How to install and configure Fail2ban for Ubuntu
Introduction
Fail2ban is a tool that monitors login activity on your server and helps protect your Linux machine from brute-force and other automated attacks. By default, it will block IP addresses for 10 minutes before removing them and it has filters to monitor Apache, SSH, and other programs for suspicious activity.
This guide will describe the installation and basic configuration in Ubuntu systems.
- Run the below command to ensure that the server is up to date.
# apt update && apt upgrade
- To install fail2ban, run the below command.
# apt-get install fail2ban
- Once the installation is completed, verify and check the status from the below command.
# systemctl status fail2ban
- The default configuration file is
/etc/fail2ban/jail.conf
and the easiest way to configure Fail2ban is to copy thejail.conf
tojail.local
and modify the.local
file. So make a copy with the below command to avoid possible conflict.# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Once the copy was taken, then start to edit the file by using the below command.
# vi /etc/fail2ban/jail.local
- ignoreip can be a list of IP addresses, CIDR masks, or DNS hosts. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using a space (and/or comma) separator.
The values of the bantime, findtime, and maxretry options shown in the below image are defined the ban time and ban conditions. - bantime is the number of seconds that a host is banned.
- findtime A host is banned if it has generated “maxretry” during the last “findtime”.
- maxretry is the number of failures before a host gets banned.
From thedestemail and sender
options, you can adjust the sending and receiving email addresses.
- Once you have made any changes in the configuration file, then restart the Fail2ban service with the below command.
# service fail2ban restart