Fail2Ban is an intrusion prevention framework written in Python. It works by reading service logs (SSH, ProFTPD, Apache, etc.) and uses iptables rules to block brute-force attempts.
Check for system updates and install them.
apt update
apt upgrade
Command to install fail2ban:
apt install fail2ban
Note: It will prompt for confirmation. Press "y" and "Enter" to continue.
To enable fail2ban, run the following command.
systemctl enable fail2ban
To check the status of the service, run the following command.
systemctl status fail2ban
root@vps:~# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset:
   Active: active (running) since Sat 2020-10-24 07:33:12 PDT; 48s ago
     Docs: man:fail2ban(1)
 Main PID: 732 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─732 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/

Oct 24 07:33:11 vps.server.com systemd: Starting Fail2Ban Service...
Oct 24 07:33:11 vps.server.com fail2ban-client: 2020-10-24 07:33:11,745 fai
Oct 24 07:33:11 vps.server.com fail2ban-client: 2020-10-24 07:33:11,746 fai
Oct 24 07:33:12 vps.server.com systemd: Started Fail2Ban Service.
lines 1-12/12 (END)
jail.conf contains the configuration sections for fail2ban. We are not going to edit this file, because a package upgrade can overwrite it.
jail.local contains the same sections as jail.conf, and any value set there overrides the one in jail.conf.
Command to create a jail.local configuration file by copying the default jail.conf file.
Open the file to configure it.
Find the following line in the config file /etc/fail2ban/jail.local and uncomment it to whitelist your own IP address, so that it is never banned.
ignoreip = 127.0.0.1/8 ::1 "your IP address"
There are 3 main options in these settings:
- bantime: how long an IP address is banned (seconds, or a value with a unit such as 10m, 1h, 1d).
- findtime: the time window in which fail2ban looks for repeated failed authentication attempts.
- maxretry: the maximum number of failed attempts within findtime before the IP address is blocked.
Find these lines in the config file /etc/fail2ban/jail.local and change them as required.
The default values of these options are:
bantime = 1d
findtime = 10m
maxretry = 3
Note: If you want to block an IP address permanently, use a negative value for the bantime option.
Note: To receive email alerts, you need to have an SMTP server installed on your server.
To receive email alerts with the relevant logs, find the following line in the config file /etc/fail2ban/jail.local.
# bans the offending IP and sends an email with a whois report.
action = %(action_mw)s
And change it to:
# bans the offending IP and sends an email with a whois report and with relevant logs.
action = %(action_mwl)s
To configure the sending and receiving email addresses, find the following lines in the config file /etc/fail2ban/jail.local and update the details.
destemail = firstname.lastname@example.org
sender = email@example.com
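The settings above (ignoreip, bantime, findtime, maxretry, the action and the mail addresses) can be written into jail.local in one go. The following script is an added example and is not part of the original guide or of the fail2ban project; it assumes that fail2ban reads jail.local after jail.conf, so only the overridden keys need to appear there, and that the sshd jail is the one you want enabled. The destination path, trusted IP and mail addresses are parameters, so the script can be tried against a scratch file before it is pointed at /etc/fail2ban/jail.local.

```shell
#!/bin/sh
# Added example (not from the original guide): write a jail.local override
# file with the settings discussed above. All values are parameters so the
# function can be exercised against a scratch file first.

# write_jail_local DEST TRUSTED_IP BANTIME FINDTIME MAXRETRY DESTEMAIL SENDER
write_jail_local() {
    dest="$1"; trusted="$2"; bantime="$3"; findtime="$4"; maxretry="$5"
    destemail="$6"; sender="$7"
    # Refuse to clobber an existing override file: the operator should
    # remove or merge it deliberately rather than lose hand-made changes.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    cat > "$dest" <<EOF
[DEFAULT]
# never ban loopback or the operator's own address
ignoreip = 127.0.0.1/8 ::1 $trusted
# ban policy: MAXRETRY failures within FINDTIME -> banned for BANTIME
bantime  = $bantime
findtime = $findtime
maxretry = $maxretry
# ban, then mail a whois report plus the matching log lines
action = %(action_mwl)s
destemail = $destemail
sender = $sender

[sshd]
# assumption: the SSH jail is the one being protected (Debian enables it
# by default; stating it explicitly does no harm)
enabled = true
EOF
}

# get_setting FILE KEY: print the first value assigned to KEY in FILE,
# so the written file can be checked before fail2ban is restarted
get_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Dry run against a scratch file. On a real host use
# /etc/fail2ban/jail.local as DEST and then: systemctl restart fail2ban
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    rm -f "$tmp"   # write_jail_local insists on creating the file itself
    write_jail_local "$tmp" 203.0.113.10 1d 10m 3 admin@example.org fail2ban@example.com
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the generated file; 203.0.113.10 and the mail addresses are constructed placeholders. Writing only the overridden keys (rather than copying all of jail.conf) keeps the file short and means a package upgrade that changes jail.conf defaults still takes effect for everything you did not override.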
To interact with the Fail2ban service there is a command-line tool called fail2ban-client.
To check its available options, enter the following command.
Here are a few examples of what can be done with this tool:
Check the jail status.
fail2ban-client status sshd
To unban an IP.
fail2ban-client set sshd unbanip "IP address here"
To Ban an IP.
fail2ban-client set sshd banip "IP address here"
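Before unbanning or banning addresses by hand it helps to see what the jail currently holds. The following is an added example, not part of the original guide or of fail2ban itself: it extracts the banned addresses from the output of `fail2ban-client status sshd` so they can be audited or exported to a ticket. The status text embedded in the script is a constructed sample in the layout fail2ban 0.10+ prints; on a live host you would pipe the real command into `banned_ips` instead.

```shell
#!/bin/sh
# Added example (not from the original guide): pull the banned IP list out
# of "fail2ban-client status <jail>" output for auditing.

# Constructed sample of the status output, in the layout fail2ban prints.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     57
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   198.51.100.23 203.0.113.77'

# banned_ips: read status text on stdin, print one banned address per line
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# is_banned IP < status: exit 0 if IP appears in the banned list, else 1
is_banned() {
    banned_ips | grep -Fqx "$1"
}

# Demo against the constructed sample. On a real host:
#   fail2ban-client status sshd | banned_ips
# and to review a single address before unbanning it:
#   fail2ban-client status sshd | is_banned 198.51.100.23 && echo "still banned"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATUS" | banned_ips
fi
```

The parser keys on the literal "Banned IP list:" label, so it keeps working whatever the tree-drawing characters around it look like; if a future fail2ban release renames that label the function prints nothing rather than a wrong list.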