What is Fail2ban?

Fail2ban is software written in Python that helps prevent brute-force and DDoS attacks. It uses the failed access attempts logged by the system to detect malicious IP addresses, and then blocks those IP addresses to stop further attempts. It is highly recommended to have it installed on any system exposed to the Internet.

How does Fail2ban work?

Fail2ban runs as a daemon that monitors the log files of the services with open ports (mainly SSH, HTTPS…). It counts the failed access attempts coming from a single IP address, and when that number reaches a threshold that suggests an attack, it treats the address as a possible attacker and uses the system firewall (iptables on Linux systems) to block it. From that moment on, that IP address is not allowed to access the system.

Install Fail2ban

To install Fail2ban on a Debian-based system (such as Ubuntu), just execute the following command in your terminal:

sudo apt install fail2ban

Check installation

To check that the application has been successfully installed, just type this command:

fail2ban-client -h

This should return the Fail2ban help information.

You can also check the version of the installed Fail2ban:

sudo fail2ban-client -V

Start Fail2ban

Now we can start the application.

sudo service fail2ban start

Configure Fail2ban

General configuration

Fail2ban ships with a default configuration file named jail.conf, but it is recommended not to edit this file directly. Instead, copy it to another file (jail.local), where you can make any modification needed; Fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades.

cd /etc/fail2ban
sudo cp jail.conf jail.local

In our case, we are not going to change anything.

Jails

The next step is to configure the jails. In my case, as I am using a Debian-based system, the file /etc/fail2ban/jail.d/defaults-debian.conf is created by default with this configuration:

[sshd]
enabled = true

This means that the sshd jail is enabled. This jail uses the default configuration parameters, whose values we can see with these commands.

Default Parameters

Bantime

The period of time the IP address is blocked (or banned).

sudo fail2ban-client get sshd bantime
600

Findtime

The period of time in which Fail2ban searches for failed attempts.

sudo fail2ban-client get sshd findtime
600

Maxretry

The number of attempts needed to trigger the ban action within findtime seconds (600).

sudo fail2ban-client get sshd maxretry
5

Change the jail parameters

The previous default parameters may be fine for you, but in my case I prefer to change them for the sshd jail. For this jail, I am going to set these parameters in the jail config file (/etc/fail2ban/jail.d/defaults-debian.conf):

  • bantime: 24 hours
  • findtime: 30 seconds
  • maxretry: 1

So I edit the file /etc/fail2ban/jail.d/defaults-debian.conf with them. I am also going to change the action so that I get an e-mail each time an IP address is banned.

[sshd]
enabled = true
bantime = 24h
findtime = 30
maxretry = 1

action = %(action_mwl)s
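To make the findtime / maxretry / bantime interplay from the "How does Fail2ban work?" section and the jail settings above concrete, here is an added example (not code from the original post, and not Fail2ban's own implementation) that replays a constructed /var/log/auth.log excerpt through a small sliding-window counter. The log lines, the regex for OpenSSH "Failed password" messages, the year used to parse syslog timestamps and the helper names (Jail, run_jail) are all assumptions for this example; the 24h bantime from the post is expressed as 86400 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed regex for OpenSSH "Failed password" lines; an assumption for this
# example, not Fail2ban's own sshd filter (which lives in filter.d/sshd.conf).
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

LOG_YEAR = 2024  # syslog lines carry no year; assumed here for parsing


class Jail:
    """Sliding-window counter that mimics findtime / maxretry / bantime."""

    def __init__(self, findtime, maxretry, bantime):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.bans = {}                       # ip -> ban expiry time

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                    # bantime elapsed: lift the ban
            del self.bans[ip]
            return False
        return True

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            return None                      # not a failed login, ignore it
        now = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self.is_banned(ip, now):
            return None                      # firewall would already reject it
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                 # forget attempts older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None


# Constructed sample of /var/log/auth.log: one host hammering root, one user
# making a couple of mistakes, and an unrelated accepted login.
SAMPLE_LOG = """\
Mar 15 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar 15 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar 15 10:00:05 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
Mar 15 10:00:09 host sshd[1004]: Failed password for alice from 198.51.100.9 port 50100 ssh2
Mar 15 10:00:20 host sshd[1005]: Accepted publickey for alice from 198.51.100.9 port 50101 ssh2
Mar 15 10:01:00 host sshd[1006]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar 15 10:01:30 host sshd[1007]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar 15 10:02:00 host sshd[1008]: Failed password for root from 203.0.113.7 port 50006 ssh2
Mar 15 10:05:00 host sshd[1009]: Failed password for alice from 198.51.100.9 port 50102 ssh2
"""


def run_jail(findtime, maxretry, bantime, log=SAMPLE_LOG):
    """Replay a log through a jail; return (timestamp, ip) for each ban event."""
    jail = Jail(findtime, maxretry, bantime)
    events = []
    for line in log.splitlines():
        banned = jail.feed(line)
        if banned:
            events.append((line[:15], banned))
    return events


if __name__ == "__main__":
    print("defaults (600 / 5 / 600):", run_jail(600, 5, 600))
    print("post settings (30 / 1 / 86400):", run_jail(30, 1, 86400))
```

With the defaults, 203.0.113.7 is banned on its fifth failure (10:01:30) while alice's two typos from 198.51.100.9 never reach maxretry; with the post's settings (maxretry = 1) both addresses are banned on their very first failed login, which is the trade-off of such an aggressive jail: a single mistyped password from your own workstation locks you out for 24 hours.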

Test the jail configuration

Fail2ban has a command to validate the jail configuration. To run the validation, use this command:

sudo fail2ban-client --test

Reload

Once the validation has passed, we can reload the service to apply the configuration changes.

sudo service fail2ban reload

Check Fail2ban status

To check the status of the service you can use this command:

sudo fail2ban-client status

And to get the status of the jail:

sudo fail2ban-client status sshd

Check Fail2ban banned IPs

The previous status check already lists the banned IPs; you can also see them directly in the firewall. With this command you will see the banned IPs with the REJECT target in the table:

sudo iptables -L -n -v --line-numbers

Enable at boot

Finally, by default Fail2ban is not started at boot. To enable it:

sudo systemctl enable fail2ban

Conclusion

With Fail2ban installed, we have an extra layer of security against attacks on the system. It is highly recommended to have a solution like this on any system exposed to the Internet.

Now, I recommend checking how to integrate AbuseIPDB with Fail2ban.