How to Install and Configure Fail2ban on Ubuntu?


You need to protect your server from brute force attacks coming from the internet, and you can do that with the right tools. In a brute force attack, the attacker sends a large number of login attempts to your server. To mitigate brute force attacks against SSH, you can install and configure Fail2Ban on your Ubuntu server.

What is a Brute Force Attack?

The attacker sends many login requests to your server, trying username and password combinations from a wordlist or a database of leaked credentials. The attack continues until a combination matches. The flood of requests also raises the load on your server and makes it slow; if the failed logins keep coming, your server is under a brute force attack.

Your server records each request in a log file together with the sender's IP address. Finding every offending IP address by hand and blocking it in your firewall is hard work. Instead, Fail2Ban automates this: it reads the log, counts failed logins per IP address and adds a temporary firewall rule against each offender.

Install Fail2Ban on Ubuntu :

It is very easy to install Fail2Ban on Ubuntu. Follow the steps below.

  1. Update the Ubuntu package lists and upgrade the installed packages to their newest versions.

    sudo apt-get update
    sudo apt-get upgrade -y
  2. Execute the command below to install Fail2Ban on your Ubuntu server.

    sudo apt-get install fail2ban -y
  3. Once it is installed, allow connections to port 22 (SSH) and enable the firewall on the server. Allow SSH before enabling ufw: its default policy denies incoming connections, so if SSH is not allowed first you will lock yourself out of the server.

    sudo ufw allow ssh
    sudo ufw enable
  4. The installation is complete. Let us move on to the configuration.

Configure Fail2Ban on Ubuntu :

  1. Here, we will create a new configuration file for Fail2Ban inside /etc/fail2ban. Local overrides belong in jail.local; the packaged jail.conf is overwritten on upgrades, so do not edit it directly. Execute the command below to create the file.

    sudo nano /etc/fail2ban/jail.local
  2. Paste the content below into the jail.local configuration file.

    [DEFAULT]
    ignoreip = 127.0.0.1/8 ::1
    bantime = 3600
    findtime = 600
    maxretry = 5

    [sshd]
    enabled = true
  3. Here is the meaning of each setting in the jail.local file.
  • ignoreip: the IP addresses that must never be banned. Here we have entered the loopback addresses in IPv4 and IPv6 form, so Fail2Ban will not ban the server itself. Add your own management IP address or range here as well, so that a mistyped password from your workstation cannot lock you out.

  • bantime: the number of seconds for which a banned IP address is blocked. Once an IP address is banned it cannot connect again for 3600 seconds.

  • findtime: the length of the window, in seconds, over which failures are counted. Here it is 600 seconds, or 10 minutes. If one IP address fails to log in maxretry times within 10 minutes, Fail2Ban will ban that IP address.

  • maxretry: the number of failed login attempts allowed inside the findtime window. Here it is 5, so the fifth failure within 10 minutes triggers the ban.

  4. Save the configuration file and restart the Fail2Ban service.

With the configuration above, if one IP address produces 5 failed logins within 10 minutes, Fail2Ban blocks that IP address for 3600 seconds, that is, 1 hour.

Restart the Fail2Ban service so that the changes in the configuration file take effect.

    sudo service fail2ban restart

You can confirm that the sshd jail is active, and list the addresses currently banned, with:

    sudo fail2ban-client status sshd

The SSH service of your server is now protected by Fail2Ban. This is how you can use Fail2Ban to protect your server from brute force attacks.
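To see what the jail.local values above actually do before enabling the jail on a live host, here is an added example (not part of the original article and not Fail2ban's own code) that emulates the sshd jail's counting rule with plain awk over constructed auth.log lines: maxretry failures from one address inside findtime seconds triggers a ban, and addresses in ignoreip are skipped. The sample log lines, the host name and the addresses are all constructed; the helper names `sample_log` and `would_ban` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article or from Fail2ban itself:
# emulate the sshd jail's counting rule (maxretry failures from one IP
# inside findtime seconds -> ban) over constructed auth.log lines.

# Constructed sample of /var/log/auth.log lines (not real traffic). All
# entries fall on the same day, so only the HH:MM:SS field is compared.
sample_log() {
  cat <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Jan 10 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Jan 10 10:00:09 host sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 40003 ssh2
Jan 10 10:00:14 host sshd[1004]: Failed password for invalid user admin from 203.0.113.10 port 40004 ssh2
Jan 10 10:00:20 host sshd[1005]: Accepted publickey for deploy from 192.0.2.50 port 50000 ssh2
Jan 10 10:00:21 host sshd[1006]: Failed password for root from 203.0.113.10 port 40005 ssh2
Jan 10 10:05:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jan 10 10:17:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 41001 ssh2
Jan 10 10:29:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan 10 10:41:00 host sshd[1010]: Failed password for root from 198.51.100.7 port 41003 ssh2
Jan 10 10:53:00 host sshd[1011]: Failed password for root from 198.51.100.7 port 41004 ssh2
Jan 10 11:00:00 host sshd[1012]: Failed password for root from 127.0.0.1 port 42000 ssh2
Jan 10 11:00:02 host sshd[1013]: Failed password for root from 127.0.0.1 port 42001 ssh2
Jan 10 11:00:04 host sshd[1014]: Failed password for root from 127.0.0.1 port 42002 ssh2
Jan 10 11:00:06 host sshd[1015]: Failed password for root from 127.0.0.1 port 42003 ssh2
Jan 10 11:00:08 host sshd[1016]: Failed password for root from 127.0.0.1 port 42004 ssh2
EOF
}

# would_ban MAXRETRY FINDTIME "IGNOREIP"
# Reads auth.log lines on stdin and prints, in order, each source address
# the jail would ban. Simplifications versus the real jail: only the
# "Failed password" message is matched (Fail2ban's sshd filter has many
# more regexes), and ignoreip entries are compared as plain addresses
# rather than CIDR ranges.
would_ban() {
  awk -v maxretry="$1" -v findtime="$2" -v ignorelist="$3" '
    BEGIN {
      n_ig = split(ignorelist, ig, " ")
      for (k = 1; k <= n_ig; k++) ignore[ig[k]] = 1
    }
    /Failed password/ {
      # Timestamp -> seconds since midnight (the sample is single-day).
      split($3, hms, ":")
      t = hms[1] * 3600 + hms[2] * 60 + hms[3]
      # The source address is the token after "from".
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || (ip in ignore) || (ip in banned)) next
      # Record this failure, then count how many failures the same IP
      # has inside the findtime window that ends now.
      n[ip]++
      ts[ip, n[ip]] = t
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > t - findtime) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Run with the values from jail.local above. Only 203.0.113.10 is banned:
# it fails five times in 20 seconds. 198.51.100.7 also fails five times,
# but 12 minutes apart, so it never has 5 hits inside 600 seconds, and
# 127.0.0.1 is excluded by ignoreip.
sample_log | would_ban 5 600 '127.0.0.1 ::1'
```

Running `would_ban 5 3600 '127.0.0.1 ::1'` over the same sample bans 198.51.100.7 as well, which is the practical caveat: a slow attacker who spaces attempts wider than findtime is never counted, so findtime and maxretry should be chosen against the attack rate you actually see in your logs, not just left at the defaults.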
