What is Fail2ban?
Fail2ban is a software written in Python which help us to prevent brute force or DDoS attacks. It uses the failed access attempts logged in the system to detect the malicious IP addresses. Then, these IP addresses are blocked to avoid more attempts. It’s a software highly recommended to have installed in any system exposed to The Internet.
How does Fail2ban work?
Fail2ban is as a daemon which is monitoring every access to the system to the different services which have open ports (Mainly SSH, HTTPS…). It monitors the number of access attemps from a single IP address, and when Fail2ban detects the number of attemps which are suspicios to be an attack. Once identified a possible attacker Fail2ban uses the system Firewall (Iptables in Linux systesms) to block the IP address. From that moment that IP address will not be allowed to access the system.
To install Fail2ban in a Debian based system (such us Ubuntu) just execute next command in your terminal:
sudo apt install fail2ban
To check if the application has been sucessfully installed, just type this command:
Which should return the help information of Fail2ban.
Also you could check the version of the installed Fail2ban…
sudo fail2ban-client -V
Now we can start the application.
sudo service fail2ban start
Fail2ban includes a default configuration file named
jail.conf, but it is recommended not to edit this file. Instead copy it to another file (
jail.local), in which we could do any modification needed.
sudo cp jail.conf jail.local
In our case, we are not going to change anything.
Next step is to configure the jails. In my case as I am using a Debian based system, I have the file
/etc/fail2ban/jail.d/defaults-debian.conf created by default with this configuration:
enabled = true
This means that I have enabled the sshd jail. This jail has the defaults configuration parameters. We can see the values with these commands.
The period of time the IP address is blocked (or banned).
sudo fail2ban-client get sshd bantime
The period of time in which Fail2ban searchs attemps.
sudo fail2ban-client get sshd findtime
The number or attempts needed to perform the block action within findtime seconds (600).
sudo fail2ban-client get sshd maxretry
Change the jail parameters
The previous default parameters could be good for you, but in my case for the sshd jail I prefer to change them. For this jail, I am going to set these parameters in the jail config file (
- bantime: 24 hours
- findtime: 30 seconds
- maxretry: 1
so I edit the file
/etc/fail2ban/jail.d/defaults-debian.conf with them. I am also going to change the action defined to get an e-mail each time an IP address is banned.
enabled = true
bantime = 24h
findtime = 30
maxretry = 1
action = %(action_mwl)s
Test the jail configuration
Fail2ban has a command to validate the jails configuration done. For the validation you have to use this command:
sudo fail2ban-client --test
Once the validation has been done, we can reload the service to load the configuration changes.
sudo service fail2ban reload
Check Fail2ban status
To check the status of the service you can use this command:
sudo fail2ban-client status
And to get the status of the jail:
sudo fail2ban-client status sshd
Check Fail2ban banned IPs
In the previous check you could have seen the banned IPs in the firewall application. With this command you’ll see the IP banned with the REJECT value in the table.
sudo iptables -L -n -v --line-numbers
Enable at boot
Finally, by default Fail2ban is not started at boot. To enable it:
sudo systemctl enable fail2ban
When Fail2ban is installed, we have an extra layer of security to avoid a system being attacked. It’s highly recommended to have a solution like this in any system exposed to The Internet.
Now, I recommend you to check how to integrate AbuseIPDB with Fail2ban.