How to Install Fail2Ban on Ubuntu 22.04 LTS

Fail2Ban is a robust intrusion prevention software framework that protects computer servers from brute-force and other attacks. It achieves this by reading access/error logs on your server or web application, which can then be used to identify malicious users before they cause any damage.

The software is very popular with public-facing servers. Whether you’re a server owner or want to protect your network, Fail2ban can stop attacks before they hurt. This software is written in Python and runs on POSIX systems with an interface for packet control systems like iptables or TCP Wrapper installed locally – that means besides servers, even desktops can be supported, granted with a different set of rules.

The following tutorial will teach you how to install Fail2Ban on Ubuntu 22.04 LTS Jammy Jellyfish desktop or a headless server. It includes some example configurations and essential tips to get you started.

Update Ubuntu

First, before you begin, update your system to ensure no conflicts occur during the installation and set up of Fail2Ban as follows.

sudo apt update && sudo apt upgrade -y

Install Fail2ban

By default, fail2ban is featured in Ubuntu 22.04’s default repository, making the installation straightforward.

Begin the installation of Fail2ban by executing the following command.

sudo apt install fail2ban -y

By default, Fail2Ban is not enabled and activated once installed. Start the service and enable it on system boot using the following command.

sudo systemctl enable fail2ban --now

Once you have finished installing Fail2ban, check its service status. By default, when installing Fail2ban, it should come auto-enabled and started. Use the following command to confirm.

systemctl status fail2ban


Fail2ban Backup Settings

After completing the installation, you need to do some setup and basic configuration. Fail2ban comes with two configuration files, located at /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

Do not modify these files. They are your originals and will be replaced in any future update to Fail2ban.

The next step is to create copies ending in .local instead of .conf, as Fail2ban will always read .local files first before loading .conf if it cannot find one. Creating the local files means your settings are not lost when you update Fail2Ban, and if you misconfigure something, you always have a fresh copy to return to.

Use the following cp command to create a copy of the configuration file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, use the ls command to verify that the jail.local file exists within the /etc/fail2ban/ directory.

ls /etc/fail2ban/jail.local


Configure Fail2ban

Now you come to the part where you can open jail.local and adjust the settings using the nano editor.

sudo nano /etc/fail2ban/jail.local

Ban Time Increment

The first setting you will come across is ban time increments. You should enable this so that every time the attacker returns and gets re-banned, the ban time increases, saving your system from constantly re-banning the same IP if your ban time lengths are minor.

For example, the default ban time is one hour; you would want this to be longer if the attacker returns five times, so when the attacker is banned for the fifth time, the ban is automatically five hours instead of one.

To achieve the ban time increment, you need to set a multiplier or factor for the ban increase logic to work. You can pick any of these; however, in this tutorial, I have chosen multipliers, since you can set custom ban time increases to your liking.

Further explanation of the math behind it is in the set-up.
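
The multiplier logic described above, as an added example that is not part of the original tutorial: a shell model of how the bantime.increment, bantime.multipliers and bantime.maxtime options from jail.conf combine. The sample values (multipliers 1 2 3 4 5 48, a one-day cap) and the helper names are assumptions chosen to match the five-hour illustration, and bantime.rndtime is ignored.

```shell
#!/bin/sh
# Added example: models bantime.increment with bantime.multipliers.
# Constructed jail.local [DEFAULT] excerpt; the values are assumptions.
sample_conf() {
cat <<'EOF'
[DEFAULT]
bantime = 1h
bantime.increment = true
bantime.multipliers = 1 2 3 4 5 48
bantime.maxtime = 1d
EOF
}

# Convert a Fail2ban time value (seconds, or an s/m/h/d/w suffix) to seconds.
to_seconds() {
    case $1 in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *d) echo $(( ${1%d} * 86400 )) ;;
        *w) echo $(( ${1%w} * 604800 )) ;;
        *)  echo "$1" ;;
    esac
}

# Print the value of "key = value" from the config read on stdin.
conf_get() {
    awk -F' *= *' -v key="$1" '$1 == key { print $2; exit }'
}

# ban_seconds N: length of the Nth ban (N >= 1) of the same address.
ban_seconds() {
    n=$1
    base=$(to_seconds "$(sample_conf | conf_get bantime)")
    max=$(to_seconds "$(sample_conf | conf_get bantime.maxtime)")
    set -- $(sample_conf | conf_get bantime.multipliers)
    if [ "$n" -gt "$#" ]; then n=$#; fi   # past the list: reuse the last multiplier
    eval "mult=\${$n}"
    secs=$(( base * mult ))
    if [ "$secs" -gt "$max" ]; then secs=$max; fi   # bantime.maxtime caps growth
    echo "$secs"
}

for i in 1 2 3 4 5 6 7; do
    echo "ban $i: $(ban_seconds "$i") seconds"
done
```

With these values the fifth ban lasts five hours, and the sixth would be 48 hours but is held at the one-day cap.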



Whitelist IPs in Fail2ban

Next in the list, we come across the whitelisting options. Uncomment the following line and add any IP addresses you want to be whitelisted.

ignoreip = ::1 <ip address>

Separate multiple IP addresses with a space or comma. You can whitelist IP ranges as well.



Default Ban Time Set-Up

Ban time defaults are 10 minutes, with a 10-minute find time and 5 retries. In other words, a Fail2Ban jail with filtering will ban your attacker for 10 minutes after it has retried the same attack 5 times (retries) within 10 minutes (find time). You can set some default ban settings here.

However, when you get to jails, it’s advised to set different ban times as some banning should automatically be longer than others, including retries that should be less or more. This is user-dependent, and there is no natural right or wrong setting here.



E-Mail Alerts/Notifications

You can set an e-mail address for Fail2ban to send reports to. The default action = %(action_mw)s bans the offending IP and sends an e-mail with a whois report for you to review. However, in your action.d folder, other e-mail options exist for reporting to yourself and for sending e-mails to blacklist providers and the attacker’s ISP.

The setup example is below:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = admin@example.com

# Sender e-mail address used solely for some actions
sender = fail2ban@example.com



Fail2ban Jails

Next, we come to jails. You can set pre-defined jails with filters and actions created by the community covering many popular server applications. You can make custom jails or find external ones on various gists and community websites; however, we will set up the default Fail2ban package jails.

In the default set-up, none of the jails are enabled.

For example, if you have an Apache 2 HTTP server and would like to filter/ban bad bots, all you need to do is add enabled = true, as in the example below.

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Notice how the max retry equals 1, and the ban time is 48H. This is an individual max retry and ban length setting for this jail, which will automatically increase with the ban multiplier we set up earlier in the tutorial.

If any of the filters are missing, you can add them, as in the following example.

enabled = true
port     = http,https
logpath  = %(apache_error_log)s

Change the above to the following:

enabled = true
port     = http,https
logpath  = %(apache_error_log)s
bantime = 1d
maxretry = 3

The example enables the filter and sets a custom bantime and maxretry for the jail.

Next, you may want different actions than those specified in the default set-up in /etc/fail2ban/jail.local; you can find additional actions in the action.d directory.

Different actions from this directory can be easily set up by following the directions inside those action configuration files, remembering to rename them first to .jail over .conf, and then adding the following to your jail setup.

The example below adds Cloudflare ban action and the default action to the [apache-botsearch] jail.

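[apache-botsearch]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
# action_mw is an action shortcut, so it goes under "action", not "banaction"
action   = %(action_mw)s
           cloudflare
bantime = 72h
maxretry = 1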

As you can see, we added action_mw, so it automatically bans as per our default action and e-mails us a report with whois; then the following action, if you use Cloudflare, blocks the IP address on the service as well.

Remember, Cloudflare needs to be set up before use! Read the action.d file cloudflare.conf.

Once you are happy with your set-up, run the following command to restart fail2ban and load your new jails.

sudo systemctl restart fail2ban

How to Ban/Unban Using Fail2Ban Manually

Now that you are up and running with Fail2ban, you need to know some basic operating commands. This is done using the fail2ban-client command. You may need to have sudo privileges, depending on your setup.

Ban an IP address:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

Use the following command to bring up the help menu if you need to find additional settings or get help on a particular one.

sudo fail2ban-client -h

How to Check/Monitor Fail2Ban Logs

A common mistake is setting up jails and walking away without testing or monitoring what they are doing. Reviewing logs is essential, and the fail2ban log is at its default path, /var/log/fail2ban.log.

If you have a server receiving decent traffic, an excellent way to watch for issues live, and keep an eye on the server while you work on others, is the tail -f command below.

tail -f /var/log/fail2ban.log

The command can come in handy for spot-checking without diving into logging.

Alternatively, you can use the grep command to search for an IP address or even a user agent; these are just examples.

Example user-agent:

grep "Bing" /var/log/fail2ban.log

Example error:

grep "error" /var/log/fail2ban.log

Example IP address:

grep "<ip address>" /var/log/fail2ban.log

Again, the above are just examples, and there are quite a few different commands and methods to sort through your logs using a terminal instance.
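
Going one step beyond single grep searches, the following added example (not part of the original tutorial) summarises a log by counting new bans per jail and address and listing repeat offenders. The log lines are constructed in the usual fail2ban.log layout with documentation IP addresses, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed fail2ban.log excerpt (documentation IPs, made-up PIDs and times).
sample_log() {
cat <<'EOF'
2022-06-01 10:00:01,100 fail2ban.filter  [812]: INFO    [apache-badbots] Found 203.0.113.7 - 2022-06-01 10:00:01
2022-06-01 10:00:01,350 fail2ban.actions [812]: NOTICE  [apache-badbots] Ban 203.0.113.7
2022-06-01 11:12:40,002 fail2ban.actions [812]: NOTICE  [apache-botsearch] Ban 198.51.100.23
2022-06-02 08:00:00,500 fail2ban.actions [955]: NOTICE  [apache-botsearch] Restore Ban 198.51.100.23
2022-06-03 10:00:02,000 fail2ban.actions [955]: NOTICE  [apache-badbots] Unban 203.0.113.7
2022-06-03 10:05:11,420 fail2ban.actions [955]: NOTICE  [apache-badbots] Ban 203.0.113.7
2022-06-03 10:05:11,900 fail2ban.actions [955]: ERROR   Failed to execute ban jail 'apache-badbots' action 'cloudflare'
EOF
}

# Count new bans per jail and address: "<count> <jail> <ip>", busiest first.
# Only "[jail] Ban <ip>" is counted; "Restore Ban" after a restart is skipped.
ban_counts() {
    awk '{
        for (i = 2; i < NF; i++)
            if ($i == "Ban" && $(i - 1) ~ /^\[.+\]$/) {
                seen[$(i - 1) " " $(i + 1)]++
                break
            }
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# Addresses banned at least twice by the same jail.
repeat_offenders() {
    ban_counts | awk '$1 >= 2 { print $3 }'
}

# Number of log lines mentioning an error, regardless of case
# (Fail2ban writes the level as upper-case ERROR).
error_count() {
    grep -ci 'error' || true
}

sample_log | ban_counts
```

To run it against the real log, redirect the file into a function, for example ban_counts < /var/log/fail2ban.log.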

How to Remove (Uninstall) Fail2Ban

If you no longer wish to have Fail2ban installed, deactivate the service if it is still enabled.

sudo systemctl disable fail2ban --now

Next, remove fail2ban using the following command.

sudo apt autoremove fail2ban --purge -y

Note that this will remove fail2ban's data and all unused system dependencies installed with it.

Comments and Conclusion

Fail2ban is a powerful tool that you can set up in many different ways, and I have shown you just one example of how to go about it. Fail2ban is actively developed and is a solid choice to deploy on your server in these times when attacks are becoming so frequent.
