How to Install and Configure Fail2Ban on Ubuntu?

Protecting your server against brute-force attacks from the internet is vital, and there are proper tools for the job. In a brute-force attack, the attacker sends a large number of requests to your server.

To mitigate the Brute Force Attack, you can install and configure Fail2Ban on your Ubuntu server.

What is Brute Force Attack?

In a brute-force attack, the attacker sends many login requests to your website, trying username and password combinations from a list they hold. The attack continues until a username and password match; it also raises the I/O load on your website and makes it slow.

Your web server records each request, including the sender's IP address, in a log file. Finding every offending IP address and blocking it in your firewall by hand is a tough task. Instead, Fail2Ban can automate the prevention of brute-force attacks.

Install Fail2Ban on Ubuntu 

Installing Fail2Ban on Ubuntu is simple; follow these steps – 

1. Update Ubuntu repositories and packages with newer versions.

# sudo apt-get update
# sudo apt-get upgrade -y

2. Execute the below-given command to install Fail2Ban on your Ubuntu – 

# sudo apt-get install fail2ban -y

3. Once it is installed, execute the command given below to allow connection to Port 22 (SSH) and enable the Firewall on the server – 

# sudo ufw allow ssh
# sudo ufw enable

Allow SSH before enabling the firewall; otherwise, you will no longer be able to log in over SSH.

4. Now that the installation is complete, let us move on to configuring Fail2Ban.

Configure Fail2Ban on Ubuntu

1. Here, we will create a new configuration file for Fail2Ban inside /etc/fail2ban.
Execute the command given below to create the configuration file – 

# sudo nano /etc/fail2ban/jail.local

2. Paste the below-given content inside the jail.local configuration file – 

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

3. Here is the meaning of each setting we have placed in the jail.local file.

  • ignoreip: the IP addresses that we do not want to ban. Here, we have entered the localhost addresses in IPv4 and IPv6 form, so Fail2Ban will never ban the server itself.

  • bantime: the time, in seconds, for which a banned IP address cannot log in. Once an IP address is banned, it cannot log in again for 3600 seconds.

  • findtime: the time window, in seconds, within which failed attempts are counted. Here it is 600 seconds, or 10 minutes. So, if someone fails to log in maxretry times within 10 minutes, Fail2Ban will block that IP address.

  • maxretry: the number of failed login attempts allowed. Here it is 5, so after five failed tries Fail2Ban will block the IP address.

4. Save the configuration file and restart the Fail2Ban service.

As per the above configuration, if there are five failed login attempts within 10 minutes, Fail2Ban will block that IP Address for 3600 seconds (1 hour).

5. Restart the Fail2Ban service so that it picks up the changes made to the configuration file.

# sudo service fail2ban restart

This is how you can use Fail2Ban to protect your server from brute-force attacks.
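To see how findtime and maxretry work together, here is an added example that is not part of the original article: it replays constructed sshd log lines through the same counting rule Fail2Ban applies, banning a source IP once it records maxretry failed logins inside any findtime-second window. The log lines, hostname and IP addresses are constructed sample data (documentation ranges, not real hosts), and the would_ban and banned_ips function names are assumptions of this example, not Fail2Ban commands.

```shell
#!/bin/sh
# Added example, not from the original article: simulate Fail2Ban's
# findtime/maxretry decision over a constructed auth.log excerpt.
# Values match the jail.local shown above.
FINDTIME=600
MAXRETRY=5

# Constructed sample log lines (not real data). 203.0.113.5 fails five
# times in under five minutes; 198.51.100.7 fails five times but spread
# 20 minutes apart; 192.0.2.9 logs in successfully and is never counted.
SAMPLE_LOG='Jan 10 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:01:10 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:02:20 host sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:03:30 host sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:04:40 host sshd[105]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:05 host sshd[106]: Failed password for ubuntu from 198.51.100.7 port 50001 ssh2
Jan 10 10:20:05 host sshd[107]: Failed password for ubuntu from 198.51.100.7 port 50002 ssh2
Jan 10 10:40:05 host sshd[108]: Failed password for ubuntu from 198.51.100.7 port 50003 ssh2
Jan 10 11:00:05 host sshd[109]: Failed password for ubuntu from 198.51.100.7 port 50004 ssh2
Jan 10 11:20:05 host sshd[110]: Failed password for ubuntu from 198.51.100.7 port 50005 ssh2
Jan 10 10:05:00 host sshd[111]: Accepted publickey for deploy from 192.0.2.9 port 60001 ssh2'

# would_ban FINDTIME MAXRETRY < log
# Prints, one per line and sorted, every IP that reaches MAXRETRY failed
# logins inside a FINDTIME-second window. Assumes each IP's lines appear
# in time order, as they do in a real log.
would_ban() {
  awk -v findtime="$1" -v maxretry="$2" '
    /Failed password/ {
      # field 3 is HH:MM:SS; convert to seconds since midnight
      split($3, t, ":")
      secs = t[1] * 3600 + t[2] * 60 + t[3]
      # the source address follows the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++
      ts[ip, n[ip]] = secs
      # sliding window: the current failure and the one maxretry-1
      # attempts earlier must fall within findtime seconds
      if (n[ip] >= maxretry && secs - ts[ip, n[ip] - maxretry + 1] <= findtime)
        banned[ip] = 1
    }
    END { for (ip in banned) print ip }
  ' | sort
}

# Apply the jail.local values to the sample log.
banned_ips() {
  printf '%s\n' "$SAMPLE_LOG" | would_ban "$FINDTIME" "$MAXRETRY"
}

banned_ips
```

With the article's settings only 203.0.113.5 is banned: its five failures span 279 seconds, inside the 600-second findtime. 198.51.100.7 also fails five times, but each attempt is 20 minutes apart, so no 600-second window ever holds five failures and it is left alone. Lowering maxretry or raising findtime (for example maxretry = 2 with findtime = 1200) would catch the slow attacker as well, at the cost of banning legitimate users who mistype a password twice.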
