\n
How to Install Fail2ban on Debian \/ Ubuntu and on similar Linux distributions<\/h2>\n\n\n\n
Installation of Fail2ban is pretty quick and straightforward for Linux distribution based on Debian and Ubuntu, following steps should work on any recent version.<\/p>\n\n\n\n
First of all make sure your distribution is up to date. We are assuming you have configured sudo user with admin privileges. <\/p>\n\n\n\n
sudo apt update && sudo apt upgrade<\/code><\/pre>\n\n\n\nOnce you are done with updating your system, you may go ahead and install Fail2ban<\/p>\n\n\n\n
sudo apt-get install fail2ban<\/code><\/pre>\n\n\n\nHere, after installation the fail2ban service will be automatically started and enabled. You can verify it buy running following command:<\/p>\n\n\n\n
sudo systemctl status fail2ban<\/code><\/pre>\n\n\n\nSample Output<\/em><\/p>\n\n\n\nfail2ban.service - Fail2Ban Service\nLoaded: loaded (\/lib\/systemd\/system\/fail2ban.service; enabled; vendor preset: enabled)\nActive: active (running) since Mon 2021-11-21 20:48:24 CET; 18s ago\nDocs: man:fail2ban(1)\nMain PID: 55134 (f2b\/server)\nTasks: 5 (limit: 2282)\nMemory: 13.5M\nCGroup: \/system.slice\/fail2ban.service\n\u2514\u250055134 \/usr\/bin\/python3 \/usr\/bin\/fail2ban-server -xf start<\/code><\/pre>\n\n\n\nOnce fail2ban is up and running, we can now move on to configure it. <\/p>\n<\/div><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n
Configuration of Fail2ban is done through its config files found at \/etc\/fail2ban\/<\/code>. At most basic level, fail2ban uses \/etc\/fail2ban\/fail2ban.conf<\/code> as the primary configuration profile for overall setup of fail2ban. While, the \/etc\/fail2ban\/jail.conf<\/code> contains default configuration for various jails ie. set of instructions which contains filters and actions for services where matching filters from the logs results in execution of desired actions for that service.<\/p>\n\n\n\nTo put in simple words, jail.conf consist of set of instructions where we can configure brute-force protection against pure-ftpd service, ssh service etc. Although in Debian \/ Ubuntu, ssh protection is enabled by default. <\/p>\n\n\n\n
Fail2ban reads first reads *.conf<\/code> files and then overrides them with *.local<\/code> files. Hence in order to customize we should create copy of fail2ban.conf<\/code> as fail2ban.local<\/code> and jail.conf<\/code> as jail.local<\/code>.<\/p>\n\n\n\nsudo cp \/etc\/fail2ban\/fail2ban.{conf,local}\nsudo cp \/etc\/fail2ban\/jail.{conf,local}<\/code><\/pre>\n\n\n\nNow we will have two new files (\/etc\/fail2ban\/fail2ban.local<\/code> and \/etc\/fail2ban\/jail.local<\/code>) copied from their .conf counterpart. Although, it is not necessary to create copy of *.conf<\/code> files as *.local<\/code> files, you can start with empty .local file also and add only those directives which you want to override. But we will use copy of files and then discuss directives. <\/p>\n\n\n\nThe default \/etc\/fail2ban\/fail2ban.local<\/code> is suitable most of the use case and all configuration choices are well-documented. If you wish you can modify directives like loglevel<\/code> which defines how much data is logged for every event. You can configure under [DEFAULT]<\/code> section. Anything with “#” in front is considered comment and is ignored. For example, below loglevel<\/code> is set to INFO<\/code><\/p>\n\n\n\n[DEFAULT]\n\n# Option: loglevel\n# Notes.: Set the log level output.