How to Install and Configure Fail2ban on Ubuntu Server 16.04

Posted on by Noti Peppas | Updated:
Reading Time: 5 minutes

Have you ever logged into your server and seen a message like this?

Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
 There were 942 failed login attempts since the last successful login.
 Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101

What happened here?

Fail2ban

This message is informing me that while I was logged out, there were 942 failed attempts to access my server via SSH! This type of message is a strong indicator that my server was probably under a “brute force” attack. In this type of scenario, an attacker will attempt to randomly guess passwords repeatedly until they get lucky with the correct password. This is one reason why usinga secure password is so important! 

Fear not, Fail2ban can be a fantastic tool for dynamically thwarting these types of brute force attacks. This tutorial will walk you through installing and configuring Fail2ban to help protect sshd from brute force attacks. Let’s dig in!

Note:
The remainder of this tutorial requires you to have root privileges. Start by either logging in as root or prefix these commands with sudo.

Installing Fail2ban

Installing Fail2ban on Ubuntu VPS Server is simple. Run the following two commands to install the program:

apt-get update
apt-get install fail2ban -y

We will start the service, so it is running.

service fail2ban restart

Finally, we check to make sure Fail2ban is running after the restart:

service fail2ban status

The output should display active (running) which indicates the service is up and we’re ready to proceed to configuration.

Configuring Fail2ban

Now that Fail2ban is installed and running, we can define custom rules for what services it protects, and how to handle violations.

First, create a configuration file for Fail2ban. This file doesn’t exist by default, but Fail2ban will look for this file and read the contents if it exists:

touch /etc/fail2ban/jail.local

Now we’ll open the configuration file for editing. We’re using vi as our text editor in this example, but feel free to use nano or whatever text editor you are most comfortable with. (Related: check out our helpful tutorial if you need to brush up on how to use vi.) Run the following command to open the file for editing:

vi /etc/fail2ban/jail.local

Paste in the following contents, and save the file:

[DEFAULT]
 ignoreip = 127.0.0.1/8 ::1
 bantime = 3600
 findtime = 600
 maxretry = 5
 [sshd]
 enabled = true

Let’s review the options we just set. First, we are telling Fail2ban to ignore IP addresses 127.0.0.1 and ::1. These are the IPv4 and IPv6 addresses for localhost, respectively. For the remaining lines, it is important to understand Fail2ban reads time as seconds in the configuration file. These rules will ban IP addresses for one hour {bantime = 3600}, if they make 5 mistakes {maxretry = 5}, within 10 minutes {findtime = 600}. Finally, we enabled the jail for sshd. Feel free to adjust these numbers to your liking, but please consider the following:

Note:
Setting a ban time of -1 will result in a permanent ban on that IP address. You may need to contact Liquid Web support if you accidentally block yourself from your server. Consider these options carefully!

Now that we have created a configuration to use, restart Fail2ban so that our new rules are read and utilized:

service fail2ban restart

We will also double check to make sure Fail2ban is running after the restart:

service fail2ban status
Note:
If Fail2ban does not start successfully after creating your configuration file, it is possible you have a typo in the configuration file /etc/fail2ban/jail.local. Check the file contents and try again!

Fail2ban Usage

At this point, you have successfully installed and configured Fail2ban, congratulations! For the remainder of this tutorial, we will show you how to use the program and how to manage IP blocks.

Run the following command to check the status of Fail2ban:

fail2ban-client status

Example output shows you the number of currently configured jails. Right now we have only created a jail for sshd:

Status
 |- Number of jail:    1
 `- Jail list:    sshd

We can also poll the detailed status of individual jails. This command will check the status of the sshd jail we just configured:

fail2ban-client status sshd

Example output shows no IPs blocked, looks good!

Status for the jail: sshd
 |- Filter
 |  |- Currently failed:    0
 |  |- Total failed:    0
 |  `- File list:                 /var/log/auth.log
 `- Actions
 |- Currently banned:    0
 |- Total banned:    0
 `- Banned IP list:

Now, for example, I’m going to fail five attempts to SSH to my server. After the fifth failed attempt, my IP should be automatically blocked! The following shows the output from my workstation when I try to SSH to the server after the fifth failed attempt:

ssh root@192.168.0.101
 ssh: connect to host 192.168.0.101 port 22: Connection refused

The “connection refused” message indicates that the server’s firewall is now blocking us.

Back on the server, let’s again check the status of the SSH jail by running:

fail2ban-client status sshd

The output shows that my IP has indeed been blocked! Looking at the status, we can see my workstation’s IP address has been added to the “Banned IP list”.

Status for the jail: sshd
 |- Filter
 |  |- Currently failed:    1
 |  |- Total failed:    1
 |  `- File list:                 /var/log/auth.log
 `- Actions
 |- Currently banned:    1
 |- Total banned:    1
 `- Banned IP list:    192.168.0.102

Finally, we will demonstrate how to remove a banned IP. This is helpful if you have clients that accidentally block themselves from incorrect password attempts. The syntax for this command is as follows:

fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS>

For example, this command will delist 192.168.0.102 from the sshd jail.

fail2ban-client  set sshd unbanip 192.168.0.102

Let’s double check our work and make sure my IP address has been successfully unblocked:

fail2ban-client status sshd
Status for the jail: sshd
 |- Filter
 |  |- Currently failed:    1
 |  |- Total failed:    6
 |  `- File list:                 /var/log/auth.log
 `- Actions
 |- Currently banned:    0
 |- Total banned:    1
 `- Banned IP list:

That wraps it up for this tutorial! We only discussed protecting sshd in this tutorial, but Fail2ban can be used to help protect all kinds of other services such as httpd. We encourage you to do some further reading and see what it is capable of! Just remember that while Fail2ban is awesome, it is not a replacement for a strong set of firewall rules. When properly configured, however, Fail2ban is a great tool to help further harden your server’s security. Have fun and happy IP blocking!

The Most Helpful Humans In Hosting™

We pride ourselves on being The Most Helpful Humans In Hosting™! Our support staff is always available to assist with any Dedicated, Cloud, or VPS server issues 24 hours a day, 7 days a week 365 days a year.

We are available, via our ticketing systems at support@liquidweb.com, by phone (at 800-580-4986) or via a LiveChat for whatever method you prefer. We work hard for you so you can relax.

Avatar for Noti Peppas

About the Author: Noti Peppas

As a regular contributor to Knowledge Base center, Noti Peppas offers up how-to articles on Ubuntu, CentOS, Fedora and much more!

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article