Use fail2ban on Ubuntu
Last updated on: 2020-08-19
Authored by: John Garcia
This article describes how to install the Fail2Ban service on Ubuntu 20.04.
What is Fail2Ban?
Fail2Ban is intrusion prevention software that you can use to protect servers from malicious threats such as brute-force attacks.
Before you install Fail2Ban, it is good practice always to ensure your server is up to date. Execute the following command to update the current versions of packages installed on your server:
root@server-01:~# sudo apt-get upgrade
Note: The preceding command provides a summary of packages to be upgraded and prompts you with the required additional space for the installation. Type “y” to continue with the upgrade.
Execute the following command to begin the installation:
root@server-01:~# sudo apt-get install fail2ban
Note: At the additional space prompt, type “y” to continue with the upgrade.
Verify that Fail2Ban is installed and running with the following command:
root@server-01:~# sudo systemctl status fail2ban fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset> Active: active (running) since Fri 2020-07-31 00:23:21 UTC; 42min ago
If Fail2ban is not running at any time, you can start it with the following command:
root@server-01:~# sudo systemctl start fail2ban
Set Fail2Ban to start at boot with the following command:
root@server-01:~# sudo systemctl enable fail2ban Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable fail2ban
You should not update the Fail2Ban default configuration files, fail2ban.conf and jail.conf. Instead, create new empty files fail2ban.local and jail.local, or copy the .conf files to create the .local files.
You can copy the existing .conf file to create the .local file with the following command:
root@server-01:~# sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Make any Fail2Ban configuration changes to only the .local files using your favorite text editor. The following examples are commonly configured items:
- ignoreip: Specified addresses that are not be banned by criteria.
- bantime: Specified length of time that ban lasts.
- maxretry: Specified number of login failures, before being banned.
Numerous other fields are configurable, and you can find those descriptions within the .local file.
The following example shows a basic ban setting from within the jail.local file and sets the
bantime to 10 minutes and
maxretry to three attempts.
# "bantime" is the number of seconds that a host is banned. bantime = 10m # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 10m # "maxretry" is the number of failures before a host get banned. maxretry = 3
The following example shows three unsuccessful login attempts and the resulting IP address ban.
[user@test ~]$ ssh firstname.lastname@example.org email@example.com's password: Permission denied, please try again. firstname.lastname@example.org's password: Permission denied, please try again. email@example.com's password: Permission denied (publickey,password). [user@test ~]$ ssh firstname.lastname@example.org ssh: connect to host 220.127.116.11 port 22: Connection refused