Fail2ban is an open-source intrusion prevention tool that protects services from brute-force, DDoS and other automated attacks. It blocks clients that repeatedly fail to authenticate with the services configured for it. It does this by monitoring the logs of those services for malicious activity and identifying automated attacks. This article explains how to install and configure Fail2ban on Ubuntu 22.04.
How to Install Fail2ban on Ubuntu 22.04
By default, the standard Ubuntu repositories include the Fail2ban package, so installing it is straightforward.
Step 1 – Update System
First, update your system with the following commands:
sudo apt update && sudo apt upgrade
Step 2 – Install Fail2ban
Run the following command as root, or as a user with sudo privileges, to install the Fail2ban package:
sudo apt install fail2ban -y
Once the installation completes, the Fail2ban service starts automatically.
Step 3 – Verify Installation
You can verify the installation by checking the service status:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-11-14 02:31:25 UTC; 4s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 2029)
     Memory: 12.0M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
That’s it. At this point, you have Fail2Ban running on your Ubuntu server.
Step 4 – Fail2ban Configuration
By default, the /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf configuration files ship with the Fail2Ban installation. Do not edit these files directly, because they can be overwritten when the package is updated.
Instead, copy jail.conf to jail.local and make your changes in the .local file. The .local file only needs to contain the settings you want to override. Fail2ban reads the configuration files in the following order; each .local file overrides the settings from the corresponding .conf file:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
Copy jail.conf and save it as jail.local:
sudo cp /etc/fail2ban/jail.{conf,local}
To make configuration changes, open jail.local in a text editor:
sudo nano /etc/fail2ban/jail.local
The configuration file documents each option in comments. Below is the configuration file with its default settings. Let’s change the basic configuration in this file.
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
#          Specifying "logpath" is not valid for this backend.
#          See "journalmatch" in the jails associated filter config
backend = systemd
Whitelist IP Address
You can add IP addresses and IP ranges to the ignoreip directive to allow them at all times and prevent them from ever being banned. Add your local IP addresses and any other system addresses you want to whitelist here.
Uncomment the line starting with ignoreip and add your IP addresses separated by spaces:
ignoreip = 127.0.0.1/8 ::1 222.222.222.222 192.168.55.0/24
Ban Settings
The bantime, findtime, and maxretry options define the ban duration and the ban conditions.
bantime is the duration for which an IP is banned. The default is 10 minutes; if no suffix is specified, the value is interpreted as seconds. To ban for a longer period, change the value as below:
bantime = 1d
For a permanent ban, use a negative number.
findtime is the window within which the failures must occur for a ban to be set. For example, if Fail2ban is set to ban an IP after five failures (maxretry), those failures must occur within the findtime duration.
findtime = 10m
maxretry is the number of failures after which a host is banned. The default value of 5 is fine for most users.
maxretry = 5
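The override order and the ban rule described above, as an added example (this is not code from the original article or from the Fail2ban project): it merges constructed jail.conf, jail.d and jail.local fragments in Fail2ban's precedence order, converts bantime/findtime suffixes to seconds, and decides whether a sequence of failure timestamps for one address would cross the maxretry threshold inside one findtime window, honouring ignoreip. The fragment contents and the failure timestamps are constructed sample data.

```python
import configparser
import ipaddress
from collections import deque

# Constructed fragments standing in for the files Fail2ban reads, listed in
# its documented precedence order (later entries override earlier ones).
LAYERS = [
    ("jail.conf", "[DEFAULT]\nignoreip = 127.0.0.1/8\nbantime = 600\nfindtime = 10m\nmaxretry = 5\n"),
    ("jail.d/defaults-debian.conf", "[sshd]\nenabled = true\n"),
    ("jail.local", "[DEFAULT]\nignoreip = 127.0.0.1/8 ::1 192.168.55.0/24\nbantime = 1d\n"),
]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """Convert a Fail2ban time value ('600', '10m', '1d', '-1') to seconds.
    A bare number is seconds; a negative number means a permanent ban."""
    value = value.strip()
    if value[-1] in UNITS and value[:-1].lstrip("-").isdigit():
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)


def effective_settings(layers, jail="sshd"):
    """Merge the layers in order; [DEFAULT] values apply to every jail."""
    cp = configparser.ConfigParser(interpolation=None)
    for _name, text in layers:
        cp.read_string(text)
    sect = cp[jail] if cp.has_section(jail) else cp["DEFAULT"]
    nets = sect["ignoreip"].replace(",", " ").split()
    return {
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in nets],
        "bantime": parse_duration(sect["bantime"]),
        "findtime": parse_duration(sect["findtime"]),
        "maxretry": int(sect["maxretry"]),
    }


def would_ban(ip, failure_times, settings):
    """Ban when maxretry failures fall inside one findtime window,
    unless the address matches ignoreip. failure_times: ascending epoch seconds."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in settings["ignoreip"]):
        return False
    window = deque()  # failures still inside the current findtime window
    for t in failure_times:
        window.append(t)
        while t - window[0] > settings["findtime"]:
            window.popleft()
        if len(window) >= settings["maxretry"]:
            return True
    return False
```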
Conclusion
In this tutorial you learned how to install and configure Fail2Ban on Ubuntu 22.04. To learn more about Fail2Ban, visit the Fail2ban documentation.
If you have any questions or suggestions, please leave a comment below.