Introduction
"Fail2ban" monitors your server logs for patterns that indicate potential attacks on your servers and services. If an active attack is detected, "Fail2ban" automatically blocks the IP addresses from which these attacks are originating.
One common form of attack is a brute force attempt to gain SSH access by repeatedly trying different usernames and passwords. If your server is targeted by this type of attack, "Fail2ban" helps by blocking the attacking IPs.
To get started with installing "Fail2ban" on Ubuntu 16.04, follow the steps below.
Installation
To install "Fail2ban" on Ubuntu/Debian, run the following commands:
sudo apt-get update
sudo apt-get install fail2ban -y
After installation, the default configuration file for "Fail2ban" will be located at:
/etc/fail2ban/jail.conf
This is the file you’ll need to modify to suit your environment.
By default, the file already includes a section for each common service that "Fail2ban" can protect; apart from SSH, these sections are disabled. You’ll need to enable and configure the section for each service running on your server individually.
Configuration (Optional)
To open the configuration file and begin editing, use these commands:
sudo apt-get install nano
sudo nano /etc/fail2ban/jail.conf
The SSH protocol is enabled and protected by default. If no changes are made, anyone attempting a brute force attack on your server will be banned after six failed attempts. "Fail2ban" secures the default protocol ports, but if you’ve configured services to use non-standard ports, you must specify the new port number in the configuration.
For instance, if you’ve changed your SSH port from the default 22 to 2222, you must add it to the configuration like this:
[ssh]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Other services are pre-configured but disabled. To enable and protect a service, locate its section and set the value for enabled to true.
Configuration Legend
- Enabled: Determines whether "Fail2ban" monitors the service.
- Port: Specifies the port number for the service. If you’ve customized the port, you’ll need to enter the new number.
- Filter: Defines the rules and patterns "Fail2ban" uses to detect attacks against a service.
- Logpath: The path to the log file that "Fail2ban" monitors. By default, it’s /var/log/auth.log. If your system uses a different log location, update it here.
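The following Python script is an added example, not code from the original tutorial or from the Fail2ban project, showing what the legend above amounts to in practice: a jail section like the [ssh] one shown earlier is parsed, a failregex in the style of the shipped sshd filter (filter.d/sshd.conf) is run over a few constructed /var/log/auth.log lines, and any host that reaches maxretry failures inside the findtime window is reported as banned. The jail text is written as a jail.local fragment because Fail2ban reads /etc/fail2ban/jail.local as an override of jail.conf, and jail.conf may be replaced when the package is upgraded. The regex, the log lines, the IP addresses and the findtime/bantime values are constructed for this example; the real daemon additionally fires the jail's banaction (an iptables rule by default) once a host is flagged.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed jail.local fragment in the same shape as the page's [ssh] section
# (findtime and bantime added so the window logic can be shown).
JAIL_LOCAL = """
[ssh]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
findtime = 600
bantime = 600
"""

# Failregex in the style of filter.d/sshd.conf. Fail2ban replaces <HOST> with
# an address-matching group; this pattern is an assumption for the example,
# not a copy of the shipped filter.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log lines: 203.0.113.7 fails seven times inside a minute,
# 198.51.100.9 fails twice a minute apart, 192.0.2.5 logs in successfully.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:13 host sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:17 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51005 ssh2
Mar  3 10:00:21 host sshd[1206]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:25 host sshd[1207]: Failed password for root from 203.0.113.7 port 51007 ssh2
Mar  3 10:01:00 host sshd[1208]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 10:01:30 host sshd[1209]: Accepted publickey for bob from 192.0.2.5 port 40002 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.9 port 40003 ssh2
"""


def load_jail(text, name):
    """Parse one jail section (INI syntax, as jail.conf/jail.local use)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[name]
    return {
        "enabled": cp.getboolean(name, "enabled"),
        "port": cp.getint(name, "port"),
        "filter": sec["filter"],
        "logpath": sec["logpath"],
        "maxretry": cp.getint(name, "maxretry"),
        "findtime": cp.getint(name, "findtime"),
        "bantime": cp.getint(name, "bantime"),
    }


def parse_timestamp(line, year=2024):
    """syslog timestamps carry no year; one is assumed so window math works."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, jail):
    """Return {ip: time_of_ban} for hosts reaching maxretry failures within findtime."""
    failures = defaultdict(list)
    bans = {}
    window = timedelta(seconds=jail["findtime"])
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue  # not a failure line (e.g. a successful login)
        ip = match.group("host")
        if ip in bans:
            continue  # already banned; no further counting needed
        ts = parse_timestamp(line)
        # keep only failures still inside the findtime window, then add this one
        recent = [t for t in failures[ip] if ts - t <= window]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= jail["maxretry"]:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "ssh")
    for ip, when in find_bans(SAMPLE_AUTH_LOG, jail).items():
        until = when + timedelta(seconds=jail["bantime"])
        print(f"ban {ip} on port {jail['port']} from {when:%H:%M:%S} until {until:%H:%M:%S}")
```

Run as-is, only 203.0.113.7 is flagged, at its sixth failure (10:00:21), matching the page's "banned after six failed attempts"; 198.51.100.9 stays under maxretry. Lowering maxretry and shrinking findtime shows the other half of the rule: two failures a minute apart do not count together when findtime is 30 seconds but do when it is 120.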
Conclusion
You should now have the basics of configuring "Fail2ban" to block malicious activity on your services. It's easy to set up and provides an excellent layer of protection for any service that requires authentication.