How to Install Fail2Ban on Ubuntu 24.04, 22.04 or 20.04

This guide demonstrates how to install Fail2ban on Ubuntu 24.04, 22.04, or 20.04 LTS from the command line using the APT package manager.

Fail2ban is an intrusion-prevention tool that protects servers from brute-force attacks and similar intrusion attempts. At its core, Fail2ban monitors server logs for patterns of malicious behavior and dynamically adjusts firewall rules to block offending IP addresses, significantly improving the security posture of Linux systems.

Key features and highlights of Fail2ban include:

  • Real-time Monitoring: Actively scans log files for suspicious activities, identifying and addressing threats promptly.
  • Flexible Ban Policies: Allows customization of ban duration and conditions to suit specific security requirements.
  • Multi-service Support: It protects a wide range of services, including SSH, FTP, SMTP, and more, making it adaptable to various server setups.
  • Notification System: Sends alerts and reports of malicious activities and ban actions to administrators, keeping them informed.
  • Whitelist Functionality: Enables exclusion of trusted IP addresses from being banned, ensuring legitimate users are not affected.
  • Configurable Action Scripts: Offers the ability to execute custom scripts for enhanced response capabilities upon detection of potential threats.
  • Highly Customizable: Supports extensive configuration options to fine-tune protection levels and operational behavior.
  • Community-driven Updates: Benefits from an active community that contributes to its ruleset, ensuring up-to-date protection against emerging threats.

Installation and configuration on Ubuntu are straightforward, because Fail2ban is included in the default repositories.

Update Ubuntu Before Fail2ban Installation on Ubuntu

Before starting the installation process, you must update your system to ensure a smooth installation and avoid potential conflicts. To do this, run the following command in your terminal:

sudo apt update && sudo apt upgrade

Install Fail2ban on Ubuntu via APT

Fail2Ban is available in Ubuntu’s default repository, making the installation process simple and straightforward. Execute the following command to begin the installation:

sudo apt install fail2ban

Enable and Activate Fail2ban on Ubuntu

By default, Fail2Ban is not enabled or activated after installation. To start the service and enable it to run on system boot, use the following command:

sudo systemctl enable fail2ban --now

Verify Fail2Ban Service Status on Ubuntu

Once you have installed Fail2Ban and enabled the service in the previous step, check that it is running and enabled. Run the following command to verify the status:

systemctl status fail2ban

Fail2ban Backup Settings on Ubuntu

After installing Fail2Ban, setting up and configuring it to suit your server environment is important. Fail2Ban comes with two default configuration files located at /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

To preserve your custom settings, create copies of the configuration files with the .local extension. Fail2Ban reads the .conf files first and then applies any matching .local files on top, so settings in .local take precedence. Package updates only replace the .conf files, so your .local settings survive upgrades, and the untouched .conf remains available as a reference to revert to in case of misconfiguration.

Execute the following command to create a copy of the jail.conf file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The original jail.conf stays untouched, and you can safely customize Fail2Ban by editing jail.local without losing your modifications during future updates.

Configure Fail2ban on Ubuntu

After creating a backup of the original configuration file, it’s time to adjust the settings in jail.local to meet your server’s specific security requirements.

Edit Fail2ban Configuration File

To edit the jail.local file using the nano editor, run the following command:

sudo nano /etc/fail2ban/jail.local

Ban Time Increments with Fail2ban

Enable the ban time increment setting so that the ban duration grows for repeat offenders. For example, with a default ban time of one hour, you can have a host that has been banned five times locked out for five hours. The growth is controlled by a multiplier (bantime.factor) applied by the formula shown below.

Example:

## Ban Time Multipliers (place these in the [DEFAULT] section of jail.local)
bantime.increment = true
bantime.factor = 2
# The default formula, left commented here for reference:
# bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor

Whitelist IPs in Fail2ban

To whitelist specific IP addresses, uncomment the ignoreip line and add the desired IP addresses, separated by spaces or commas. IP ranges can also be whitelisted.

Example:

ignoreip = 127.0.0.1/8 ::1 180.53.31.33

Here 180.53.31.33 stands for an example address; replace it with the IP addresses or ranges you want to exempt, such as your own administration host.
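Before restarting with a new ignoreip value, it is worth confirming that the address you administer from is actually covered, so the sshd jail cannot lock you out. The following is an added example (not part of the guide or of Fail2ban): a small POSIX shell checker for the IPv4 entries of an ignoreip value; the probe addresses 127.0.0.5 and 203.0.113.9 are constructed, and IPv6 entries such as ::1 are skipped.

```shell
#!/bin/sh
# Added example (not from the guide): check whether an IPv4 address is
# covered by a jail.local ignoreip value before you rely on it. Only the
# IPv4 entries are evaluated; IPv6 entries such as ::1 are skipped.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if address $1 lies inside $2, given as CIDR or a bare address.
ip4_in_cidr() {
    net=${2%/*}
    case $2 in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Return 0 if $1 matches any IPv4 entry of the ignoreip value in $2
# (entries may be separated by spaces or commas, as in jail.local).
ip_in_ignoreip() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in *:*) continue ;; esac   # skip IPv6 entries
        if ip4_in_cidr "$1" "$entry"; then return 0; fi
    done
    return 1
}

# The value from the guide's example; 180.53.31.33 stands for the admin host.
IGNOREIP="127.0.0.1/8 ::1 180.53.31.33"

# Probe a few addresses: the loopback range and the admin host should be
# exempt, while an unrelated address (203.0.113.9, documentation range) is not.
for probe in 127.0.0.5 180.53.31.33 203.0.113.9; do
    if ip_in_ignoreip "$probe" "$IGNOREIP"; then
        echo "$probe: exempt from banning"
    else
        echo "$probe: can be banned"
    fi
done
```

On a live host you can pass the first word of $SSH_CLIENT as the probe address to check the session you are connected from.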

Default Ban Time Setup

By default, Fail2Ban bans an attacker for 10 minutes after five failed attempts within a 10-minute window. You can adjust these defaults globally in the [DEFAULT] section, but it's recommended to set custom ban times and retry limits per jail.

Example:

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" failures during the last "findtime".
findtime  = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

E-Mail Alerts/Notifications with Fail2ban

Configure Fail2Ban to send email notifications with whois reports to a specified email address. You can also set up different reporting options, such as sending emails to blacklist providers or the attacker's ISP. Note that these addresses are only used by jails whose action includes a mail action such as action_mw or action_mwl (the default action_ only bans), and a working local mail transfer agent is required for delivery.

Example:

destemail = admin@example.com
sender = fail2ban@example.com

Fail2ban Jails

Jails contain pre-defined filters and actions for various server applications. You can enable, disable, or customize jails based on your server’s needs.

To enable a jail, add enabled = true in the corresponding jail section.

Example:

[apache-badbots]
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

You can also define custom Fail2ban jails, or combine actions from the action.d directory in a jail's action setting.

Example:

[apache-botsearch]
enabled   = true
port      = http,https
logpath   = %(apache_error_log)s
# action_mw bans via the default banaction and e-mails a whois report;
# the cloudflare action from action.d additionally blocks the address at
# Cloudflare (the cfuser/cftoken values are placeholders for your own credentials).
action    = %(action_mw)s
            cloudflare[cfuser="<cloudflare-account-email>", cftoken="<cloudflare-api-key>"]
bantime   = 72h
maxretry  = 1

Once you’ve finished configuring Fail2Ban, check the configuration for errors with sudo fail2ban-client -t, then restart the service to apply your changes:

sudo systemctl restart fail2ban

Ban or Unban via Fail2Ban Commands on Ubuntu

Once Fail2Ban is configured, the commands you will use most often are the ban and unban commands. You can manage IP bans with the fail2ban-client command; depending on your setup, sudo privileges may be required.

Ban an IP address via Fail2ban CLI Command

To ban an IP address manually for a specific jail (e.g., apache-botsearch), use the following command:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address via Fail2ban CLI Command

To unban an IP address for a specific jail (e.g., apache-botsearch), use the following command:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

Accessing the Help Menu

To access the help menu and view additional settings or commands, use the following command:

sudo fail2ban-client -h

Additional Fail2ban Command Examples

Check the status of a specific jail:

sudo fail2ban-client status apache-botsearch

Reload the configuration without restarting the Fail2Ban service:

sudo fail2ban-client reload

Check the list of currently banned IP addresses for a specific jail:

sudo fail2ban-client get apache-botsearch banned

Change the ban time of a specific jail at runtime (applies to bans issued from then on):

sudo fail2ban-client set apache-botsearch bantime <time_in_seconds>

These commands provide the tools to manage IP bans using Fail2Ban effectively. Remember to replace <ip address> with the actual IP address you want to ban or unban, and replace apache-botsearch with the appropriate jail name based on your configuration.

Check or Monitor Fail2Ban Logs on Ubuntu

It’s crucial to monitor and review Fail2Ban logs to ensure your jails are functioning correctly. By default, Fail2Ban logs can be found at /var/log/fail2ban.log.

Monitor Logs in Real-Time For Fail2ban

To watch the logs live and spot any issues while working on your server, use the tail -f command:

tail -f /var/log/fail2ban.log

This command allows you to monitor log changes in real-time.

Search Logs for Specific Fail2ban Information

You can also use the grep command to search for specific information within the logs, such as IP addresses, user agents, or errors.

User-Agent Example:

grep "Bing" /var/log/fail2ban.log

Error Example:

grep "error" /var/log/fail2ban.log

IP address Example:

grep "123.123.123.1" /var/log/fail2ban.log

These examples demonstrate various ways to filter and search your logs using terminal commands. Reviewing your Fail2Ban logs will help you maintain your server’s security and ensure your jails work as intended.
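Beyond grepping single strings, a few awk one-liners over the same log answer the questions you actually review for: how many bans each jail issued, which addresses are still banned, which ones keep coming back, and whether any ban action failed. The following is an added example (not from the guide or the Fail2ban project); the log lines are constructed in the default fail2ban.log format, and on a real server you would pipe /var/log/fail2ban.log into the functions instead of sample_log.

```shell
#!/bin/sh
# Added example (not from the guide): summarize a fail2ban.log instead of
# grepping line by line. The sample below is constructed in the default
# fail2ban.log line format; on a real server pipe /var/log/fail2ban.log in.
sample_log() {
cat <<'EOF'
2024-05-01 12:00:01,234 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2024-05-01 12:00:01
2024-05-01 12:00:09,812 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 12:03:14,107 fail2ban.actions        [1234]: NOTICE  [apache-botsearch] Ban 198.51.100.23
2024-05-01 12:10:09,900 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 12:12:00,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 12:15:44,555 fail2ban.actions        [1234]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport'
EOF
}

# Fields in a ban line: date time source [pid]: LEVEL [jail] Ban|Unban IP
# Number of bans issued per jail.
count_bans_per_jail() {
    awk '$3 == "fail2ban.actions" && $5 == "NOTICE" && $7 == "Ban" {
             gsub(/[][]/, "", $6); n[$6]++ }
         END { for (j in n) print j, n[j] }' | sort
}

# Addresses still banned at the end of the log: replay Ban/Unban events,
# which is what fail2ban-client get <jail> banned reports live.
currently_banned() {
    awk '$3 == "fail2ban.actions" && $5 == "NOTICE" && ($7 == "Ban" || $7 == "Unban") {
             gsub(/[][]/, "", $6); key = $6 " " $8
             if ($7 == "Ban") active[key] = 1; else delete active[key] }
         END { for (k in active) print k }' | sort
}

# Addresses banned more than once: the hosts that bantime.increment targets.
repeat_offenders() {
    awk '$3 == "fail2ban.actions" && $5 == "NOTICE" && $7 == "Ban" { n[$8]++ }
         END { for (ip in n) if (n[ip] > 1) print ip, n[ip] }' | sort
}

# Lines at ERROR level, which usually mean an action (e.g. the firewall
# command) failed and the ban was not actually applied.
action_errors() {
    awk '$5 == "ERROR"'
}

echo "== bans per jail";    sample_log | count_bans_per_jail
echo "== currently banned"; sample_log | currently_banned
echo "== repeat offenders"; sample_log | repeat_offenders
echo "== errors";           sample_log | action_errors
```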

Additional Learning: Remove Fail2Ban From Ubuntu

In case you decide to remove Fail2Ban from your system, you can easily uninstall it by following these steps:

Deactivate Fail2Ban Service

If the Fail2Ban service is still active, you need to disable it first:

sudo systemctl disable fail2ban --now

This command will disable the Fail2Ban service and stop it from running.

Remove Fail2Ban From Ubuntu

After disabling the service, you can uninstall Fail2Ban using the following command:

sudo apt remove fail2ban

This command removes the Fail2Ban package but leaves its configuration files under /etc/fail2ban (including your jail.local) in place; use sudo apt purge fail2ban to delete them as well, and sudo apt autoremove to drop dependencies that are no longer needed.

Conclusion

In wrapping up, this guide walked you through the steps to install Fail2ban on your Ubuntu 24.04, 22.04, or 20.04 LTS system, aiming to bolster your server’s defense against unwanted intrusions. We’ve covered how to set it up, tweak it to your liking, and ensure it’s working hard to keep those digital pests at bay. My parting advice? Keep Fail2ban’s rules up-to-date and don’t shy away from customizing it to fit your specific needs. Remember, a well-configured Fail2ban is your server’s best friend, quietly guarding the gates while you focus on the bigger picture. Stay safe out there!
