How To Install Fail2ban on Ubuntu Server 18.04
Add an intrusion detection system on Ubuntu for more security.

by Jack Wallen. Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert. Updated October 28, 2019

Improve Ubuntu Server's security by adding an intrusion detection system. For that, you will likely want to turn to Fail2ban. Fail2ban monitors specific log files (found within the /var/log directory) for failed login attempts or automated attacks. When Fail2ban detects repeated failures from an IP address, it blocks that address from reaching the server by adding a firewall rule (by default, a per-jail chain in iptables). The ban is temporary: it expires after the jail's bantime, which is 10 minutes unless you change it.

To install Fail2ban, you'll need shell access on any supported version of Ubuntu Server, with an account that has sudo privileges so it can install new software packages.

How to Install Fail2ban

Install the fail2ban package using Apt. It's best to perform the installation on a freshly updated server, and if the update brings in a new kernel, reboot the server before you install Fail2ban. After the installation completes, start and enable Fail2ban with the following two commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Fail2ban is now running on the system and is ready to be configured.

Configuring Fail2ban

Fail2ban is configured using jails. A jail pairs a log file with a filter (the patterns that count as a failure) and an action (what to do once the failures add up), and sets how many failures within what time window trigger that action. Out of the box, the defaults are already reasonable; on Ubuntu the sshd jail is even enabled by default through /etc/fail2ban/jail.d/defaults-debian.conf. The system is also highly flexible. The main configuration file is /etc/fail2ban/jail.conf. Do not edit that file, because package upgrades overwrite it. Instead, create a new file with the .local file extension. Fail2ban always reads .conf files first and .local files second.
Any setting in the .local file overrides the same setting in the .conf file; settings you do not mention keep their jail.conf values.

Example Configuration

Let's say you want to create a custom jail for the Secure Shell daemon that will:

- Monitor /var/log/auth.log
- Use the default fail2ban sshd filter
- Set the SSH port to 22
- Set the maximum retry to 3

The ssh customizations in the .local jail will override any similar configuration found within the main configuration file, jail.conf (for instance, the default maximum retry in jail.conf is 5). With this jail in place, if a person (or bot) fails an SSH login attempt three times within the jail's findtime (10 minutes by default), the originating IP address is banned for the jail's bantime (also 10 minutes by default). If your SSH daemon listens on a non-standard port, set port to that number; otherwise the ban rule will not cover the port attackers are actually hitting.

To configure this, issue the command:

sudo nano /etc/fail2ban/jail.local

In this new file, paste the following contents:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save and close the file, then restart Fail2ban with the command:

sudo systemctl restart fail2ban

Testing Fail2ban

To test Fail2ban, go to another machine with a different IP address and initiate a Secure Shell session to the server, typing the user password incorrectly each time. Use a throwaway machine or a second address for this: it is the client's IP address, not the user account, that gets banned, so testing from the address you administer the server from would lock you out for the length of bantime. After the third failed login, the originating IP address is banned. Even if you attempt to SSH back into the server from the same IP address with the correct password, the connection is refused until the ban expires.

Unblocking an IP Address

Un-ban an IP with the fail2ban-client command (which is installed along with fail2ban) like so:

sudo fail2ban-client set sshd unbanip 192.168.1.100
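The whole procedure as one script, added here as an example and not part of the Lifewire article. It renders the jail.local above with three extra settings a practitioner wants (bantime, findtime and an ignoreip entry for the admin's own address), replays constructed auth.log lines through a simplified stand-in for the sshd filter so you can see which addresses would cross maxretry before any real client is banned, and, only when run with F2B_APPLY=1, installs the package, writes the file, restarts the service and checks the jail with fail2ban-client and fail2ban-regex. The admin address 203.0.113.10, the log lines, the F2B_APPLY variable and the helper function names are assumptions made up for this example; the simplified filter counts only "Failed password" lines, whereas the real filter.d/sshd.conf matches more patterns and also applies findtime.

```shell
#!/bin/sh
# Added example, not code from the Lifewire article. Builds the sshd jail
# from the text, dry-runs a simplified sshd filter over constructed log
# lines, and applies the jail on the host only when F2B_APPLY=1 is set.
# Assumptions (constructed for the example): the admin address
# 203.0.113.10, the sample log lines below and the F2B_APPLY variable.
set -eu

# Render /etc/fail2ban/jail.local. Keys given here override the same keys
# in jail.conf (maxretry defaults to 5, bantime and findtime to 10m).
# Usage: render_jail_local PORT MAXRETRY BANTIME FINDTIME IGNOREIP
render_jail_local() {
    cat <<EOF
[DEFAULT]
# Addresses never banned: loopback plus the admin's own address.
ignoreip = 127.0.0.1/8 ::1 $5
bantime = $3
findtime = $4

[sshd]
enabled = true
port = $1
filter = sshd
logpath = /var/log/auth.log
maxretry = $2
EOF
}

# Simplified stand-in for filter.d/sshd.conf: count "Failed password" lines
# per source address on stdin and print "count ip" for every address whose
# failures reach MAXRETRY, skipping IGNOREIP. The real filter matches more
# patterns and applies findtime; use fail2ban-regex for the authoritative
# test. Usage: failures_over_threshold MAXRETRY [IGNOREIP] < auth.log
failures_over_threshold() {
    awk -v max="$1" -v skip="${2:-}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && ip != skip) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' | sort -rn
}

# Constructed auth.log excerpt: 198.51.100.7 fails three times, 192.0.2.44
# twice, and the admin at 203.0.113.10 mistypes once and then logs in.
SAMPLE_AUTH_LOG='Oct 28 09:14:01 srv sshd[2111]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 28 09:14:04 srv sshd[2111]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 28 09:14:07 srv sshd[2113]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Oct 28 09:15:30 srv sshd[2120]: Failed password for jack from 203.0.113.10 port 40122 ssh2
Oct 28 09:15:41 srv sshd[2120]: Accepted password for jack from 203.0.113.10 port 40122 ssh2
Oct 28 09:16:02 srv sshd[2125]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Oct 28 09:16:05 srv sshd[2125]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2'

# The article's steps, run only on explicit request:
#   F2B_APPLY=1 sh fail2ban-sshd.sh
apply_jail() {
    sudo apt-get update
    sudo apt-get install -y fail2ban
    sudo systemctl start fail2ban
    sudo systemctl enable fail2ban
    render_jail_local 22 3 10m 10m 203.0.113.10 \
        | sudo tee /etc/fail2ban/jail.local >/dev/null
    sudo systemctl restart fail2ban
    # Check that the jail loaded and list its current bans.
    sudo fail2ban-client status sshd
    # Replay the real log through the real filter before trusting the jail.
    sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
}

if [ "${F2B_APPLY:-0}" = "1" ]; then
    apply_jail
else
    echo "Dry run: addresses reaching maxretry=3 in the sample log:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failures_over_threshold 3 203.0.113.10
fi
```

Run it once without F2B_APPLY to see the dry run (only 198.51.100.7 reaches three failures; 192.0.2.44 stops at two and the admin address is skipped by ignoreip), then with F2B_APPLY=1 on the server. Putting your own management address in ignoreip before the jail goes live is what keeps the article's test procedure from locking you out, and fail2ban-regex against the live auth.log is the check that the real filter matches the log format your sshd actually writes.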