Software & Apps Linux Install Fail2ban on Ubuntu Server 18.04 Add an intrusion detection system on Ubuntu for more security. by Jack Wallen Writer Jack Wallen is a former Lifewire writer, an award-winning writer for TechRepublic and Linux.com, and the voice of The Android Expert. our editorial process LinkedIn Jack Wallen Updated on March 23, 2020 Tweet Share Email Linux Switching from Windows Improve Ubuntu Server's security through the addition of an intrusion detection system. For that, you will likely want to turn to Fail2ban. Fail2ban monitors specific log files (found within the /var/log directory) for failed login attempts or automated attacks. When Fail2ban detects an attempted compromise from an IP address, it blocks the IP address (by adding a new chain to the iptables security system) from gaining entry to the server. To install Fail2ban, you need shell access on any supported version of Ubuntu Server, with an account that has sudo privileges allowing for the installation of new software packages. Irakli/Abashidze/EyeEm / Getty Images How to Install Fail2ban Install Fail2ban using Apt. It's best to perform the installation on a freshly updated server platform, and if the kernel version updates, reboot the server before you install Fail2ban. After the installation completes, start and enable Fail2ban with the following two commands: sudo systemctl start fail2bansudo systemctl enable fail2ban Fail2ban is now running on the system and is ready to be configured. Configure Fail2ban Fail2ban is configured using jails. A jail defines how a service monitors and how quickly to take action against attacks. Out of the box, the system is already secure. However, it is also highly flexible. The main configuration file is /etc/fail2ban/jail.conf. Don't edit that file. Instead, create a new file with the .local file extension. Fail2ban always reads .conf files first and .local files second. Any configuration read in the .local file will override similar configurations in the .conf file. Example Configuration Let's say you want to create a custom jail for the Secure Shell daemon that will: Monitor /var/log/auth.log. Use the default fail2ban sshd filter. Set the SSH port to 22. Set the maximum retry to 3. The ssh customizations in the .local jail will override any similar configuration found in the main configuration file, jail.conf (for instance, the default maximum retry in jail.conf is set to 5). With this jail in place, if a person (or bot) fails an SSH login attempt three times, the originating IP address will be banned. To configure this, issue the command: sudo nano /etc/fail2ban/jail.local In this new file, paste the following contents: [sshd]enabled = trueport = 22filter = sshdlogpath = /var/log/auth.logmaxretry = 3 Save and close the file, then restart Fail2ban with the command: sudo systemctl restart fail2ban Test Fail2ban To test Fail2ban, go to another machine with a different IP address and initiate a Secure Shell session into the server, each time typing the user password incorrectly. After the third failed login, that user account becomes banned. Even if you attempt to SSH back into the server from the same IP address, access is still denied. Unblock an IP Address Un-ban an IP with the fail2ban-client command (which is installed along with fail2ban) like so: sudo fail2ban-client set sshd unbanip 192.168.1.100 Was this page helpful? Thanks for letting us know! Get the Latest Tech News Delivered Every Day Email Address Sign up There was an error. Please try again. You're in! Thanks for signing up. There was an error. Please try again. Thank you for signing up. Tell us why! Other Not enough details Hard to understand Submit