How To Install Fail2Ban to protect server from Brute Force SSH Login Attempts (Ubuntu):
Fail2Ban is a simple script that scans log files for repeated failed login attempts and bans the IP addresses that produce too many failures. Commonly that is a brute force attempt to guess the correct password for logging in to a server via SSH. Fail2ban simply updates the firewall rules to reject the IP address automatically once it detects the brute force attempt. Basic precautions alone are often not enough, so you may also need to install Fail2ban. In this page I will explain the steps needed to install Fail2ban and some basic configuration.
HOW TO INSTALL AND SETUP FAIL2BAN
Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache and other logs, and uses iptables rules to block brute-force attempts.
STEP BY STEP INSTALLATION AND CONFIGURATION:
Step 1 – Log in to your server with your favorite SSH client. Windows users can simply use PuTTY; it is free, small, portable and awesome. If you have disabled root login, log in with the username you set up, then type “su” and enter your root password.
Step 2 – Now install fail2ban on your server. You may want to update the apt package lists first (not strictly necessary, but recommended). Then run this command to install fail2ban:

    apt-get install fail2ban
Step 3 – Now you have to set up Fail2ban’s configuration. By default, Fail2ban’s configuration already includes many of the services that may need protection. Before you change the default config file, make a copy of it first. Issue the following command:

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Step 4 – The command above copies the “jail.conf” file to “jail.local”, which is where you make your changes to the config (Fail2ban reads jail.local on top of jail.conf, so the original stays untouched). Now open that file in our favorite text editor, Nano.
Write your personal IP address into the ignoreip line. You can separate multiple addresses with a space. ignoreip lets you whitelist certain IP addresses and make sure they are never locked out of your VPS. Including your own address guarantees that you do not accidentally ban yourself from your own virtual private server.
The next step is to decide on a bantime, the number of seconds a host is blocked from the server once it is found to be in violation of any of the rules. This is especially useful against bots, which, once banned, simply move on to the next target. The default is 10 minutes; you may raise this to an hour (or more) if you like.
maxretry is the number of incorrect login attempts a host may make before it is banned for the length of the bantime.
findtime is the window in which those attempts are counted. The default is 10 minutes; this means that if a host attempts, and fails, to log in more than maxretry times within those 10 minutes, it is banned.
Step 5 – Now make your changes (if you wish and if you need to) in the first section of the config. The first section, called “DEFAULT”, covers the basic rules that fail2ban applies to every jail.
The most important setting is “ignoreip”. Add your own IP address there so that if you forget your password you will not be banned for trying some combinations, no matter how many times you try. In other words, adding your IP to the whitelist keeps you from accidentally banning yourself.
Also do not forget to set “bantime”, which controls how many seconds a banned host stays locked out. The default value is 600 seconds, or 10 minutes. You can adjust that value as you wish, but you had better raise it, because most brute force bots simply move on to the next target once the server bans them.
Below the “bantime” line is “maxretry”. This line defines how many incorrect login attempts a single IP may make before it gets banned for the ban time you have defined. The default value is “3”, but you can lower it to “2” or “1”. Lower is better, but make sure you have already whitelisted your own IP in the “ignoreip” line above.
The next line is “backend”, which you can simply leave at its value of “auto”. Now move on to the “destemail” line. Here you define the email address to which all alerts are sent. Simply change root@localhost to your own personal email address. You must make sure, however, that your server already has a working mail server so it can send outgoing email.
Step 6 – Now move to the next section, “Action”. You can simply leave those lines as they are if you are not sure; the default values should be adequate for fail2ban to work correctly. Then move a little further down and find the [ssh] section.
You do not have to change that section either. Its default values indicate that SSH protection is enabled (ON). You can change “enabled = true” to false if you want to turn the protection OFF.
You can change the “port = ssh” line to the custom port number your SSH service listens on. For instance, if you have changed the default SSH port from 22 to 2200, change the line to “port = 2200”.
Once done editing, hit Control+O to save then Control+X to exit Nano editor screen.
Step 7 – That’s it. Now to make sure Fail2ban loads your newly defined config, simply do a restart. Issue this command:
    service fail2ban restart
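As an added example that is not part of the original post: a small POSIX shell script that makes the Step 5 and Step 6 edits to a jail.conf-style file with awk instead of by hand, and reads each value back so you can confirm it before restarting the service. It works on a constructed stand-in for the config so it can be run anywhere; the admin address 203.0.113.10 and the SSH port 2200 are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 5 and Step 6
# settings to a jail.conf-style file with awk instead of editing it by hand.
# The admin address 203.0.113.10 and SSH port 2200 are constructed values.

# Rewrite "key = value" inside one [section]; other sections are untouched.
set_jail_option() {
    file=$1 section=$2 key=$3 value=$4
    awk -v s="[$section]" -v k="$key" -v v="$value" '
        /^\[/ { in_sec = ($0 == s) }
        in_sec && $1 == k && $2 == "=" { print k " = " v; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value of key in [section] so a change can be verified.
get_jail_option() {
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_sec = ($0 == s) }
        in_sec && $1 == k && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed stand-in for /etc/fail2ban/jail.conf so the script runs
# anywhere; on a real host use the jail.local copy made in Step 3 instead.
make_sample_jail() {
cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3
findtime = 600
destemail = root@localhost

[ssh]
enabled = true
port    = ssh
EOF
}

harden_jail() {
    set_jail_option "$1" DEFAULT ignoreip "127.0.0.1 203.0.113.10"  # never ban the admin
    set_jail_option "$1" DEFAULT bantime 3600                        # one hour, not 10 min
    set_jail_option "$1" DEFAULT maxretry 2                          # fewer guesses allowed
    set_jail_option "$1" ssh port 2200                               # custom SSH port
}

demo=$(mktemp) && make_sample_jail "$demo" && harden_jail "$demo" && cat "$demo"
rm -f "$demo"  # stand-alone demo on a temporary file; nothing on the host is changed
```

On a real host, point harden_jail at /etc/fail2ban/jail.local and follow it with the restart command above so the new values take effect.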
Q: I rebooted the server; does it start automatically?
Yes, the Fail2ban service starts automatically each time your server reboots.
That’s it and enjoy.