How to Install Fail2ban on Ubuntu 20.04 with Configuration

Today, we will look at how to install Fail2ban on Ubuntu 20.04 LTS Focal to protect your servers from brute-force attempts, bad bots and other automated abuse. For those not familiar with it, Fail2ban is an intrusion prevention framework that reads the access and error logs of services such as SSH and your web server, matches them against filters (regular expressions), and once an address has produced too many matches bans it, normally by adding a firewall rule for a set period. Out of the box it covers brute-force logins, bad user agents, URL scanners and much more. Fail2ban is written in Python.

This guide gives a rundown on installing Fail2ban on Ubuntu 20.04, some basic setup and a few tips. It applies to Ubuntu 21.04 as well.


Install Fail2ban

Fail2ban is in the Ubuntu repositories, and you need sudo privileges to install it. First refresh the package index and apply any pending updates:

sudo apt update && sudo apt upgrade -y

Next, install Fail2ban by executing the following command:

sudo apt install fail2ban

Type “Y” when apt asks for confirmation.

Once the installation has finished, check the service status. The Ubuntu package enables and starts Fail2ban automatically; confirm that with the following command.

sudo systemctl status fail2ban

The output should show Active: active (running) in green. If for some reason it is not running, or not enabled to start at boot, use the following commands.

sudo systemctl start fail2ban && sudo systemctl enable fail2ban

To stop and disable Fail2ban in the future, this can be done by typing the following command:

sudo systemctl stop fail2ban && sudo systemctl disable fail2ban

Set Up Fail2ban Configuration Files

With the installation complete, we can do some basic configuration. The defaults live in /etc/fail2ban/jail.conf, and the Ubuntu package adds /etc/fail2ban/jail.d/defaults-debian.conf, whose only job is to enable the sshd jail. Do not edit either file: they belong to the package and will be overwritten the next time Fail2ban is upgraded.

So how do you change settings without losing them on upgrade? Fail2ban reads the .conf files first and then any matching .local file, and every value in a .local file overrides the one from the .conf (the load order is jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, with later files winning). A jail.local therefore only needs to contain the settings you actually change, but copying the whole of jail.conf, as below, gives you all the comments and jail definitions to work from in one place.

To do this, use the following commands.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Configure Fail2ban

Now open jail.local and adjust the settings, here with the nano editor (any editor will do).

sudo nano /etc/fail2ban/jail.local

Ban Time Increment

The first settings you come across are the ban time increments. With bantime.increment = true, Fail2ban remembers previous bans in its sqlite database and lengthens the ban every time the same address comes back, so a short default ban (say 1 hour) does not leave you constantly re-banning the same IP: an attacker who returns five times is locked out for far longer the fifth time than the first.

How much longer is set by either bantime.factor or bantime.multipliers. With the default formula and a factor of 1 the ban grows as 1, 2, 4, 8, 16 ... times bantime; with multipliers you list the schedule yourself (for example bantime.multipliers = 1 2 4 8 16 32 64), and once an address has been banned more times than there are entries the last multiplier is used for every further ban. We prefer multipliers, since you can shape the escalation to your liking. Two related options are worth setting alongside: bantime.maxtime caps the longest ban, and bantime.rndtime adds a random amount so a bot cannot calculate exactly when its ban lifts.
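To make the math concrete, here is an added worked example (not code from the article or from the Fail2ban project) that reproduces the escalation with the formula documented in jail.conf, ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor, where ban.Count is the number of bans of that address already recorded in Fail2ban's database, and with an explicit multipliers list. The function names, the small duration parser and the sample values are the example's own; the real daemon additionally mixes in bantime.rndtime jitter, which is left out here.

```python
# Added example: models the ban-time escalation fail2ban applies when
# bantime.increment = true. It is not code from the article or from fail2ban;
# it follows the formula documented in jail.conf:
#   ban.Time * (1 << (ban.Count if ban.Count < 20 else 20)) * banFactor
# with ban.Count = previous bans of the address in fail2ban's sqlite database,
# or the bantime.multipliers schedule when one is configured. Function names,
# the duration parser and the sample values are this example's own.


def parse_duration(value):
    """Parse the short forms jail.local accepts for bantime/findtime
    ('600', '10m', '48h', '1d', '1w'). Deliberately smaller than fail2ban's
    own parser, which also takes long forms and combinations like '1d12h'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = value.strip()
    if value.isdigit():
        return int(value)
    return int(value[:-1]) * units[value[-1]]


def next_bantime(base, prev_bans, factor=1, multipliers=None, maxtime=None):
    """Length in seconds of the ban for an address banned prev_bans times before.

    base        -- the jail's bantime in seconds
    prev_bans   -- ban.Count: bans of this address already in the database
    factor      -- bantime.factor (default 1)
    multipliers -- bantime.multipliers as a list of ints, or None to use the formula
    maxtime     -- bantime.maxtime cap in seconds, or None for no cap
    """
    if multipliers:
        # past the end of the list the last multiplier applies to every further ban
        mult = multipliers[min(prev_bans, len(multipliers) - 1)]
    else:
        # default formula: doubling, with the exponent clamped at 20
        mult = 1 << min(prev_bans, 20)
    bantime = int(base * mult * factor)
    if maxtime is not None:
        bantime = min(bantime, maxtime)
    return bantime


def schedule(base, bans, **options):
    """Ban lengths for the 1st, 2nd, ..., nth ban of one address."""
    return [next_bantime(base, n, **options) for n in range(bans)]


if __name__ == "__main__":
    # jail.conf defaults (bantime = 10m, factor 1): 10m, 20m, 40m, 80m, ...
    print(schedule(parse_duration("10m"), 6))
    # bantime.multipliers = 1 2 4 8 16 32 64 on a 1h bantime, capped by bantime.maxtime = 1w
    print(schedule(parse_duration("1h"), 9,
                   multipliers=[1, 2, 4, 8, 16, 32, 64],
                   maxtime=parse_duration("1w")))
    # the aggressive schedule from the jail.conf comments, for a 60 s bantime
    print(schedule(60, 10, multipliers=[1, 5, 30, 60, 300, 720, 1440, 2880]))
```

Run it with python3 and compare the three lists against the bantime.multipliers comment block in jail.conf. The clamp at 20 doublings and the maxtime cap are what keep a scanner that returns for months from accumulating a ban measured in years, which is also why you want a maxtime when using a large multiplier list.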

Whitelist IPs in Fail2ban

Next in the list come the whitelisting options. Uncomment ignoreip and list every address that must never be banned, starting with your own management IP or VPN range, so that a mistyped password of your own cannot lock you out of SSH.

ignoreip = 127.0.0.1/8 ::1 203.0.113.10
# 203.0.113.10 is a placeholder from the documentation address range: use your own address here

Separate the entries with spaces (commas also work). CIDR ranges such as 203.0.113.0/24 and DNS hostnames are accepted as well.

Default Ban Time Set-Up

The defaults are bantime = 10m, findtime = 10m and maxretry = 5. In plain terms: if the same address produces 5 matches (retries) for a jail's filter within a 10 minute window (findtime), it is banned for 10 minutes (bantime). Set the defaults that suit you here; they apply to every jail that does not override them.

However, when you reach the individual jails, it is worth giving them their own values. A bot probing for vulnerable scripts deserves a long ban on the first hit, while a login service where real users mistype passwords should allow more retries before a shorter ban.
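As an added illustration (not code from the article or from Fail2ban itself), the following Python models how a jail turns findtime, maxretry and bantime into bans: each failure the filter matches carries the source address and the log timestamp, and an address is banned once maxretry failures fall inside a findtime window. The failure list is constructed for the example and the names are its own; the real daemon reads these events from the log file and hands the ban to the firewall action.

```python
# Added example: a minimal model of fail2ban's findtime / maxretry / bantime
# logic. Not code from the article or from fail2ban; the failure events below
# are constructed for the example and all names are the example's own.
from collections import defaultdict


def simulate_jail(failures, findtime, maxretry, bantime):
    """failures: (ip, epoch_seconds) tuples in log order, one per filter match.
    Returns the bans issued as (ip, ban_start, ban_end) tuples."""
    recent = defaultdict(list)   # ip -> timestamps of matches still inside findtime
    banned_until = {}            # ip -> second at which its current ban expires
    bans = []
    for ip, ts in failures:
        if banned_until.get(ip, 0) > ts:
            continue             # ban still active: the firewall is dropping this host
        # keep only the matches inside the findtime window ending at this match
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            bans.append((ip, ts, ts + bantime))
            banned_until[ip] = ts + bantime
            window = []          # counting starts over after the ban
        recent[ip] = window
    return bans


T = 1_600_000_000  # constructed base timestamp
SAMPLE = [
    ("203.0.113.7", T + 0),
    ("203.0.113.7", T + 5),
    ("198.51.100.4", T + 10),
    ("203.0.113.7", T + 12),
    ("203.0.113.7", T + 20),
    ("203.0.113.7", T + 30),    # 5th match within 30 s
    ("203.0.113.7", T + 35),    # arrives while banned
    ("203.0.113.7", T + 650),   # after a 10 m ban has expired
    ("198.51.100.4", T + 700),  # one failure every 11 to 12 minutes
    ("198.51.100.4", T + 1400),
    ("198.51.100.4", T + 2100),
    ("198.51.100.4", T + 2800),
]

if __name__ == "__main__":
    # jail.conf defaults: only the fast attacker is caught; the slow one never
    # has 5 failures inside any 10 minute window
    print(simulate_jail(SAMPLE, findtime=600, maxretry=5, bantime=600))
    # a longer findtime catches the slow attacker as well
    print(simulate_jail(SAMPLE, findtime=3600, maxretry=5, bantime=600))
    # a lower maxretry bans the fast attacker sooner
    print(simulate_jail(SAMPLE, findtime=600, maxretry=3, bantime=600))
```

The slow attacker is the case to notice: findtime is a sliding window, so spacing attempts just over findtime apart keeps the count at 1 forever. That is why a longer findtime or a lower maxretry is worth it for services that should never see repeated failures from one address.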

E-Mail set up with Fail2ban

Fail2ban can e-mail you when it bans. In jail.conf the default is action = %(action_)s, which only bans; change it to action = %(action_mw)s to ban the offending IP and send you an e-mail with a whois report on it to review (action_mwl also attaches the matching log lines). The action.d folder holds further mail actions, including ones that report to blacklist providers or to the attacker's ISP rather than only to you.

For any of the mail actions to work the server needs a working sendmail (install and configure an MTA such as postfix) and, for the whois variants, the whois package; otherwise the ban still happens but the mail step fails and Fail2ban logs an error.

The setup example below:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = admin@example.com

# Sender e-mail address used solely for some actions
sender = fail2ban@example.com

# Ban and send an e-mail with whois report to the destemail.
action = %(action_mw)s

Fail2ban Jails

Next, we come to the jails. jail.conf ships with pre-defined jails, each pairing a filter with an action, created by the community for many popular server applications (sshd, apache, nginx, postfix, dovecot and so on). You can write custom jails or find extra ones on various gists and community websites; here we stick with the jails in the Fail2ban package.

Every jail except sshd (which defaults-debian.conf switches on) starts disabled. A jail only does anything once you add enabled = true to its section, and the log file it watches must exist, otherwise Fail2ban refuses to start the jail.

So for an Apache 2 HTTP server, to filter and ban bad bots all you need to do is add enabled = true, as in the example below.

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Notice that maxretry is 1 and bantime is 48h: a single bad-bot match is enough to ban, and these per-jail values override the defaults set earlier. With ban time increments enabled, the 48 hours also grows on every repeat offence. If a jail you enable has no bantime or maxretry of its own, it uses the defaults, and you can give it its own values in the same way. Take apache-noscript, which as shipped looks like this:

[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s

Add the two lines so that it reads:

[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
bantime = 1d
maxretry = 3

If you want a jail to run different actions from the default action set in the [DEFAULT] section of jail.local, look in the action.d directory: each file there is an action you can reference by its file name without the .conf extension. Read the comments at the top of the action file for any parameters it needs (put your values in a matching .local file or pass them in square brackets after the name); do not rename the shipped .conf files. Then list the actions in the jail, one per line and indented, under action:

[apache-botsearch]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
action   = %(action_mw)s
           cloudflare
bantime  = 72h
maxretry = 1

The first line keeps %(action_mw)s, so the jail bans with the default firewall action and e-mails us a whois report; the second adds the cloudflare action, which also blocks the address at Cloudflare's edge if your site sits behind it. Note that banaction is not the place for this: banaction names the single firewall action that %(action_)s and friends expand to (iptables-multiport by default), whereas action is the full list of actions the jail runs. Cloudflare needs setting up before use: the cloudflare action requires your account e-mail and API key (cfuser and cftoken in its [Init] section), so read action.d/cloudflare.conf first.

Once you are happy with your setup, restart Fail2ban to load the new jails. It pays to run sudo fail2ban-client -t first: it parses the configuration and reports syntax errors or missing log files without touching the running service, so a typo does not leave you with no protection at all.

sudo systemctl restart fail2ban

Using Fail2ban-client

Now that Fail2ban is up and running, you need a few basic commands to operate it. These go through fail2ban-client, which talks to the running server over its socket; on a default install you need sudo (or root) to reach that socket. fail2ban-client status lists the active jails, and fail2ban-client status <jail> shows how many matches a jail has seen and which addresses it currently has banned, which is the first thing to check after enabling one.

Ban an IP address:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

To bring up the help menu if you need to find additional commands or get help on a particular one:

sudo fail2ban-client -h 

Monitoring Fail2ban Logs

A common mistake is to set up jails and walk away without testing or watching what they do. Reviewing the log is essential: Fail2ban writes to /var/log/fail2ban.log by default, one line per filter match (Found), ban (Ban) and unban (Unban), each tagged with the jail name.

If your server receives a decent amount of traffic, a good way to watch it live, and to see immediately whether a new jail is banning the wrong people while you work on other servers, is the tail -f command as below.

sudo tail -f /var/log/fail2ban.log

This is handy for spot checks without having to dig through the whole log. If you see your own address or a legitimate user being found or banned, add them to ignoreip and unban them with fail2ban-client.
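As an added example (not code from the article or from the Fail2ban project), here is a small Python summariser for fail2ban.log in the line format fail2ban 0.11 writes on Ubuntu 20.04: it counts Found, Ban, Unban and Ignore events per jail and lists the addresses banned most often, which is the view you want after enabling a new jail. The sample lines are constructed for the example and the names are its own; point it at the real file to use it.

```python
# Added example: summarise /var/log/fail2ban.log. Not code from the article or
# from fail2ban; the LOG_LINES are constructed for the example and the names
# are the example's own. Line format (fail2ban 0.11):
#   <date> <time>,<ms> fail2ban.<module>  [<pid>]: <LEVEL>  [<jail>] <event> <ip> ...
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<module>\S+)\s+\[\d+\]: (?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban|Restore Ban|Ignore) (?P<ip>\S+)"
)

# constructed sample, not copied from a real server
LOG_LINES = """\
2021-06-01 10:15:19,214 fail2ban.filter         [921]: INFO    [sshd] Found 203.0.113.7 - 2021-06-01 10:15:19
2021-06-01 10:15:20,002 fail2ban.filter         [921]: INFO    [sshd] Found 203.0.113.7 - 2021-06-01 10:15:19
2021-06-01 10:15:21,310 fail2ban.filter         [921]: INFO    [sshd] Found 203.0.113.7 - 2021-06-01 10:15:21
2021-06-01 10:15:22,551 fail2ban.filter         [921]: INFO    [sshd] Found 203.0.113.7 - 2021-06-01 10:15:22
2021-06-01 10:15:23,004 fail2ban.filter         [921]: INFO    [sshd] Found 203.0.113.7 - 2021-06-01 10:15:22
2021-06-01 10:15:23,456 fail2ban.actions        [921]: NOTICE  [sshd] Ban 203.0.113.7
2021-06-01 10:16:02,120 fail2ban.filter         [921]: INFO    [apache-badbots] Found 198.51.100.4 - 2021-06-01 10:16:01
2021-06-01 10:16:02,300 fail2ban.actions        [921]: NOTICE  [apache-badbots] Ban 198.51.100.4
2021-06-01 10:25:23,470 fail2ban.actions        [921]: NOTICE  [sshd] Unban 203.0.113.7
2021-06-01 10:30:00,001 fail2ban.filter         [921]: INFO    [sshd] Ignore 192.0.2.10 by ip
2021-06-01 10:31:00,001 fail2ban.actions        [921]: NOTICE  [sshd] Ban 203.0.113.7
2021-06-01 10:32:00,000 fail2ban.server         [921]: INFO    Jail 'sshd' started
""".splitlines()


def summarize(lines):
    """Return (events per jail, bans per IP, number of lines that are not events)."""
    per_jail = defaultdict(Counter)
    banned = Counter()
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1       # startup messages, errors and the like
            continue
        per_jail[m["jail"]][m["event"]] += 1
        if m["event"] == "Ban":
            banned[m["ip"]] += 1
    return per_jail, banned, unparsed


def report(lines):
    """Human-readable summary: one line per jail plus the most-banned addresses."""
    per_jail, banned, unparsed = summarize(lines)
    out = []
    for jail in sorted(per_jail):
        c = per_jail[jail]
        out.append(f"{jail:16} found={c['Found']:3} ban={c['Ban']:3} "
                   f"unban={c['Unban']:3} ignored={c['Ignore']:3}")
    for ip, n in banned.most_common(5):
        out.append(f"  {ip:16} banned {n}x")
    out.append(f"({unparsed} non-event lines skipped)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(LOG_LINES))
```

Run it with python3; for the live file use summarize(open('/var/log/fail2ban.log')) under sudo. A jail with many Found lines and no Ban has a maxretry or findtime that is too lenient; an address banned again and again is exactly what bantime.increment is for; and if your own address turns up in the Found lines, fix ignoreip before it turns up in a Ban line.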

Comments and Conclusion

This guide has shown you the basics of installing Fail2ban on Ubuntu 20.04 and setting up some jails with the filters that ship with it. Fail2ban is a potent tool and can be set up in many more ways than shown here; this is just enough to find your way around it to begin with. Fail2ban is actively developed and a solid choice to deploy on your server at a time when automated attacks are so frequent.
