
How to Install and Configure Fail2ban on Linux Servers

This guide shows how to install Fail2ban on a Linux server (Ubuntu / Debian) and configure it through its configuration files.
Fail2ban helps secure Linux servers by monitoring for malicious and suspicious activity and banning or blocking the offending IP addresses.
It is important to install and configure Fail2ban correctly so that it works smoothly and without issues on your server.

Debian / Ubuntu
Other Linux (the configuration commands will be different)

NOTE: You can’t use Fail2ban on Shared Hosting; you will need our VPS Hosting or Dedicated Servers from Alexhost, which are the best services to use it with.

What is Fail2ban?

Fail2Ban is a log-parsing application that enhances the security of Linux servers by monitoring log files for malicious activity and automatically taking action to ban or block IP addresses associated with suspicious behavior. Its primary purpose is to protect servers from various types of attacks, especially those involving brute-force attempts to gain unauthorized access. It is important to know how to install Fail2ban correctly on your server.

Here’s how Fail2Ban generally works:

  1. Monitoring Log Files: Fail2Ban continuously monitors specified log files for patterns that indicate potential security threats. These log files include those associated with authentication attempts, such as /var/log/auth.log for SSH or /var/log/apache2/error.log for Apache.
  2. Filtering Rules: Fail2Ban uses predefined or user-configured filter rules to identify specific patterns in the log entries. These patterns typically indicate failed login attempts, password guessing, or other suspicious activities.
  3. Matching Patterns: When a log entry matches a predefined pattern, Fail2Ban counts it as a “failure” or “match.” The filters are designed to recognize common attack patterns, such as repeated failed login attempts from the same IP address.
  4. Ban Actions: After a certain number of matching entries (configured by the maxretry setting), Fail2Ban takes action to block the offending IP address. The duration of the ban is determined by the bantime setting. This temporary ban helps thwart automated attacks by making it more difficult for attackers to gain access.
  5. Jails: Fail2Ban organizes its monitoring and banning configurations into units called “jails.” Each jail corresponds to a specific service or set of services. For example, there may be a jail for SSH, another for Apache, and so on. The configuration for each jail, including the filters and ban settings, is defined in the Fail2Ban configuration files.
  6. Status and Interaction: System administrators can check the status of Fail2Ban, view banned IP addresses, and manually unban addresses if needed. Fail2Ban also logs its actions, providing administrators with a history of banned IP addresses and relevant events.

By automatically banning IP addresses that exhibit malicious behavior, Fail2Ban helps protect servers from brute-force attacks, password guessing, and other security threats. It is a valuable tool for enhancing the overall security posture of a Linux server. However, it’s essential to configure Fail2Ban appropriately for your specific environment and regularly review its logs to ensure proper functionality.
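The counting described in steps 3 and 4 above can be sketched in Python. This is an added example, not Fail2Ban's own code: the `simulate` function, the simplified failure regex and the sample log lines are constructed for illustration, and the `ignoreip` parameter mirrors Fail2Ban's whitelist option of the same name.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failure pattern for this sketch; Fail2Ban's shipped sshd filter covers many more cases.
FAILREGEX = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(lines, maxretry=3, findtime=600, bantime=600, ignoreip=(), year=2024):
    """Return [(ip, ban_start, ban_end)] for syslog-style auth.log lines."""
    allow = [ipaddress.ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                 # not a failure entry (e.g. a successful login)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                 # hostname or garbage in the address field
        if any(addr in net for net in allow) or ts < banned_until.get(ip, datetime.min):
            continue                 # whitelisted source, or ban still active
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()         # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

# Constructed sample events (documentation-range IPs): (time, outcome, source IP)
EVENTS = [
    ("10:00:00", "Failed", "203.0.113.7"), ("10:00:05", "Failed", "198.51.100.9"),
    ("10:00:10", "Failed", "192.0.2.10"), ("10:00:12", "Failed", "192.0.2.10"),
    ("10:00:14", "Failed", "192.0.2.10"), ("10:00:20", "Failed", "203.0.113.7"),
    ("10:00:30", "Accepted", "192.0.2.10"), ("10:00:40", "Failed", "203.0.113.7"),
    ("10:15:00", "Failed", "198.51.100.9"), ("10:16:00", "Failed", "198.51.100.9"),
]
SAMPLE = [f"Mar 14 {t} web1 sshd[2211]: {what} password for root from {ip} port 40022 ssh2"
          for t, what, ip in EVENTS]

if __name__ == "__main__":
    print(simulate(SAMPLE, ignoreip=["192.0.2.0/24"]))
```

With `192.0.2.0/24` whitelisted, only 203.0.113.7 is banned; 198.51.100.9 escapes because its three failures never fall inside one `findtime` window.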

### Step 1: How to Install Fail2Ban

Open a terminal on your Ubuntu or Debian server and run the following commands:

```bash
sudo apt update
sudo apt install fail2ban
```

### Step 2: Configure Fail2Ban

  1. Create a copy of the default configuration file:

```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

  2. Open the `jail.local` file in a text editor. You can use `nano` or `vim`:

```bash
sudo nano /etc/fail2ban/jail.local
```

  3. Configure the basic settings in the `jail.local` file. Here are some common options:

bantime: Duration (in seconds) an IP will be banned. Default is 10 minutes (600 seconds).

findtime: The time window (in seconds) within which a defined number of failures must occur for banning.

maxretry: The number of failures allowed before banning.



```ini
# Global defaults live in the [DEFAULT] section of jail.local
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
```


4. Set up the filters for the specific services you want Fail2Ban to monitor. Filters are defined in the `jail.local` file under the `[<service-name>]` section. Common services include SSH (`sshd`), Apache (`apache`), and Nginx (`nginx`).

Example for SSH:

```ini
# Jail for the SSH daemon; the section name is the service name
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
```


Note: Make sure the `port` and `logpath` match your specific configuration.

  5. Save the `jail.local` file and exit the text editor.

### Step 3: Restart Fail2Ban

After making changes to the configuration, restart Fail2Ban to apply the new settings:

```bash
sudo systemctl restart fail2ban
```

### Step 4: Check Fail2Ban Status

You can check the status of Fail2Ban with:

```bash
sudo fail2ban-client status
```

This should display information about the jails and their status.

### Step 5: Test Fail2Ban

To test if Fail2Ban is working, intentionally generate some failed login attempts on the monitored service (e.g., SSH). After reaching the specified `maxretry` value, Fail2Ban should ban the corresponding IP address.

Remember to adapt these instructions based on your specific Ubuntu or Debian system and service configurations. Always consider the security implications of your settings, and regularly review logs for any unexpected behavior.


Note: While configuring Fail2ban on your server, don’t block port 22 unless you are sure of what you are doing, because doing so blocks the default SSH port.

Warning: Fail2ban is an excellent tool for protecting your Linux servers, but it needs to be configured carefully. To avoid being banned, whitelist your own IP and any other IPs you consider important. Configuring Fail2ban incorrectly can make you lose the connection to your server, so it is important to know how to install Fail2ban on your server (Ubuntu, Debian, CentOS, etc.).