\n# CRITICAL\n# ERROR\n# WARNING\n# NOTICE\n# INFO\n# DEBUG\n# Values: [ LEVEL ] Default: ERROR\n#\nloglevel = INFO<\/code><\/pre>\n\n\n\nThe main action goes into the \/etc\/fail2ban\/jail.local<\/code> file. This will contain default directives which will be applied to all Jails. However, you can override per jail directive also. There are lots of things you can change from this file which is well documented through comments in file. For example, you can change some of the aspects given below : <\/p>\n\n\n\n [DEFAULT]\n\n ignoreip = x.x.x.x\n bantime = 24h\n findtime = 30m\n maxretry = 3\n usedns = no\n destemail = you@yourdomain.com\n sendername = Fail2Ban\n sender = you@yourservername.com\n mta = sendmail\n action = $(action)s<\/code><\/pre>\n\n\n\n\n- ignoreip:<\/strong> It can be a list of IP addresses, CIDR masks or DNS hosts which you want to be ignored by fail2ban.<\/li>\n\n\n\n
- bantime<\/strong>: It is the period for which a host is banned, we have configured it to 24h.<\/li>\n\n\n\n
- findtime<\/strong>: A host is banned if it has generated “maxretry” during the last “findtime”. We have set is 30m, which means that within last 30 minutes if there are failed attempts equals to “maxretry” option.<\/li>\n\n\n\n
- maxretry:<\/strong> It is number of failures before a host get banned.<\/li>\n\n\n\n
- usedns<\/strong>: It can be
yes<\/code>, warn<\/code>, no<\/code> and raw<\/code>. If set to yes, then will perform DNS lookup for hostname and if set to warn, it will do DNS lookup but log it as warning. Setting it to no means hostname will not used for banning. Using it with raw is used to set no-host filters and actions. We have set it to no as we just want IP addresses used for banning.<\/li>\n\n\n\n- destemail:<\/strong> Specify the email address where you want Fail2ban to send reports about event, you can further customize per jail also.<\/li>\n\n\n\n
- sendername<\/strong>: Specify anything describing name of your server running Fail2ban<\/li>\n\n\n\n
- sender: <\/strong>Specify full email address as “from” address for notifications<\/li>\n\n\n\n
- mta:<\/strong> Which mail transport agent to use for mails, sendmail is preferred. <\/li>\n\n\n\n
- action:<\/strong> On match, what should be the action, here you define it on Global level, you can change it at each Jail level also. So, you can customize to enable mail notification as well other customization along with banning. \n
\n- To ban & send an e-mail with whois report to the destemail.
action = %(action_mw)s<\/code><\/pre><\/li>\n\n\n\n- Same as above ie. action_mw but also send relevant log lines
action = %(action_mwl)s<\/code><\/pre><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/div>\n\n\n\n
Changing which firewall to be used with fail2ban<\/strong><\/p>\n\n\n\nBy default, iptables is used by Fail2ban for banning. We can switch to other firewalls like nftables ,ufw, shorewall, firewalld etc. <\/p>\n\n\n\n
Default iptables :<\/p>\n\n\n\n
banaction = iptables-multiport\nbanaction_allports = iptables-allports\n<\/code><\/pre>\n\n\n\nUse nftables instead:<\/p>\n\n\n\n
banaction = nftables\nbanaction_allports = nftables[type=allports]<\/code><\/pre>\n\n\n\n<\/div>\n\n\n\n
Jails<\/strong><\/p>\n\n\n\nBy default, jail.local<\/code> will have various preconfigured jails for you. For example, ssh (for port 22) is already enabled by default in Debian \/ Ubuntu for fail2ban. We have set enabled = true<\/code> explicitly also. You also specify other settings as explained earlier like bantime<\/code>, ignoreip<\/code> inside each jail also.<\/p>\n\n\n\n[sshd]\nenabled = true\nport = ssh\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s<\/code><\/pre>\n\n\n\nBelow we have another example jail for pure-ftpd<\/code> service taken from \/etc\/fail2ban\/jail.local<\/code> . Note we have again set enabled=true<\/code>. <\/p>\n\n\n\n[pure-ftpd]\nenabled = true\nport = ftp,ftp-data,ftps,ftps-data\nlogpath = %(pureftpd_log)s\nbackend = %(pureftpd_backend)s<\/code><\/pre>\n<\/div><\/div>\n\n\n\nOne we have enabled our desired jails in jail.local files, we we need to restart fail2ban services in order for changes to get in effect. <\/p>\n\n\n\n
