Fail2ban is an intrusion prevention software framework that is widely used to protect a system from brute-force and DDoS attacks. It dynamically blocks clients that repeatedly fail to authenticate with the services configured for it. It monitors the system logs in real time to identify automated attacks and blocks the attacking client, restricting its access to the service either permanently or for a specific duration. We can also configure Fail2ban to send an email for every attack it identifies, including the service being attacked and the source IP address used for the attack.
This tutorial provides the steps to install Fail2ban and use it to protect SSH server authentication and FTP server authentication from brute-force attacks.
Prerequisites
This tutorial assumes that you have already installed Ubuntu 20.04 LTS server for production usage. It also assumes that you have either root privileges or a regular user with sudo privileges.
Install Fail2ban On Ubuntu 20.04 LTS
This section provides the commands required to install Fail2ban on Ubuntu 20.04 LTS. Run the command shown below to install it.
# Install Fail2ban
sudo apt install fail2ban
# Output
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python3-pyinotify whois
Suggested packages:
mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
fail2ban python3-pyinotify whois
---
---
Setting up fail2ban (0.11.1-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service.
Setting up python3-pyinotify (0.9.6-1.2ubuntu1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3)
Now we will verify the installation by checking the Fail2ban service status as shown below.
# Fail2ban Status
sudo systemctl status fail2ban
# Output
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-06-07 20:07:24 IST; 2min 40s ago
Docs: man:fail2ban(1)
Main PID: 61291 (f2b/server)
Tasks: 5 (limit: 4624)
Memory: 15.4M
CGroup: /system.slice/fail2ban.service
└─61291 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
---
---
The default configuration directory of Fail2ban is /etc/fail2ban. The default settings are specified in fail2ban.conf and jail.conf. We should not edit these files directly: Fail2ban also reads their local counterparts, fail2ban.local and jail.local, and any setting placed there overrides the value from the corresponding .conf file, which keeps our changes separate from the packaged defaults.
Note: we can always refer to /etc/fail2ban/jail.conf to check the default values for all the standard services supported by Fail2ban.
Now we will do the basic configuration of Fail2ban by adding and updating the files fail2ban.local and jail.local as shown below.
# Create and update fail2ban.local
sudo nano /etc/fail2ban/fail2ban.local
# Basic Configuration
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
# Save and exit the editor by pressing Ctrl + o -> Enter -> Ctrl + x
# Create and update jail.local
sudo nano /etc/fail2ban/jail.local
# Basic Configuration
[DEFAULT]
bantime = 1800
findtime = 600
maxretry = 3
backend = systemd
# Save and exit the editor by pressing Ctrl + o -> Enter -> Ctrl + x
# Restart Fail2ban
sudo systemctl restart fail2ban
We have created /etc/fail2ban/fail2ban.local and configured Fail2ban to log at the INFO level and to write its log to /var/log/fail2ban.log. The possible log levels are CRITICAL, ERROR, WARNING, NOTICE, INFO, and DEBUG, where DEBUG is the lowest level and produces the most detail. We should enable DEBUG only when low-level details are required to analyze an attack.
We have also created /etc/fail2ban/jail.local and configured Fail2ban to ban a client or host for 1800 seconds (half an hour) once it has reached maxretry, i.e. 3 failed attempts, within the findtime window, i.e. the last 600 seconds (10 minutes). In other words, 3 failed attempts within any 600-second window get the host banned for the configured bantime. We can also specify bantime and findtime in minutes or hours by adding the suffix m or h, e.g. 10m for 10 minutes and 1h for 1 hour. We have also set backend to systemd, which selects how Fail2ban obtains log entries; with this backend they are read from the systemd journal. Note that, as the comments in /etc/fail2ban/jail.conf point out, logpath does not apply to the systemd backend, which selects entries through the filter's journalmatch setting instead.
This completes the installation of Fail2ban with the basic configuration on Ubuntu 20.04 LTS.
Fail2ban Client
The fail2ban-client command can be used to check activated jails and banned IPs. It can also be used to whitelist or unban the IPs for a specific jail.
Active Jails
Now execute the command below to check the active jails. It lists the jails that have been activated. Note that Fail2ban on Ubuntu activates the sshd jail by default.
# Check Status
sudo fail2ban-client status
# Output
Status
|- Number of jail: 1
`- Jail list: sshd
Since we have not activated any jail ourselves, sshd shows as the only active jail right after installing Fail2ban.
Jail Status
Use the below-mentioned command to check the status of a specific jail. It also shows the banned IPs of the given jail.
# Jail Status
sudo fail2ban-client status <Jail>
# Example
sudo fail2ban-client status sshd
# Output
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Ban IP
Use the below-mentioned command to ban the IP from the specified jail.
# Ban IP Address
sudo fail2ban-client set <Jail> banip <IP Address>
# Example
sudo fail2ban-client set sshd banip 127.0.0.1
# Output
1
# Jail Status
sudo fail2ban-client status sshd
# Output
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 127.0.0.1
We can also check the firewall to view the status of banned IP addresses as shown below.
# Check Firewall
sudo iptables -L
# Output
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 127.0.0.1 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Another way to confirm a ban is to check the Fail2ban log as shown below.
# Check Fail2ban Logs
tail -f /var/log/fail2ban.log
# Output
----
----
2020-06-08 17:36:14,598 fail2ban.jail [66285]: INFO Jail 'sshd' started
2020-06-08 17:36:14,599 fail2ban.jail [66285]: INFO Jail 'ssh' started
2020-06-08 17:37:40,467 fail2ban.actions [66285]: NOTICE [sshd] Ban 127.0.0.1
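As an added example (not part of the original tutorial), the following POSIX shell script summarises Ban and Unban events from a Fail2ban log written in the fail2ban.actions format shown above; the log lines it uses are constructed, and it also folds in the Restore Ban entries that Fail2ban writes when it re-applies persisted bans after a restart.

```shell
#!/bin/sh
# Added example: summarise ban activity from a Fail2ban log (fail2ban.actions lines).
# The sample log below is constructed in the format shown by `tail -f /var/log/fail2ban.log`.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2020-06-08 17:36:14,598 fail2ban.jail           [66285]: INFO    Jail 'sshd' started
2020-06-08 17:36:14,601 fail2ban.actions        [66285]: NOTICE  [sshd] Restore Ban 192.0.2.55
2020-06-08 17:37:40,467 fail2ban.actions        [66285]: NOTICE  [sshd] Ban 127.0.0.1
2020-06-08 17:42:11,003 fail2ban.actions        [66285]: NOTICE  [sshd] Ban 203.0.113.7
2020-06-08 17:45:02,118 fail2ban.actions        [66285]: NOTICE  [vsftpd] Ban 198.51.100.23
2020-06-08 18:07:40,512 fail2ban.actions        [66285]: NOTICE  [sshd] Unban 127.0.0.1
EOF

# Normalise every ban-related event to "<Ban|Unban> <jail> <ip>".
# "Restore Ban" (a ban re-applied from the database after a restart) counts as Ban.
f2b_events() {
    awk '$3 == "fail2ban.actions" {
            jail = substr($6, 2, length($6) - 2)         # "[sshd]" -> "sshd"
            if ($7 == "Ban" || $7 == "Unban")        print $7, jail, $8
            else if ($7 == "Restore" && $8 == "Ban") print "Ban", jail, $9
         }' "$1"
}

# Number of Ban events for a jail: count_bans <jail> [logfile]
count_bans() {
    f2b_events "${2:-$SAMPLE_LOG}" |
        awk -v j="$1" '$1 == "Ban" && $2 == j { n++ } END { print n + 0 }'
}

# IPs a jail has banned and not unbanned since, one per line: currently_banned <jail> [logfile]
currently_banned() {
    f2b_events "${2:-$SAMPLE_LOG}" | awk -v j="$1" '
        $2 != j       { next }
        $1 == "Ban"   { b[$3] = 1 }
        $1 == "Unban" { delete b[$3] }
        END           { for (ip in b) print ip }' | sort
}

# Per-jail totals as "<jail> <bans> <unbans>", sorted by jail: ban_summary [logfile]
ban_summary() {
    f2b_events "${1:-$SAMPLE_LOG}" | awk '
        { seen[$2] = 1 }
        $1 == "Ban"   { bans[$2]++ }
        $1 == "Unban" { unbans[$2]++ }
        END { for (j in seen) print j, bans[j] + 0, unbans[j] + 0 }' | sort
}

# Run against the real log with: ban_summary /var/log/fail2ban.log
ban_summary
```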
Unban IP
Use the below-mentioned command to unban the IP from the specified jail.
# Unban IP Address
sudo fail2ban-client set <Jail> unbanip <IP Address>
# Example
sudo fail2ban-client set sshd unbanip 103.94.65.121
# Output
1
# Jail Status
sudo fail2ban-client status sshd
# Output
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
IP Whitelisting
We can whitelist IPs for all jails by setting ignoreip in the [DEFAULT] block of /etc/fail2ban/jail.local as shown below. ignoreip is a space-separated list of IP addresses, CIDR masks, or DNS hosts; Fail2ban will never ban the addresses in this list.
# Update jail.local
sudo nano /etc/fail2ban/jail.local
# Basic Configuration
[DEFAULT]
---
ignoreip = 127.0.0.1/8 xx.xx.xx.1/24 xx.xx.xx.xx
---
We can specify the IP address range or a specific IP as shown above. This will maintain a global list of the whitelisted IP addresses applied for all the services.
We can also specify the whitelisted IP address for a specific jail by using the fail2ban-client command as shown below.
# Whitelist IP for a specific jail
sudo fail2ban-client set <jail> addignoreip xx.xx.xx.xx
# Example
sudo fail2ban-client set sshd addignoreip 127.0.0.1
# Output
These IP addresses/networks are ignored:
`- 127.0.0.1
SSH Jail to secure SSH Service
This section provides the configuration to secure the SSH service, either in the global file /etc/fail2ban/jail.local or in the separate jail file /etc/fail2ban/jail.d/defaults-debian.conf that Fail2ban created during installation. The configuration required to protect the SSH service is shown below. We can add it to any of /etc/fail2ban/jail.local, /etc/fail2ban/jail.d/defaults-debian.conf, or /etc/fail2ban/jail.d/ssh.conf. Since Ubuntu already enables the sshd jail (as the status output above showed), this adds a second jail named ssh that uses the same sshd filter and log, and both will appear in the status output.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h
Save the changes, reload Fail2ban, and check the status.
# Reload Fail2ban
sudo systemctl reload fail2ban
# Check Status
sudo fail2ban-client status
# Output
Status
|- Number of jail: 2
`- Jail list: ssh, sshd
FTP Jail to secure vsftpd Service
This section provides the configuration to secure the vsftpd service, either in the global file /etc/fail2ban/jail.local or in a separate jail file for vsftpd, i.e. /etc/fail2ban/jail.d/vsftpd.conf, which we create ourselves. The configuration required to protect the vsftpd service is shown below.
Note: this assumes that vsftpd is already installed.
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 1h
Save the changes, reload Fail2ban, and check the status.
# Reload Fail2ban
sudo systemctl reload fail2ban
# Check Status
sudo fail2ban-client status
# Output
Status
|- Number of jail: 3
`- Jail list: ssh, sshd, vsftpd
FTP Jail to secure pureftpd Service
This section provides the configuration to secure the pureftpd service, either in the global file /etc/fail2ban/jail.local or in a separate jail file for pureftpd, i.e. /etc/fail2ban/jail.d/pureftpd.conf, which we create ourselves. The configuration required to protect the pureftpd service is shown below.
Note: this assumes that pureftpd is already installed.
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
bantime = 1h
Save the changes, reload Fail2ban, and check the status.
# Reload Fail2ban
sudo systemctl reload fail2ban
# Check Status
sudo fail2ban-client status
# Output
Status
|- Number of jail: 3
`- Jail list: ssh, sshd, pureftpd
Summary
This tutorial provided all the steps required to install Fail2ban and configure it to secure the services including ssh, vsftpd, and pureftpd.