How to Protect SSH with Fail2Ban on Ubuntu 22.10
Fail2Ban is an intrusion prevention framework written in Python. It works by reading log files (SSH, ProFTPD, Apache, etc.) and uses iptables rules to block the source addresses of brute-force attempts.
Installing the Fail2Ban package
Check for system updates and install them.
apt update
apt upgrade
Command to install Fail2Ban:
apt install fail2ban
Enable fail2ban by running the below command.
systemctl enable fail2ban
Check the status of fail2ban by running the below command.
systemctl status fail2ban
Output:
root@crown:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
Active: active (running) since Thu 2022-10-19 13:37:13 UTC; 14s ago
Docs: man:fail2ban(1)
Main PID: 2557 (fail2ban-server)
Tasks: 5 (limit: 1034)
Memory: 13.2M
CPU: 442ms
CGroup: /system.slice/fail2ban.service
└─2557 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Configuring Fail2Ban
jail.conf contains the sections in which Fail2Ban's settings are defined. We are not going to edit this file, because package upgrades can overwrite it.
jail.local contains the same sections as jail.conf, and any value set there overrides the value in jail.conf.
Create the jail.local configuration file by copying the default jail.conf file:
cp /etc/fail2ban/jail.{conf,local}
Open the file to configure it:
nano /etc/fail2ban/jail.local
Whitelisting IP addresses
Find the following line in the config file /etc/fail2ban/jail.local and uncomment it to whitelist IP addresses.
#ignoreip = 127.0.0.1/8 ::1
Once you have uncommented it, add your IP address at the end of the line. For example:
ignoreip = 192.168.0.100 192.168.1.0/24
Multiple IP addresses can be whitelisted with the above configuration; they have to be separated by a single space. You can also whitelist an IP block in CIDR notation, as shown above. Addresses listed here are never banned, so make sure your own management address is included before enabling the jail.
Ban settings
There are three main options in these settings:
- bantime: the length of time (in seconds, minutes, hours or days) that an IP address stays banned.
- findtime: the time window within which fail2ban counts repeated failed authentication attempts from the same IP address.
- maxretry: the maximum number of failed attempts allowed within findtime before the IP address is banned.
Find these lines in the config file /etc/fail2ban/jail.local and change them as required.
The default values of these options are:
bantime = 10m
findtime = 10m
maxretry = 5
Note: To block an IP address permanently, use a negative value for the bantime option.
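To make the interaction between ignoreip, findtime, maxretry and bantime concrete, here is an added example (not Fail2Ban's own code) that parses a constructed jail.local fragment with the same keys and replays constructed auth.log-style lines through a simplified version of the sshd jail's decision logic. The addresses, timestamps and the "action = %(action_mwl)s" line in the fragment are assumed sample values; the regular expression is a cut-down stand-in for Fail2Ban's real sshd filter and only matches "Failed password" lines.

```python
"""Simulate the sshd jail's ban logic (ignoreip, findtime, maxretry, bantime).

Added example, not Fail2Ban's own code. It parses a constructed jail.local
fragment with configparser and walks constructed auth.log-style lines the
way the tutorial describes the settings, so you can see which source
addresses would be banned and until when.
"""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment (assumed values, not the distro default).
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime = 10m
findtime = 10m
maxretry = 5
action = %(action_mwl)s

[sshd]
enabled = true
"""

# Constructed auth.log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, 192.168.1.0/24 is whitelisted above.
AUTH_LOG = """\
Oct 19 13:40:01 crown sshd[2701]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 19 13:40:03 crown sshd[2701]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 19 13:40:05 crown sshd[2703]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 19 13:40:07 crown sshd[2705]: Failed password for root from 203.0.113.7 port 51031 ssh2
Oct 19 13:40:09 crown sshd[2707]: Failed password for root from 203.0.113.7 port 51032 ssh2
Oct 19 13:40:11 crown sshd[2709]: Failed password for root from 203.0.113.7 port 51033 ssh2
Oct 19 13:41:00 crown sshd[2710]: Failed password for root from 192.168.1.50 port 40000 ssh2
Oct 19 13:41:01 crown sshd[2711]: Failed password for root from 192.168.1.50 port 40001 ssh2
Oct 19 13:41:02 crown sshd[2712]: Failed password for root from 192.168.1.50 port 40002 ssh2
Oct 19 13:41:03 crown sshd[2713]: Failed password for root from 192.168.1.50 port 40003 ssh2
Oct 19 13:41:04 crown sshd[2714]: Failed password for root from 192.168.1.50 port 40004 ssh2
Oct 19 13:45:00 crown sshd[2720]: Failed password for root from 198.51.100.9 port 40100 ssh2
Oct 19 13:48:00 crown sshd[2721]: Failed password for root from 198.51.100.9 port 40101 ssh2
Oct 19 13:51:00 crown sshd[2722]: Failed password for root from 198.51.100.9 port 40102 ssh2
Oct 19 13:54:00 crown sshd[2723]: Failed password for root from 198.51.100.9 port 40103 ssh2
Oct 19 13:57:00 crown sshd[2724]: Failed password for root from 198.51.100.9 port 40104 ssh2
"""

# Simplified stand-in for the sshd filter: timestamp and source address of a failed password.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value):
    """Turn a bantime/findtime value such as '10m', '1h' or '600' into seconds.
    A negative value means a permanent ban, as the tutorial notes."""
    m = re.fullmatch(r"(-?\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def is_ignored(ip, networks):
    """True if ip falls inside any ignoreip entry (single host or CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def ban_decisions(jail_local, log_text):
    """Return {ip: expiry} for every address the jail would ban.
    expiry is a datetime, or None for a permanent (negative bantime) ban."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(action_mwl)s literal
    cfg.read_string(jail_local)
    jail = cfg["sshd"]  # values from [DEFAULT] are inherited by the jail section
    networks = [ipaddress.ip_network(n, strict=False) for n in jail["ignoreip"].split()]
    findtime = timedelta(seconds=parse_duration(jail["findtime"]))
    bantime = parse_duration(jail["bantime"])
    maxretry = int(jail["maxretry"])

    recent = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        # syslog timestamps carry no year; only differences between them matter here
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        if ip in bans or is_ignored(ip, networks):
            continue  # already banned, or whitelisted by ignoreip
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = None if bantime < 0 else ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    for ip, until in ban_decisions(JAIL_LOCAL, AUTH_LOG).items():
        print(ip, "banned until", "forever" if until is None else until.strftime("%H:%M:%S"))
```

With the sample input, only 203.0.113.7 is banned (five failures inside ten seconds, banned until 13:50:09): 192.168.1.50 is covered by the ignoreip block, and 198.51.100.9 spreads its attempts out so that no more than four ever fall inside one 10-minute findtime window, which is exactly the slow-and-low pattern a short findtime misses. Setting bantime to a negative value in the fragment turns the ban into a permanent one.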
Get e-mail notifications
Note: To receive email alerts, you need to have an SMTP server (MTA) installed on your server.
To receive email alerts with the relevant log lines, find the following lines in the config file /etc/fail2ban/jail.local and make sure they are present:
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
To configure the sending and receiving email addresses, find the following lines in the config file /etc/fail2ban/jail.local and update them with your details.
Example:
destemail = admin@xyz.com
sender = root@xyz.com
Fail2ban Client
To interact with the Fail2Ban service there is a command-line tool called fail2ban-client.
To see its available options, use the -h option as shown in the following command:
fail2ban-client -h
Here are a few examples of what can be done with this tool.
Check the status of the sshd jail, including the currently banned IP addresses:
fail2ban-client status sshd
To Unban an IP:
fail2ban-client set sshd unbanip "IP address here"
To Ban an IP:
fail2ban-client set sshd banip "IP address here"