses. Any IP address listed in ignoreip will never be banned by Fail2ban.

ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 192.168.10.20

For the ban settings, change the configuration as needed. In this example, the global bantime will be 1 day, findtime will be 10 minutes, and maxretry will be 5.

The bantime option is how long an IP address is banned from accessing the server. The findtime option is the window of time within which failures are counted. The maxretry option is the number of failures within findtime after which the IP address is banned.

bantime  = 1d
findtime  = 10m
maxretry = 5

The default action for Fail2ban is just to ban the IP address. But you can also set up mail notifications whenever an IP address is banned.

Change the action option as below and set the sender and destination mail addresses.

action = %(action_mw)s
destemail = [email]
sender = [email]

Next, to integrate with the UFW firewall, change the banaction option to ufw as below.

banaction = ufw

Finally, the jail configuration. This is the section where you add a service and protect it with Fail2ban.

In this example, we enable the jail for the SSH service and also override the global defaults for the sshd jail: bantime will be 1 week, maxretry 3 failures, and findtime 10 minutes.

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 1w

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


Save and close the file when you’re done.

Now run the following command to restart the Fail2ban service and apply the new changes to the jail.local configuration.

sudo systemctl restart fail2ban

You have now completed the Fail2ban configuration with email notifications enabled and the sshd jail enabled to secure the SSH service.

Use Fail2ban-client to verify Fail2ban status

Fail2ban provides the fail2ban-client command line tool to interact with the Fail2ban server. It lets you manage and configure Fail2ban from the command line, including managing its jails.

To verify that the Fail2ban server is running and responding, run the fail2ban-client command below.

sudo fail2ban-client ping

If you get the output "Server replied: pong", Fail2ban is running without errors.

Next, run the fail2ban-client command below to check the status of the sshd jail.

sudo fail2ban-client status sshd

Below you can see the detailed status of the sshd jail. This includes the log file for the SSH service and the list of IP addresses banned on the sshd jail.

Now, if you want the detailed configuration of the sshd jail, use the fail2ban-client get command as shown below.

Check the bantime configuration for the sshd jail. The output is the bantime in seconds.

sudo fail2ban-client get sshd bantime

Check the maxretry configuration for the sshd jail. You will see maxretry is 3 here because it is overridden from the global configuration, which is 5.

sudo fail2ban-client get sshd maxretry

For the banaction of the sshd jail, use the following command. The output will show ufw as the action for the sshd jail.

sudo fail2ban-client get sshd actions

For findtime, you will also see the sshd override. The output is again in seconds.

sudo fail2ban-client get sshd findtime

Finally, you can check the ignoreip setting of the sshd jail with the command below. You will see that ignoreip has the same value as the global Fail2ban configuration.

sudo fail2ban-client get sshd ignoreip
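The fail2ban-client get commands above return the effective value for the jail: the value from the [sshd] section if it is overridden there, otherwise the value from [DEFAULT], with bantime and findtime converted to seconds. The script below is an added example (not part of this guide or the Fail2ban project) that reproduces that lookup offline: jail_get resolves a key from a jail.local-style file with the same override rule, f2b_seconds converts Fail2ban time strings such as 1w or 10m to seconds, and verify_live compares the two against a running server. The sample jail.local it writes is constructed from the settings used in this guide; the function names are my own.

```shell
#!/bin/sh
# Added example: resolve effective jail settings from a jail.local file the way
# `fail2ban-client get JAIL KEY` reports them, and compare with a live server.

make_sample_jail_local() {
  # Writes a constructed jail.local mirroring this guide's settings to a temp
  # file and prints its path (sample data, not a real server's file).
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
[DEFAULT]
# constructed sample: global settings from the guide
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 192.168.10.20
bantime  = 1d
findtime  = 10m
maxretry = 5
action = %(action_mw)s
banaction = ufw

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 1w
port    = ssh
EOF
  printf '%s\n' "$f"
}

jail_get() {
  # usage: jail_get FILE JAIL KEY
  # Prints the value of KEY for JAIL: the [JAIL] section wins, else [DEFAULT].
  awk -v jail="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }                       # skip comments
    /^[[:space:]]*\[/ {                                # section header
      sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    index($0, "=") == 0 { next }                       # not a key = value line
    {
      k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
      if (k != key) next
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      if (sec == jail) { found = v; exit }             # jail override wins
      if (sec == "DEFAULT") def = v
    }
    END { if (found != "") print found; else if (def != "") print def; else exit 1 }
  ' "$1"
}

f2b_seconds() {
  # Converts a Fail2ban time string (600, 10m, 1d, 1w, "1d 12h") to seconds.
  s=$(printf '%s' "$1" | tr -d ' '); total=0
  while [ -n "$s" ]; do
    n="${s%%[!0-9]*}"; s="${s#"$n"}"      # leading digits
    u="${s%%[0-9]*}";  s="${s#"$u"}"      # unit letters that follow
    [ -n "$n" ] || return 1
    case "$u" in
      ''|s|sec|second|seconds) total=$((total + n)) ;;
      m|min|minute|minutes)    total=$((total + n * 60)) ;;
      h|hour|hours)            total=$((total + n * 3600)) ;;
      d|day|days)              total=$((total + n * 86400)) ;;
      w|week|weeks)            total=$((total + n * 604800)) ;;
      *) return 1 ;;
    esac
  done
  printf '%s\n' "$total"
}

verify_live() {
  # usage: verify_live FILE JAIL KEY  (needs a running Fail2ban and sudo)
  # Compares the value resolved from FILE with what the server reports.
  want=$(jail_get "$1" "$2" "$3") || return 2
  case "$3" in bantime|findtime) want=$(f2b_seconds "$want") ;; esac
  got=$(sudo fail2ban-client get "$2" "$3" | tr -d '[:space:]') || return 2
  if [ "$want" = "$got" ]; then
    echo "$2 $3 = $got (matches jail.local)"
  else
    echo "$2 $3: server reports $got, jail.local resolves to $want"; return 1
  fi
}

demo() {
  f=$(make_sample_jail_local)
  for key in maxretry findtime bantime ignoreip banaction; do
    val=$(jail_get "$f" sshd "$key")
    case "$key" in bantime|findtime) val="$val ($(f2b_seconds "$val") seconds)" ;; esac
    echo "sshd $key = $val"
  done
  rm -f "$f"
}
demo
```

Run verify_live /etc/fail2ban/jail.local sshd bantime on the server to confirm the running daemon picked up your jail.local; a mismatch usually means the service was not restarted after editing, or a file in jail.d overrides the setting.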

Ban and Unban IPs with fail2ban-client

Another important task is banning and unbanning IP addresses manually. For this, you also use the fail2ban-client command.

To manually ban an IP address in the sshd jail, use the fail2ban-client command below. Replace IP-ADDRESS with the IP address you want to ban.

sudo fail2ban-client set sshd banip IP-ADDRESS

To unban an IP address from the sshd jail, use the fail2ban-client command below. Replace IP-ADDRESS with the IP address you want to unban.

sudo fail2ban-client set sshd unbanip IP-ADDRESS

After you manually ban or unban an IP address, verify the result with the fail2ban-client command below.

sudo fail2ban-client status sshd

If you banned an IP address, make sure it appears in the list of banned IP addresses. If you unbanned one, make sure it has disappeared from that list.
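The check described above, as an added example that is not part of this guide or the Fail2ban project: banned_ips extracts the "Banned IP list" from the output of fail2ban-client status JAIL, is_banned tests one address against it, and expect_ban_state wraps the ban/unban command with that check so the result is verified rather than assumed. The sample status text is constructed to follow the layout of the real command's output, using documentation IP ranges; the function names are my own.

```shell
#!/bin/sh
# Added example: verify the result of a manual ban/unban from the jail status.

# Constructed sample of `fail2ban-client status sshd` output (not a real server).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     7
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.7 198.51.100.23'

banned_ips() {
  # stdin: output of `fail2ban-client status JAIL`; stdout: one banned IP per line
  sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr ' \t' '\n\n' | sed '/^$/d'
}

is_banned() {
  # usage: is_banned STATUS_TEXT IP ; exit 0 if IP is in the banned list
  printf '%s\n' "$1" | banned_ips | grep -qxF "$2"
}

banned_count() {
  # usage: banned_count STATUS_TEXT ; prints the number of banned IPs
  printf '%s\n' "$1" | banned_ips | wc -l | tr -d ' '
}

expect_ban_state() {
  # usage: expect_ban_state JAIL IP banned|unbanned
  # Runs the matching `fail2ban-client set` command and then confirms the
  # jail status reflects it. Needs a running Fail2ban and sudo.
  jail="$1"; ip="$2"; state="$3"
  case "$state" in
    banned)   sudo fail2ban-client set "$jail" banip "$ip" >/dev/null ;;
    unbanned) sudo fail2ban-client set "$jail" unbanip "$ip" >/dev/null ;;
    *) echo "state must be banned or unbanned" >&2; return 2 ;;
  esac
  status=$(sudo fail2ban-client status "$jail") || return 2
  if is_banned "$status" "$ip"; then now=banned; else now=unbanned; fi
  if [ "$now" = "$state" ]; then
    echo "$ip is $now in jail $jail (as expected)"
  else
    echo "$ip is $now in jail $jail, expected $state" >&2; return 1
  fi
}

# Offline demonstration against the constructed sample.
echo "Banned IPs in sample: $(banned_count "$SAMPLE_STATUS")"
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
if is_banned "$SAMPLE_STATUS" 203.0.113.7; then echo "203.0.113.7: banned"; fi
if ! is_banned "$SAMPLE_STATUS" 192.0.2.1; then echo "192.0.2.1: not banned"; fi
```

On a live server, expect_ban_state sshd IP-ADDRESS unbanned is the safe way to script the unban step: it fails loudly if the address is still listed, which is what you want before assuming an operator has regained access.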

Conclusion

Congratulations! You have now installed and configured Fail2ban to secure Ubuntu 22.04. You also learned how to enable the UFW firewall and how to integrate Fail2ban with it. Finally, you learned how to manage Fail2ban with the fail2ban-client command, including how to ban and unban IP addresses.

Hope this helps!
