How To Install Fail2ban On Ubuntu 14.04

Introduction

The internet is full of automated programs that attempt to break into insecure servers. Because of this, you might have seen hundreds or thousands of failed login attempts in your system’s auth.log or when you log in to your server. Thankfully, there is an easy way to put a stop to these brute-force attempts. Fail2ban is a piece of software that works with your firewall to stop these attacks in their tracks. It monitors SSH for failed login attempts, and when the number from a specific IP passes the limit you have set, it blocks that IP in the system firewall.

Installing Fail2ban

Ubuntu 14.04 makes it very easy to install fail2ban. There is an install package available right in the default repos. To install it, simply run:

apt-get update
apt-get install fail2ban -y

That is all that is actually required to install the program, but it still must be configured.

Basic Configuration

Out of the box, fail2ban is set up to block failed SSH login attempts only, though it can be configured to block for other applications as well. Those will be covered in a different guide.

Fail2ban stores its configuration in the /etc/fail2ban directory. There you will find a file called jail.conf that contains the default configuration. This file may be overwritten if the fail2ban package is ever updated, so it is a good idea to copy it to a file that will not change. Fail2ban reads jail.local after jail.conf, so settings in jail.local take precedence.

To do so run the command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now it is time to edit the configuration file:

nano /etc/fail2ban/jail.local

Near the top you will find a section labeled [DEFAULT]. The settings defined here apply to every service that does not override them in its own section.

A few common settings to change:

ignoreip = 127.0.0.0/8

This ensures that traffic coming locally from the server itself is not blocked. You can ignore additional addresses by appending them to the end of the line, separated by a space.

findtime = 600
maxretry = 3

These two options define how fail2ban decides whether the person attempting to log in is an attacker. findtime is the length of the counting window, in seconds. maxretry is the number of failed attempts that are allowed within that window. In this case, if a person fails to log in 3 times within 10 minutes, they will be blocked.

bantime = 600

This value defines the amount of time, in seconds, that a client is banned for after failing to log in. By default it is set to 10 minutes.
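To see how ignoreip, findtime, the retry limit (the option fail2ban names maxretry) and bantime interact, the following Python sketch replays a few auth.log lines through the same counting rule. It is an added example, not part of the original guide and not fail2ban's own code; the log lines, host name, addresses and the simplified regular expression are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values from the [DEFAULT] settings discussed above.
IGNOREIP = [ip_network("127.0.0.0/8")]
FINDTIME, MAXRETRY, BANTIME = 600, 3, 600

# Simplified pattern (assumption): fail2ban's real sshd filter matches more.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed auth.log lines; the addresses are documentation ranges.
SAMPLE = """\
Mar 12 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 12 10:00:05 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 12 10:00:09 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 12 10:01:00 web1 sshd[2010]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 12 10:02:00 web1 sshd[2015]: Failed password for root from 127.0.0.1 port 22022 ssh2
Mar 12 10:08:00 web1 sshd[2020]: Failed password for alice from 198.51.100.20 port 40111 ssh2
Mar 12 10:12:00 web1 sshd[2030]: Failed password for alice from 198.51.100.20 port 40125 ssh2
""".splitlines()

def simulate(lines, year=2015):
    """Return [(ip, banned_at, unbanned_at)] for the given log lines."""
    failures, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP):
            continue                      # ignoreip: never counted
        if ts < banned_until.get(ip, ts):
            continue                      # still banned, firewall drops it
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()              # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((str(ip), ts, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Only 203.0.113.7 is banned: 198.51.100.20 also fails three times, but its first failure has aged out of the 600-second window by the third, and 127.0.0.1 is covered by ignoreip.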

Finishing Up

Once you have made the changes you want to the configuration file, save the file and close it with Ctrl+O and then Ctrl+X.

To apply the changes, restart the service by running the commands:

service fail2ban stop
service fail2ban start

There are many more powerful things that can be configured in fail2ban, but the basics in this guide should help secure your server from SSH brute-force attacks.

CC BY 4.0 This work is licensed under a Creative Commons Attribution 4.0 International License.

Alex Wacker has written 16 articles

I am the founder and owner of Subnet Labs LLC. Impact VPS is one of our VPS brands. Linux, virtualization and the internet amaze me and I enjoy learning new things every day about them.
