Install Fail2ban on Ubuntu Server 18.04

Add an intrusion detection system on Ubuntu for more security.

By
Jack Wallen
Jack Wallen
Writer
Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert.
our editorial process
Jack Wallen
Updated March 23, 2020

Improve Ubuntu Server's security through the addition of an intrusion detection system. For that, you will likely want to turn to Fail2ban. Fail2ban monitors specific log files (found within the /var/log directory) for failed login attempts or automated attacks. When Fail2ban detects an attempted compromise from an IP address, it blocks the IP address (by adding a new chain to the iptables security system) from gaining entry to the server.

To install Fail2ban, you need shell access on any supported version of Ubuntu Server, with an account that has sudo privileges allowing for the installation of new software packages.

rv-locks
Irakli/Abashidze/EyeEm / Getty Images

How to Install Fail2ban

Install Fail2ban using Apt. It's best to perform the installation on a freshly updated server platform, and if the kernel version updates, reboot the server before you install Fail2ban.

After the installation completes, start and enable Fail2ban with the following two commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Fail2ban is now running on the system and is ready to be configured.

Configure Fail2ban

Fail2ban is configured using jails. A jail defines how a service monitors and how quickly to take action against attacks.

Out of the box, the system is already secure. However, it is also highly flexible. The main configuration file is /etc/fail2ban/jail.conf. Don't edit that file. Instead, create a new file with the .local file extension. Fail2ban always reads .conf files first and .local files second. Any configuration read in the .local file will override similar configurations in the .conf file.

Example Configuration

Let's say you want to create a custom jail for the Secure Shell daemon that will:

  • Monitor /var/log/auth.log.
  • Use the default fail2ban sshd filter.
  • Set the SSH port to 22.
  • Set the maximum retry to 3.

The ssh customizations in the .local jail will override any similar configuration found in the main configuration file, jail.conf (for instance, the default maximum retry in jail.conf is set to 5). With this jail in place, if a person (or bot) fails an SSH login attempt three times, the originating IP address will be banned.

To configure this, issue the command:

sudo nano /etc/fail2ban/jail.local

In this new file, paste the following contents:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save and close the file, then restart Fail2ban with the command:

sudo systemctl restart fail2ban

Test Fail2ban

To test Fail2ban, go to another machine with a different IP address and initiate a Secure Shell session into the server, each time typing the user password incorrectly. After the third failed login, that user account becomes banned.

Screenshot of Fail2ban blocking an IP address.

Even if you attempt to SSH back into the server from the same IP address, access is still denied.

Unblock an IP Address

Un-ban an IP with the fail2ban-client command (which is installed along with fail2ban) like so:

sudo fail2ban-client set sshd unbanip 192.168.1.100