
Installing Fail2ban for protection from brute-force attacks


Introduction

Fail2ban monitors your server logs to identify patterns that resemble attacks on your servers and services. If your servers are under an active attack, Fail2ban bans the IP addresses that these attacks are originating from.

An active attack could be repeated failed attempts to sign in to your servers over the SSH protocol using a combination of different usernames and passwords. These are commonly known as brute-force attacks.

This guide is prepared on the Ubuntu 24.04 OS template. However, it should work with our other Ubuntu/Debian OS templates.

1. Updating our system

To do so, use:

sudo apt update
sudo apt upgrade

When the system is updated, we can go ahead with the Fail2ban installation.

2. Installation

To install the tool on Ubuntu/Debian, run these commands:

sudo apt install fail2ban

To verify the installation:

fail2ban-client --version

Output example:

A default Fail2ban configuration file should be installed at this location:

/etc/fail2ban/jail.conf

This is the file you'll need to edit to suit your environment.

Many of the services that need to be protected already have their own sections in the file, configured but disabled. You'll need to enable each service that is running on your servers individually.

3. Configuring (Optional)

To open configuration files, use:

sudo nano /etc/fail2ban/jail.conf

By default, the SSH protocol is enabled and protected. Without further changes, anyone trying to brute force their way into your server will automatically be banned or locked out after six tries. Fail2ban protects the default protocol ports. If you configure services on your server to use a non-standard port, then you must specify the new port number for the service.

An example: if you change your SSH port number from the default 22 to 2222, you must define it in the configuration:

[ssh]
enabled = true
# the default value "ssh" resolves to port 22; set the non-standard port here
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Other services are configured but are not enabled. You can tell by the value 'false' for 'enabled' under each service.

To enable and protect a service running on your server, scroll down to the service's section and change the enabled value to true.

4. Legend for configurations

Enabled - simply means that the service is enabled for monitoring by "fail2ban".

Port - is the port number of the service to monitor. By default, "fail2ban" monitors standard ports, so if you changed the port for a service to something other than the standard, you must specify it.

Filter - refers to the rules and strings that "fail2ban" uses to spot an attack against a particular service.

Logpath - refers to the log location that "fail2ban" tracks. By default, it’s the auth.log file. If that has changed for your OS, you must specify it there as well.
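To make the legend concrete, here is an added Python example (not part of this guide and not Fail2ban's own code) that does what a jail's filter does: it applies an sshd-style failregex to constructed auth.log lines, counts matches per source IP, and reports the IPs that reach maxretry within the findtime window. The regex is a simplified version of Fail2ban's sshd filter, the log lines are constructed samples using RFC 5737 documentation addresses, and findtime is assumed to be Fail2ban's 10-minute default, which this guide does not cover.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified form of the pattern Fail2ban's sshd filter applies to
# /var/log/auth.log lines (the real filter covers many more variants).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not real traffic). auth.log omits the year,
# so the year is assumed below.
SAMPLE_LOG = """\
Jun  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  1 10:00:03 host sshd[1202]: Failed password for invalid user root from 203.0.113.5 port 51235 ssh2
Jun  1 10:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jun  1 10:00:07 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Jun  1 10:00:09 host sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Jun  1 10:00:11 host sshd[1206]: Failed password for invalid user ubuntu from 203.0.113.5 port 51239 ssh2
Jun  1 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun  1 10:02:20 host sshd[1211]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Jun  1 10:40:00 host sshd[1300]: Failed password for bob from 192.0.2.9 port 42000 ssh2
"""

def parse_time(line: str, year: int = 2024) -> datetime:
    # "Jun  1 10:00:01" -> datetime (assumed year, since auth.log has none)
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def ips_to_ban(log: str, maxretry: int = 6, findtime: int = 600) -> list[str]:
    """Return IPs with at least maxretry filter matches inside a window of
    findtime seconds, which is the condition under which Fail2ban bans."""
    hits: dict[str, list[datetime]] = defaultdict(list)
    banned: list[str] = []
    window = timedelta(seconds=findtime)
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # lines such as "Accepted password" never match the filter
        ip = m.group("ip")
        ts = parse_time(line)
        hits[ip].append(ts)
        recent = [t for t in hits[ip] if ts - t <= window]
        if len(recent) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # only the six-failure client is banned
```

A single mistyped password from a legitimate user (alice above) never reaches maxretry, which is why the default of six tries bans the scanner but not an ordinary admin.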

Conclusion

You should now be able to configure some basic banning policies for your services. "Fail2ban" is very easy to set up and is a great way to protect any kind of service that uses authentication.
