How to Install Fail2ban On Ubuntu Server 18.04

Add an intrusion detection system on Ubuntu for more security.


The Ubuntu Server is highly regarded on many levels. Although it might not be as secure out of the box as, say, CentOS, it can, with a few additions, rise to that particular occasion.

One step you can take to improve Ubuntu Server's security is to add an intrusion detection system. For that, you will likely want to turn to Fail2ban. Fail2ban monitors specific log files (found within the /var/log directory) for failed login attempts or automated attacks. When Fail2ban detects an attempted compromise from an IP address, it blocks that address (by adding it to a dedicated chain in the iptables firewall) so it can no longer reach, or keep attacking, the server. Let's install Fail2ban on the Ubuntu Server 18.04 platform.

What You’ll Need to Install Fail2ban

All you need to successfully install Fail2ban is a running instance of Ubuntu Server 18.04 and a user account with sudo privileges. Both the installation and configuration of Fail2ban are done via command line, so prepare to type.

Update Ubuntu Before Installing Fail2ban

The installation of Fail2ban is very simple. However, before we install the package, let's first update and upgrade Ubuntu. Note that if this process upgrades the kernel, you'll need to restart the server so the changes take effect. Because of this, make sure to run the update/upgrade process at a time when a reboot is possible.

To update and upgrade Ubuntu Server, open a terminal and issue the following commands:

sudo apt-get update
sudo apt-get upgrade -y

Once the upgrade completes, reboot the server (if necessary) and install Fail2ban.

How to Install Fail2ban

Now it’s time to install Fail2ban. This can be done with a single command. At the terminal window, issue:

sudo apt-get install -y fail2ban

The above command installs everything needed to run and manage Fail2ban (including the fail2ban-client command, which is necessary for unbanning IP addresses; more on that in a bit). Once the installation completes, you'll need to start and enable Fail2ban with the following two commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Fail2ban is now running on the system and is ready to be configured.

Configuring Fail2ban

Fail2ban is configured using jails. A jail allows you to define how a service will be monitored and how quickly to take action against attacks. There are quite a lot of options that can be configured for each jail, but we’re going to start out small.

Out of the box, the configuration is already reasonably secure. However, it is also highly flexible. The main configuration file is /etc/fail2ban/jail.conf. You do not want to edit that file, because package upgrades can overwrite it. Instead, you'll create a new file with the .local file extension. Fail2ban always reads .conf files first and .local files second, so any setting in the .local file overrides the same setting in the .conf file, while settings you leave out keep their .conf defaults. Let's say you want to create a custom jail for the Secure Shell daemon that will:

  • Monitor /var/log/auth.log
  • Use the default fail2ban sshd filter
  • Set the SSH port to 22
  • Set the maximum retry to 3

The SSH customizations in the .local jail will override any matching settings found within the main configuration file, jail.conf (for instance, the default maxretry in jail.conf is 5). With this jail in place, if a person (or bot) fails an SSH login attempt three times, the originating IP address will be banned.

To configure this, issue the command:

sudo nano /etc/fail2ban/jail.local

In this new file, paste the following contents:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Save and close the file by simultaneously hitting the Ctrl and X keys on your keyboard. With that file saved, restart Fail2ban with the command:

sudo systemctl restart fail2ban
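To see what the .conf-then-.local precedence described above actually produces, here is an added example (not from the article and not Fail2ban's own code) that layers two constructed config snippets the way Fail2ban layers jail.conf and jail.local, and returns the effective options for the sshd jail:

```python
# Added example (not from the article): simulate Fail2ban's rule that
# jail.conf is read first and jail.local second, so keys in jail.local
# override same-named keys in jail.conf, while keys left alone (including
# [DEFAULT] values such as bantime) fall through unchanged.
# Both snippets below are constructed samples, not the real files.
import configparser

JAIL_CONF = """
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""

JAIL_LOCAL = """
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
"""


def effective_jail(jail, *layers):
    """Read config layers in order (.conf first, .local second) and return
    the resulting options for one jail as a plain dict. Later layers win."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in layers:
        # Each read_string() merges into the same parser; a key seen again
        # replaces the earlier value, which is exactly the override rule.
        parser.read_string(text)
    if not parser.has_section(jail):
        raise KeyError(f"jail [{jail}] not defined in any layer")
    # parser[jail] also exposes [DEFAULT] keys the jail did not override
    return dict(parser[jail])


if __name__ == "__main__":
    for key, value in sorted(effective_jail("sshd", JAIL_CONF, JAIL_LOCAL).items()):
        print(f"{key} = {value}")
```

On the live server, sudo fail2ban-client get sshd maxretry shows the value the running daemon actually loaded, which is the quickest way to confirm the override took.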

Testing Fail2ban

Screenshot of Fail2ban blocking an IP address.

To test Fail2ban, go to another machine and attempt to Secure Shell into the server, each time typing the user password incorrectly. After the third failed login, the originating IP address will be banned. You can attempt to SSH back into the server from the same IP address, but you will be denied access. Congratulations, your new Fail2ban jail is working.
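To make the ban decision above concrete, here is an added example (not from the article and not Fail2ban's real sshd filter) that runs the same logic over a few constructed /var/log/auth.log lines: count failed SSH logins per source IP inside a sliding findtime window and report which addresses would be banned at maxretry = 3. The log lines, host name and addresses are made up.

```python
# Added example (not from the article): a small re-implementation of the
# decision the sshd jail makes, run over constructed auth.log lines.
# Fail2ban's real sshd filter matches many more message forms; this one
# only handles the common "Failed password" line.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog layout of /var/log/auth.log on 18.04.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 srv sshd[2001]: Failed password for root from 192.168.1.100 port 50110 ssh2
Mar  3 10:12:04 srv sshd[2001]: Failed password for root from 192.168.1.100 port 50110 ssh2
Mar  3 10:12:07 srv sshd[2001]: Failed password for root from 192.168.1.100 port 50110 ssh2
Mar  3 10:12:09 srv sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar  3 10:40:00 srv sshd[2010]: Failed password for invalid user admin from 203.0.113.5 port 40023 ssh2
Mar  3 10:40:03 srv sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def banned_ips(log_text, maxretry=3, findtime=600, year=2024):
    """Return the set of IPs that reach maxretry failures within findtime seconds.
    findtime defaults to 600 s, matching Fail2ban's 10m default."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        # syslog lines carry no year; the caller supplies one (assumed here)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned.add(m["ip"])
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(banned_ips(SAMPLE_AUTH_LOG)))
```

Note that 203.0.113.5 is not banned: its two failures are both below maxretry and nearly half an hour apart, so the findtime window never holds them together.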

Unblocking an IP Address

So you now have Fail2ban working and you've successfully tested the SSH jail. Unfortunately, the machine you just tested the jail with is now blocked. What do you do? Fortunately, the developers thought of that and included a way to easily unblock an IP address. Say the IP address you used to test Fail2ban was 192.168.1.100, and you still need to be able to use that address to reach the server. You can unban that IP with the fail2ban-client command (which is installed along with fail2ban) like so:

sudo fail2ban-client set sshd unbanip 192.168.1.100

After issuing the above command, you should now be able to Secure Shell back into the server running Fail2ban.