Fail2Ban: How to install and configure Fail2Ban on Debian or Ubuntu servers

Fail2ban is free software that protects Linux servers by watching log files for suspicious activity. It tracks repeated failed logins or attacks and blocks those IP addresses by updating firewall rules. It works with services like SSH, Apache, and Nginx to stop potential threats quickly.

To install and configure Fail2ban, follow these steps:

1. Update and upgrade your system before any new install with this command:

sudo apt update && sudo apt upgrade -y

2. Install Fail2ban with this command:

sudo apt install fail2ban -y

3. Configure Fail2ban

Fail2ban’s main config file is /etc/fail2ban/jail.conf. Because package updates can overwrite that file, put your settings in an override file (jail.local) instead. Run this command to create it:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

4. Edit the configuration file

Open the jail.local file in a text editor:

sudo nano /etc/fail2ban/jail.local

Copy and paste the following text into jail.local and save the file:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

In this file, you’ll find various configuration options. Some important options to consider are:

  • enabled: Set to true to enable the jail.
  • port: The service’s port you want to protect.
  • filter: The name of the filter to use (usually corresponds to the service, e.g., sshd for SSH).
  • logpath: The log file Fail2ban should monitor.
  • bantime: The duration in seconds for which an IP address is banned (default is 10 minutes).
  • findtime: The time frame in seconds during which repeated failed attempts are considered for banning.
  • maxretry: The number of failed attempts allowed before banning an IP.
  • destemail: The email address where notifications will be sent.
  • action: The action to be taken when a rule is triggered (e.g., banning the IP, sending an email).

Adjust these options based on your needs. You can also enable/disable specific jail sections depending on which services you want to protect.

You can add more jails for other services you want to protect, such as Apache, Nginx, or any other application running on your server.
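To make the maxretry and findtime options above concrete, here is an added example (not part of this article and not code from the Fail2ban project) that replays constructed sshd log lines through a small awk script applying the same counting rule the [sshd] jail uses: an address is flagged once it produces maxretry "Failed password" lines inside any window of findtime seconds. The function names sample_log and ban_candidates, and the log lines with TEST-NET addresses, are constructed for this example; the script only reads the HH:MM:SS field, so it assumes all lines are from the same day.

```shell
#!/bin/sh
# Added example (not from the article or Fail2ban): simulate the
# maxretry/findtime rule of the [sshd] jail on constructed log lines.

# Constructed sample of /var/log/auth.log lines (TEST-NET addresses).
sample_log() {
  cat <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:15 host sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:02:40 host sshd[1207]: Failed password for root from 203.0.113.10 port 51251 ssh2
Mar  3 10:03:00 host sshd[1208]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:00 host sshd[1210]: Failed password for root from 198.51.100.20 port 40100 ssh2
Mar  3 10:30:00 host sshd[1220]: Failed password for root from 198.51.100.20 port 40120 ssh2
Mar  3 10:55:00 host sshd[1230]: Failed password for root from 198.51.100.20 port 40140 ssh2
EOF
}

# ban_candidates MAXRETRY FINDTIME
# Reads log lines on stdin and prints each IP (once, in the order it
# crosses the threshold) that has MAXRETRY or more "Failed password"
# lines inside a sliding window of FINDTIME seconds. Only the HH:MM:SS
# field is used, so all lines are assumed to come from the same day.
ban_candidates() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in banned)) next
      n[ip]++
      ts[ip, n[ip]] = now
      # count the failures of this IP that fall inside the window ending now
      c = 0
      for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) c++
      if (c >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# With the values from the article (maxretry = 3, findtime = 600) only the
# first host is flagged; the second spreads its three failures over
# 50 minutes, so no 600-second window ever contains three of them.
echo "maxretry=3 findtime=600:"
sample_log | ban_candidates 3 600

# Widening findtime to one hour catches the slow attempts as well.
echo "maxretry=3 findtime=3600:"
sample_log | ban_candidates 3 3600
```

The second run shows the trade-off behind these numbers: a long findtime catches slow, spread-out guessing, while a short one keeps a single user who mistypes a password a few times across the day from being locked out.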

5. Enable and start Fail2ban

Once the configuration is complete, enable and start the Fail2ban service:

sudo systemctl enable fail2ban

sudo systemctl start fail2ban

Fail2ban should now be running and actively monitoring log files for suspicious activity.

6. Check Fail2ban status

To check the status of Fail2ban and view any banned IP addresses, use the following command:

sudo fail2ban-client status

This will display information about the active jails and any banned IPs.

To view detailed information about a specific jail:

sudo fail2ban-client status <jail-name>

7. Test Fail2ban

You can test Fail2ban by intentionally triggering a ban, like repeatedly failing to log in to your SSH server. After reaching the maxretry limit, your IP address should be banned.
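For steps 6 and 7 together, here is an added example (not part of this article and not Fail2ban project code) that parses the output of fail2ban-client status <jail-name> into a banned-IP list, so you can feed it to monitoring and, after a test, confirm which addresses were actually banned. Because the verifier has no Fail2ban installed, the block embeds a constructed copy of the status output; the jail_status function uses the live client only when it is present and the script runs as root. The function names sample_status, banned_ips, banned_count, is_banned and jail_status are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article or Fail2ban): extract the banned-IP
# list from "fail2ban-client status <jail>" output for monitoring and for
# checking the result of a ban test.

# Constructed sample of the output of: sudo fail2ban-client status sshd
# (values are tab-separated after the colon, as the real client prints them).
sample_status() {
  printf 'Status for the jail: sshd\n'
  printf '|- Filter\n'
  printf '|  |- Currently failed:\t1\n'
  printf '|  |- Total failed:\t12\n'
  printf '|  `- File list:\t/var/log/auth.log\n'
  printf '`- Actions\n'
  printf '   |- Currently banned:\t2\n'
  printf '   |- Total banned:\t5\n'
  printf '   `- Banned IP list:\t203.0.113.10 198.51.100.20\n'
}

# banned_ips: read status output on stdin, print one banned IP per line.
banned_ips() {
  sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# banned_count: read status output on stdin, print the "Currently banned" number.
banned_count() {
  sed -n 's/^.*Currently banned:[[:space:]]*//p'
}

# is_banned IP: succeed (exit 0) if IP is in the banned list read on stdin.
is_banned() {
  banned_ips | grep -qxF "$1"
}

# jail_status JAIL: use the live client when it is installed and we are root,
# otherwise fall back to the constructed sample so the example runs offline.
jail_status() {
  if command -v fail2ban-client >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    fail2ban-client status "$1"
  else
    sample_status
  fi
}

echo "currently banned in sshd: $(jail_status sshd | banned_count)"
echo "banned addresses:"
jail_status sshd | banned_ips
if jail_status sshd | is_banned 198.51.100.20; then
  echo "198.51.100.20 is currently banned"
fi
```

Before you run the ban test from your own workstation, add its address to ignoreip in the [DEFAULT] section of jail.local so the test cannot lock you out; if an address does get banned by mistake, sudo fail2ban-client set sshd unbanip <ip> releases it. The is_banned check above is a quick way to confirm that your admin address is not on the list after a test.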

That’s it! You have installed and configured Fail2ban on your system. It will now monitor log files and take actions against suspicious activity based on your defined rules. Make sure to review the Fail2ban documentation for advanced configuration options and additional customization.
