Linux administrators deploy different solutions to protect their systems from being comprised. Some of the solutions include security by obscurity, IDS (Intrusion detection system), and password policies. However, these solutions alone cannot protect their system from compromise. It is better to use an intrusion prevention system to prevent attacks and block the attacker before it actually breaks into your system.
Fail2ban is an easy and quick to deploy intrusion prevention tool that closely monitors your log files and bans suspicious IP addresses based on predefined number of unsuccessful login attempts. However, there is a limitation with Fail2ban that it only protects the services that require authentication. The services which do not require authentication cannot be banned by Fail2ban.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Linux files security queries.
In this context, we shall look into how to install and configure Fail2ban on Ubuntu 20.04 LTS.
Fail2ban package is available in the Ubuntu default repositories. Therefore, we can simply install it using the apt.
First, update the package index using this command:
$ sudo apt-get update
When prompted, Enter sudo password.
Then use the below command for installingFail2ban:
$ sudo apt-get install fail2ban
Hit y if prompted for confirmation. After this, Fail2ban should be installed on your system.
The configuration file of Fail2ban is located at /etc/fail2ban/jail.conf. However, it is suggested to not edit this file directly. Instead, to edit the configuration file, copy the jail.conf file to jail.local file. Use the below command to do so:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now to do configurations, edit the jail.local file as follows:
$ sudo nano /etc/fail2ban/jail.local
For configuring Fail2ban, the first step you require to do is to add the IP address that you never want to ban. By default, it is setup to not block any traffic originating from the local system.
To add more systems to the whitelist (IPs that should never be blocked), search for this entry:
ignoreip = 127.0.0.1/8
Then add other IP addresses separated by space.
After that, save the file and exit.
Fail2ban comes with a number of jails preconfigured for different services. Under the default section, there are separate sections for each of the services. These separate sections can be used to override the default settings. Each service is identified by the section headers like [squid]. We can also create separate local jails for each service in the /etc/fail2ban/jail.d directory.
Here, we are going to protect SSH by configuring a jail for failed login attempts.
Create a jail for SSH using this command:
$ sudo nano /etc/fail2ban/jail.d/sshd.local
Add below lines in the sshd.local file:
[sshd]
enabled = true
port=ssh
maxretry = 2
bantime = 1m
After making the necessary changes, save the file and exit.
The description of bantime and maxretry parameters used in the above lines is as follows:
Bantime
When a client fails to authenticate successfully, the bantime option specifies how long they will be banned.
Maxretry
The maximum number of authentication tries before a host IP trying to connect is blocked.
Now you will need to restart the Fail2ban service using the below command:
$ sudo systemctl restart fail2ban
Now to verify if Fail2ban is working, we will make 2 wrong authentication attempts (by entering the wrong password). After the 2 attempts, the SSH connection will hang. To close the current SSH connection, press Ctrl+c. Now if we try to reconnect to the SSH server, it will not connect as Fail2ban has blocked it.
We can also verify this by checking the logs in the /var/log/fail2ban.log file:
$ sudo tail -f /var/log/fail2ban.log
From the logs, you can see Fail2ban has banned the IP address which tried two wrong authentication attempts. If you notice the time, it also unbanned the IP address after 1 minute.
You can also manually unban the IP address using the below command:
$ sudo fail2ban-client set sshd unbanip IP_ADDRESS
This article covers how to install Fail2ban and protect SSH from illegitimate attempts. For webmasters or anyone managing Linux server that is accessible over the Internet, the risks of the server being compromised is high, so implementing best security practices to help mitigate these attacks should be a priority. In fact, Fail2ban is a tool that help protect Linux servers from brute force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan the server's logs for malicious attempts and bans offending IPs for a specific length of time using the system's firewall.
How to Install Fail2ban on any Linux system ?
Fail2ban packages are automatically included in Ubuntu repositories. To install it, simply run the commands below:
$ sudo apt update
$ sudo apt install fail2ban
Once the installation is complete, the service should automatically start up and ready to be configured.
To check if the service is up and operational, run the commands below:
$ sudo systemctl status fail2ban