Fail2Ban is a package that runs a service which watches a server's log files for patterns that indicate repeated malicious attempts to get in, for example a burst of failed SSH logins from one address. When an address exceeds the configured number of failures, Fail2Ban bans it by adding a blocking rule to the host firewall for a set period. This puts an extra layer in front of your regular authentication by cutting off repeated attempts from the same source, but it does not replace strong authentication, your firewall or any other part of your security posture: an attacker who spreads attempts over many source addresses, or who stays below the retry threshold, is not stopped by it. Treat Fail2Ban as a supplementary control.
Fail2Ban is in the default Ubuntu apt repositories, so it installs like any other package:
apt-get install fail2ban
Fail2Ban can also email you a report each time it bans an address, including the firewall rule it added. This is optional; if you want it, make sure a mail transfer agent such as sendmail is installed so Fail2Ban has something to hand the mail to:
apt-get install sendmail
Fail2Ban takes its daemon settings from two files, /etc/fail2ban/fail2ban.conf and /etc/fail2ban/fail2ban.local. It reads the .conf file first and then applies whatever the .local file sets on top of it, key by key, so a .local only needs to contain the settings you actually change. Leave the .conf file as shipped and make all of your changes in the .local file: a package upgrade may replace the .conf, and the untouched defaults remain available for reference. The same .conf/.local rule applies to jail.conf and jail.local (covered below) and to the filter and action definitions under /etc/fail2ban/filter.d and /etc/fail2ban/action.d.
To begin, check whether a .local file exists; the package does not ship one, so you will usually have to create it. The simplest way is to copy the .conf file and edit the copy, as in the example below (a .local containing only the keys you change works just as well):
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Once created, open the .local file in your preferred text editor. The most commonly changed options are near the top. loglevel sets how much Fail2Ban writes to its own log: current releases take a level name (CRITICAL, ERROR, WARNING, NOTICE, INFO or DEBUG, with INFO the default), while the older 0.8 releases take a number from 1 (errors only) to 4 (debug). A higher level gives more detail, which helps when a filter is not matching or a jail is not banning as you expect, at the cost of a much larger log file; a lower level does the opposite. DEBUG is for troubleshooting, not for leaving on.
‘logtarget’ determines where Fail2Ban sends logs. By default this is set to /var/log/fail2ban.log and wouldn’t typically need to be modified. The socket and pid files are also denoted here.
Setting up your jail.local
Fail2Ban is now installed, but it only watches the services you give it a jail for, so the next step is the jail configuration file. A jail ties together a filter (which log file to read and the regular expressions that identify a failed attempt in it), the thresholds that turn failures into a ban, and the action that carries the ban out. jail.conf contains a section for every service Fail2Ban ships a filter for, nearly all of them disabled.
On Ubuntu only the sshd jail is enabled out of the box (the Debian-based packages switch it on through /etc/fail2ban/jail.d/defaults-debian.conf). If you want Fail2Ban to monitor other services such as HTTP or FTP, create a jail.local file the same way we created the .local file for the main configuration:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Once created, edit it with your preferred text editor. For each service you want monitored, make sure its section contains enabled = true; every other setting in the section is inherited from [DEFAULT] unless you set it in the jail itself. Next check the ban action. The stock banaction in jail.conf is iptables-multiport, which inserts raw iptables rules that UFW's own status output does not show; if the host is managed with UFW, set banaction = ufw (in [DEFAULT] to cover every jail, or inside a single jail section) so that bans land in UFW's rule set. Finally, check the port for each enabled jail and change it if the service runs on a non-default port: the multiport actions only block the ports listed, so a wrong value leaves the real service reachable by the banned address.
Once the individual jails are configured, review the [DEFAULT] section near the top of the file, which every jail inherits from. Two things deserve attention there: the whitelist (ignoreip) and the ban parameters. Addresses in ignoreip are never counted or banned, whatever they do, so list the addresses from which you expect to administer the server, but keep the list to what you need, because anything whitelisted is exempt from this protection entirely. Entries are separated by spaces and may be single addresses or ranges in CIDR notation (x.x.x.x/n); an example with a range and a single address:
ignoreip = 127.0.0.1/8 184.108.40.206
Other important variables: bantime, findtime and maxretry. bantime is how long an address stays banned; a negative value (bantime = -1) makes the ban permanent. findtime is the window within which failures are counted, and maxretry is the number of failures inside that window that triggers a ban. The jail.conf shipped with older releases sets bantime and findtime to 600 seconds (10 minutes) and maxretry to 3; current releases write these as 10m and default maxretry to 5, so check the values in your own jail.conf. With the older defaults, an address that fails authentication 3 times within any 10-minute window is banned for 10 minutes, and a failure that is more than findtime old no longer counts. Note that the ban is per address: an attacker who spreads attempts across many addresses stays below maxretry on each one, so Fail2Ban limits brute force from a single source rather than a distributed one.
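As an added example (not code from the Fail2Ban project or from this page), the following Python script shows the two mechanisms described above in one place: how a jail.local overrides a jail.conf key by key, with [DEFAULT] filling in whatever a jail section does not set, and how ignoreip, findtime, maxretry and bantime decide which addresses in a log are banned. The jail.conf and jail.local texts, the auth.log lines (which use RFC 5737 documentation addresses) and the year 2024 assumed for the syslog timestamps are all constructed for the example, and the failregex is a simplified stand-in for the real sshd filter.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-ins for the packaged jail.conf and an admin's jail.local;
# the real files are far longer, only the keys discussed on this page appear.
JAIL_CONF = """
[DEFAULT]
enabled = false
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
banaction = iptables-multiport

[sshd]
port = ssh
"""
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.20
banaction = ufw
maxretry = 5

[sshd]
enabled = true
port = 2222
"""
# Constructed auth.log excerpt using RFC 5737 documentation addresses.
AUTH_LOG = """\
Mar 13 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar 13 10:00:05 web sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 13 10:00:09 web sshd[2105]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar 13 10:00:13 web sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40116 ssh2
Mar 13 10:00:30 web sshd[2110]: Failed password for root from 203.0.113.9 port 51000 ssh2
Mar 13 10:01:00 web sshd[2112]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 13 10:01:17 web sshd[2114]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 13 10:02:00 web sshd[2116]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar 13 10:03:00 web sshd[2118]: Failed password for root from 203.0.113.9 port 51006 ssh2
Mar 13 10:05:00 web sshd[2120]: Accepted publickey for deploy from 198.51.100.20 port 33000 ssh2
Mar 13 10:06:00 web sshd[2122]: Failed password for deploy from 198.51.100.20 port 33002 ssh2
Mar 13 10:06:05 web sshd[2124]: Failed password for deploy from 198.51.100.20 port 33004 ssh2
Mar 13 10:06:10 web sshd[2126]: Failed password for deploy from 198.51.100.20 port 33006 ssh2
Mar 13 10:06:15 web sshd[2128]: Failed password for deploy from 198.51.100.20 port 33008 ssh2
Mar 13 10:06:20 web sshd[2130]: Failed password for deploy from 198.51.100.20 port 33010 ssh2
Mar 13 10:20:00 web sshd[2140]: Failed password for root from 203.0.113.9 port 51008 ssh2
"""
# Simplified stand-in for the failregex in Fail2Ban's sshd filter.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")


def load_jails(conf_text, local_text):
    """Layer .local over .conf as Fail2Ban does: a key named in .local replaces
    the .conf value, everything else is kept, and [DEFAULT] fills in any key
    a jail section does not set itself."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    cfg.read_string(local_text)
    return cfg


def is_ignored(ip, ignoreip):
    """True if ip is inside any address or CIDR range in the ignoreip list
    (Fail2Ban also accepts hostnames there; this example handles addresses only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip.split())


def parse_time(line, year=2024):
    """syslog timestamps carry no year; 2024 is assumed for the constructed log."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(lines, jail):
    """Apply one jail's ignoreip/findtime/maxretry/bantime to log lines.
    Returns {ip: (ban_start, ban_expiry)}, expiry None for a permanent ban."""
    findtime, maxretry = int(jail["findtime"]), int(jail["maxretry"])
    bantime = int(jail["bantime"])
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, jail["ignoreip"]):
            continue
        now = parse_time(line)
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = (now, None if bantime < 0 else now + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    sshd = load_jails(JAIL_CONF, JAIL_LOCAL)["sshd"]
    print({k: sshd[k] for k in ("enabled", "port", "banaction", "maxretry", "ignoreip")})
    for ip, (start, expiry) in scan(AUTH_LOG.splitlines(), sshd).items():
        print(ip, "banned at", start.time(), "until", expiry.time() if expiry else "removed manually")
```

Run as is, it reports 203.0.113.7 banned at 10:01:17 (five failures inside 76 seconds) while 203.0.113.9 is not, because its fifth failure arrives after the first four have aged out of the 10-minute window, and 198.51.100.20 is never counted because it is in ignoreip. Load the same log with JAIL_CONF alone (maxretry 3, no whitelist entry for 198.51.100.20) and all three addresses are banned, which is the practical difference the overrides make.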
(Optional) Configure the email section to receive reports from Fail2Ban
If you wish to receive email reports from Fail2Ban, make sure you have installed sendmail as described earlier and set a few more fields in jail.local. destemail is the address the reports go to, and sender is the From address Fail2Ban uses. Setting these alone sends nothing, because the default action (action_) only bans: set action to %(action_mw)s to also mail a whois report on each banned address, or %(action_mwl)s to mail the whois report together with the log lines that triggered the ban. Both run a whois lookup on every ban, so on a busy server they generate a lot of mail.
Start/Restart the Fail2Ban service
Once you have finished the configuration, save and exit your text editor. The daemon reads its configuration when it starts, so it must be restarted to pick up the changes. Ubuntu starts the Fail2Ban service on installation, so restart it rather than start it; on releases that use systemd, systemctl restart fail2ban does the same job as the init script below.
sudo /etc/init.d/fail2ban restart
That's it! You have added an extra layer of protection to your server. To test it, deliberately fail a few logins from an address that is not in ignoreip and check /var/log/fail2ban.log for the ban entry; the command fail2ban-client status sshd lists the addresses currently banned by that jail. Test from an address other than the one you administer from. If you do lock yourself out, log in through an out-of-band console (for example your hosting provider's web console) or from a whitelisted address, then lift the ban with fail2ban-client set sshd unbanip followed by your address, which also removes the firewall rule. You may then want to add that address to ignoreip.