
Why Use Fail2Ban

UFW tells your server which doors to board up so nobody can see them, and which doors to let authorized users through. PSAD monitors network activity to detect and prevent potential intrusions, i.e. repeated attempts to get in. But what about the applications and services your server is running, like SSH and Apache, where your firewall is configured to allow access in? Even though access may be allowed, that doesn't mean every access attempt is valid and harmless. What if someone tries to brute-force their way into a web app you're running on your server? This is where Fail2ban comes in.

How It Works

Fail2ban monitors the logs of your applications (like SSH and Apache) to detect and prevent potential intrusions. It watches those log files for suspicious activity (e.g. multiple successive failed connections in a short time-span) and blocks the offending source address.
  • As of right now, the only thing running on this server is SSH so we’ll want Fail2ban to monitor SSH and ban as necessary.
  • As you install other programs, you’ll need to create/configure the appropriate jails and enable them.
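To make that rule concrete, here is an added illustration (not Fail2ban's own code, which is far more elaborate) that replays a few constructed auth.log lines through the logic just described: a host that fails maxretry times within findtime seconds is banned, unless it is listed in ignoreip. The sample lines, the year assumed for the syslog timestamps and the simplified sshd pattern are all assumptions made for this example.

```python
"""Replay constructed auth.log lines through Fail2ban's ban rule.

Added illustration, not Fail2ban's own code: a host that fails `maxretry`
times within `findtime` seconds is banned, unless it is in `ignoreip`.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd filter; Fail2ban's real one
# (/etc/fail2ban/filter.d/sshd.conf) covers many more message variants.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Constructed sample log (203.0.113.0/24 and 192.0.2.0/24 are documentation
# ranges; 10.0.0.5 stands in for a host on your LAN segment).
SAMPLE_AUTH_LOG = """\
Mar 12 12:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 12 12:00:04 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 12 12:00:06 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 12 12:00:09 srv sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 12 12:00:11 srv sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 12 12:00:15 srv sshd[1209]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar 12 12:00:20 srv sshd[1211]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Mar 12 12:00:30 srv sshd[1213]: Failed password for root from 10.0.0.5 port 40030 ssh2
Mar 12 12:00:31 srv sshd[1214]: Failed password for root from 10.0.0.5 port 40031 ssh2
Mar 12 12:00:32 srv sshd[1215]: Failed password for root from 10.0.0.5 port 40032 ssh2
Mar 12 12:00:33 srv sshd[1216]: Failed password for root from 10.0.0.5 port 40033 ssh2
Mar 12 12:00:34 srv sshd[1217]: Failed password for root from 10.0.0.5 port 40034 ssh2
Mar 12 12:11:00 srv sshd[1220]: Failed password for alice from 192.0.2.10 port 40011 ssh2
Mar 12 12:22:00 srv sshd[1221]: Failed password for alice from 192.0.2.10 port 40012 ssh2
Mar 12 12:33:00 srv sshd[1222]: Failed password for alice from 192.0.2.10 port 40013 ssh2
Mar 12 12:44:00 srv sshd[1223]: Failed password for alice from 192.0.2.10 port 40014 ssh2
"""


def _seconds(ts, year=2024):
    """Syslog timestamps carry no year; Fail2ban infers it, we assume one."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


def find_bans(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Return the hosts that would be banned, in the order they hit the threshold."""
    # strict=False because 127.0.0.1/8 (as in jail.local) has host bits set
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    recent = defaultdict(deque)  # host -> timestamps of failures inside findtime
    banned = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # lines the filter does not match are not failures
        host = m["host"]
        try:
            if any(ipaddress.ip_address(host) in net for net in ignored):
                continue  # ignoreip: never banned, however many failures
        except ValueError:
            pass  # a hostname rather than an address: keep counting
        now = _seconds(m["ts"])
        window = recent[host]
        window.append(now)
        while now - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    lan = ("127.0.0.1/8", "10.0.0.0/8")
    print("LAN ignored:   ", find_bans(SAMPLE_AUTH_LOG, ignoreip=lan))
    print("loopback only: ", find_bans(SAMPLE_AUTH_LOG))
    print("findtime=7200: ", find_bans(SAMPLE_AUTH_LOG, findtime=7200, ignoreip=lan))
```

Running it shows the three behaviours a jail combines: 203.0.113.7 is banned after its fifth failure in ten seconds; 192.0.2.10 also fails five times but spread more than findtime apart, so it is never banned with the default window and only banned once findtime is widened to two hours; and 10.0.0.5 fails just as fast as the attacker but is never banned once the LAN segment is in ignoreip, which is why that entry in jail.local matters (and why a typo in it can be costly).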

Installation and Configuration

Step 1: Install Fail2ban

On Debian based systems:
sudo apt install fail2ban

Step 2: Create Local Configuration

We don't want to edit /etc/fail2ban/fail2ban.conf or /etc/fail2ban/jail.conf because a future update may overwrite those, so we'll create a local copy instead.
Create the file /etc/fail2ban/jail.local and add this to it, after replacing [LAN SEGMENT] and [your e-mail] with the appropriate values:

[DEFAULT]
# the IP address range we want to ignore
ignoreip = 127.0.0.1/8 [LAN SEGMENT]

# who to send e-mail to
destemail = [your e-mail]

# who is the email from
sender = [your e-mail]

# since we're using exim4 to send emails
mta = mail

# get email alerts
action = %(action_mwl)s

Your server needs to be able to send e-mail so Fail2ban can let you know about suspicious activity and when it has banned an IP.

Step 3: Create SSH Jail

We need to create a jail for SSH that tells Fail2ban to look at the SSH logs and use UFW to ban/unban IPs as needed. Create the file /etc/fail2ban/jail.d/ssh.local and add this:

[sshd]
enabled = true
banaction = ufw
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 5

Or use this quick command:

cat << EOF | sudo tee /etc/fail2ban/jail.d/ssh.local
[sshd]
enabled = true
banaction = ufw
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 5
EOF

In the above we tell Fail2ban to use UFW as the banaction. Fail2ban ships with an action configuration file for UFW; you can see it in /etc/fail2ban/action.d/ufw.conf.

Step 4: Enable Fail2ban

Start and enable Fail2ban:
sudo fail2ban-client start
sudo fail2ban-client reload
sudo fail2ban-client add sshd  # This may fail on some systems if the sshd jail was added by default
5

Check Fail2ban Status

To check the overall status:

sudo fail2ban-client status

Example output:

Status
|- Number of jail:      1
`- Jail list:   sshd

To check the status of a specific jail:

sudo fail2ban-client status sshd

Example output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Unban an IP Address

To unban an IP address, use this command:

fail2ban-client set [jail] unbanip [IP]

Where:
  • [jail] is the name of the jail that has the banned IP
  • [IP] is the IP address you want to unban
For example, to unban 192.168.1.100 from SSH:

fail2ban-client set sshd unbanip 192.168.1.100

Custom Jails

Custom jails can be created for other services like Apache, Nginx, or custom applications. The process involves:
  1. Creating a filter file in /etc/fail2ban/filter.d/ that defines the log patterns to match
  2. Creating a jail configuration in /etc/fail2ban/jail.d/ that references the filter
  3. Enabling the jail with fail2ban-client
Refer to the Fail2ban documentation for detailed instructions on creating custom jails.
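As a worked version of those three steps, here is an added example (not from this page or the Fail2ban project) that writes the filter and jail files for a hypothetical application called myapp, reads them back, and dry-runs the failregex against constructed log lines much as fail2ban-regex would, so that you can see what the jail would match before you enable it. The application, its log format, the file layout under a temporary directory and the IPv4-only stand-in for Fail2ban's <HOST> placeholder are all assumptions made for this example; it counts matches per host without the findtime window.

```python
"""Author a custom filter and jail for a hypothetical app and dry-run the failregex.

Added example, not from the page or the Fail2ban project. The app, its log
format, the paths and the IPv4-only <HOST> expansion are assumptions.
"""
import configparser
import re
import tempfile
from collections import Counter
from pathlib import Path

# Step 1: the filter. Assumed log line format of the hypothetical app:
#   2024-03-12 12:00:05 WARN auth: login failed for user=admin ip=203.0.113.9
FILTER_CONF = """\
[Definition]
# <HOST> is Fail2ban's placeholder for the offending address; the jail bans what it captures
failregex = ^.* auth: login failed for user=\\S+ ip=<HOST>\\s*$
ignoreregex =
"""

# Step 2: the jail. `filter = myapp` refers to filter.d/myapp.conf by name.
JAIL_CONF = """\
[myapp]
enabled = true
banaction = ufw
port = http,https
filter = myapp
logpath = /var/log/myapp/app.log
maxretry = 3
findtime = 600
bantime = 3600
"""

# Rough stand-in for Fail2ban's <HOST> expansion (assumption: IPv4 only; the
# real expansion also matches IPv6 addresses and hostnames).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample log; the last line carries an extra field the regex above
# does not allow for, which is exactly the kind of gap a dry run should reveal.
SAMPLE_APP_LOG = """\
2024-03-12 12:00:01 INFO auth: login ok for user=alice ip=192.0.2.10
2024-03-12 12:00:05 WARN auth: login failed for user=admin ip=203.0.113.9
2024-03-12 12:00:07 WARN auth: login failed for user=admin ip=203.0.113.9
2024-03-12 12:00:09 WARN auth: login failed for user=root ip=203.0.113.9
2024-03-12 12:00:12 WARN auth: login failed for user=bob ip=198.51.100.4
2024-03-12 12:00:20 WARN auth: login failed for user=alice ip=192.0.2.10 reason=expired-token
"""


def write_jail_files(root):
    """Create filter.d/myapp.conf and jail.d/myapp.local under `root`
    (/etc/fail2ban on a real server; a throwaway directory here)."""
    filter_path = Path(root) / "filter.d" / "myapp.conf"
    jail_path = Path(root) / "jail.d" / "myapp.local"
    filter_path.parent.mkdir(parents=True, exist_ok=True)
    jail_path.parent.mkdir(parents=True, exist_ok=True)
    filter_path.write_text(FILTER_CONF)
    jail_path.write_text(JAIL_CONF)
    return filter_path, jail_path


def load_failregex(filter_path):
    """Read failregex back from the INI-style filter file and expand <HOST>."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(filter_path)
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", HOST_PATTERN))


def dry_run(filter_path, log_text):
    """Count matches per host and collect failure lines the regex missed."""
    failregex = load_failregex(filter_path)
    hits, missed = Counter(), []
    for line in log_text.splitlines():
        m = failregex.match(line)
        if m:
            hits[m["host"]] += 1
        elif "login failed" in line:
            missed.append(line)  # a failure the filter would silently ignore
    return hits, missed


def candidates(root, log_text):
    """Hosts that reach the jail's maxretry (findtime window not applied)."""
    filter_path, jail_path = write_jail_files(root)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(jail_path)
    maxretry = cp["myapp"].getint("maxretry")
    hits, missed = dry_run(filter_path, log_text)
    return sorted(h for h, n in hits.items() if n >= maxretry), hits, missed


def demo(log_text=SAMPLE_APP_LOG):
    """Run the whole dry run in a temporary directory and return its results."""
    with tempfile.TemporaryDirectory() as tmp:
        return candidates(tmp, log_text)


if __name__ == "__main__":
    banned, hits, missed = demo()
    print("would ban:", banned)
    print("matches per host:", dict(hits))
    print("failures not matched:", missed)
```

On a real server the two files go under /etc/fail2ban, after which `sudo fail2ban-client reload` picks the jail up and `sudo fail2ban-client status myapp` shows it, as in Step 5. The one unmatched line in the output is the reason to dry-run first: a failregex anchored too tightly to one message variant misses the others without any error, and the jail looks healthy while banning nobody.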