sudo systemctl restart fail2ban<\/code><\/pre>\n\n\n\n<\/div>\n\n\n\n
Checking Fail2ban status<\/strong> : fail2ban-client<\/h4>\n\n\n\nFail2ban comes with fail2ban-client utility which we can use for various tasks on fail2ban, like <\/p>\n\n\n\n
\nstart<\/code>: Starts the Fail2ban server and jails.<\/li>\n\n\n\nreload<\/code>: Reloads Fail2ban\u2019s configuration files.<\/li>\n\n\n\nstop<\/code>: Terminates the server.<\/li>\n\n\n\nstatus<\/code>: Will show the status of the server, and enable jails.<\/li>\n\n\n\nstatus JAIL<\/code>: Will show the status of the jail, including any currently-banned IPs.<\/li>\n<\/ul>\n\n\n\nFor example, to view all enabled jails :<\/p>\n\n\n\n
sudo fail2ban-client status <\/code><\/pre>\n\n\n\nSample Output<\/em><\/p>\n\n\n\n Status \n|- Number of jail: \n2 `- Jail list: pure-ftpd, sshd <\/code><\/pre>\n\n\n\nTesting Fail2ban jail: <\/strong><\/p>\n\n\n\nAs you can see have 2 Jails enabled ie. pure-ftpd and sshd. We can test using some failed login attempts on sshd server. We had configured maxretry=3<\/code> in last 30 min (using findtime=30m<\/code>). You can make 3 login attempts to this server’s ssh port, on fourth attempt, you should get “connection refused” error.
To verify if IP is blocked by fail2ban, you can check in \/var\/log\/fail2ban.log<\/code> file. You may also check using iptables if that IP is blocked by it. Checkout the output below where our sample IP 192.168.4.122<\/code> was blocked.<\/p>\n\n\n\nsudo iptables -nL<\/code><\/pre>\n\n\n\nSample output<\/em><\/p>\n\n\n\niptables -nL\nChain INPUT (policy ACCEPT)\ntarget prot opt source destination\nf2b-sshd tcp -- 0.0.0.0\/0 0.0.0.0\/0 multiport dports 22\n\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination\n\nChain f2b-sshd (1 references)\ntarget prot opt source destination\nREJECT all -- 192.168.4.122 0.0.0.0\/0 reject-with icmp-port-unreachable\nRETURN all -- 0.0.0.0\/0 0.0.0.0\/0\n<\/code><\/pre>\n\n\n\n<\/div>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
This tutorial will sum up as basic overview of Fail2ban intrusion detection system configuration on Ubuntu \/ Debian and similar Linux distributions. Fail2ban can do lot more interesting things and covers a lot of applications and services. Nevertheless, its should help you to get started and you can fine tune it to suite your special needs. <\/p>\n","protected":false},"excerpt":{"rendered":"
Security is an important aspect of running any kind of server on internet. Almost all servers run one or other kind of service which requires authentication to access them but…<\/p>\n","protected":false},"author":1,"featured_media":129,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[15,12,16,13,14],"class_list":["post-128","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-debian","tag-firewall","tag-linux","tag-security","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/posts\/128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/comments?post=128"}],"version-history":[{"count":9,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/posts\/128\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/posts\/128\/revisions\/146"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/media\/129"}],"wp:attachment":[{"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/media?parent=128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/categories?post=128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mgcspace.com\/content\/wp-json\/wp\/v2\/tags?post=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}