Linux administrators deploy different solutions to protect their systems from being comprised. Some of the solutions include security by obscurity, IDS (Intrusion detection system), and password policies. However, these solutions alone cannot protect their system from compromise. It is better to use an intrusion prevention system to prevent attacks and block the attacker before it actually breaks into your system.
Fail2ban is an easy and quick to deploy intrusion prevention tool that closely monitors your log files and bans suspicious IP addresses based on predefined number of unsuccessful login attempts. However, there is a limitation with Fail2ban that it only protects the services that require authentication. The services which do not require authentication cannot be banned by Fail2ban.
In today’s post, we are going to cover how to install and configure Fail2ban on Ubuntu 20.04 LTS.
Fail2ban package is available in the Ubuntu default repositories. Therefore, we can simply install it using the apt.
First, update the package index using this command:
$ sudo apt-get update
Enter sudo password when prompted.
Then use the below command for installingFail2ban:
$ sudo apt-get install fail2ban
Hit y if prompted for confirmation. After this, Fail2ban should be installed on your system.
The configuration file of Fail2ban is located at /etc/fail2ban/jail.conf. However, it is suggested to not edit this file directly. Instead, to edit the configuration file, copy the jail.conf file to jail.local file. Use the below command to do so:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now to do configurations, edit the jail.local file as follows:
$ sudo nano /etc/fail2ban/jail.local
For configuring Fail2ban, the first step you require to do is to add the IP address that you never want to ban. By default, it is setup to not block any traffic originating from the local system.
To add more systems to the whitelist (IPs that should never be blocked), search for this entry:
ignoreip = 127.0.0.1/8
Then add other IP addresses separated by space as shown in the screenshot below.
Then save the jail.local file and exit.
Protect SSH with Fail2ban
Fail2ban comes with a number of jails preconfigured for different services. Under the default section, there are separate sections for each of the services. These separate sections can be used to override the default settings. Each service is identified by the section headers like [squid]. We can also create separate local jails for each service in the /etc/fail2ban/jail.d directory.
Here, we are going to protect SSH by configuring a jail for failed login attempts.
Create a jail for SSH using this command:
$ sudo nano /etc/fail2ban/jail.d/sshd.local
Add below lines in the sshd.local file:
[sshd] enabled = true port=ssh maxretry = 2 bantime = 1m
Then save the file and exit.
The description of bantime and maxretry parameters used in the above lines is as follows:
When a client fails to authenticate successfully, the bantime option specifies how long they will be banned.
The maximum number of authentication tries before a host IP trying to connect is blocked.
Now you will need to restart the Fail2ban service using the below command:
$ sudo systemctl restart fail2ban
Now to verify if Fail2ban is working, we will make 2 wrong authentication attempts (by entering the wrong password). After the 2 attempts, the SSH connection will hang. To close the current SSH connection, press Ctrl+c. Now if we try to reconnect to the SSH server, it will not connect as Fail2ban has blocked it.
We can also verify this by checking the logs in the /var/log/fail2ban.log file.
$ sudo tail -f /var/log/fail2ban.log
Below is the screenshot of our logs where you can see Fail2ban has banned the IP address which tried two wrong authentication attempts. If you notice the time, it also unbanned the IP address after 1 minute.
You can also manually unban the IP address using the below command:
$ sudo fail2ban-client set sshd unbanip IP_ADDRESS
That is all there is to it! In this post, we covered how to install Fail2ban and protect SSH from illegitimate attempts. It is a cost-free and easy to setup tool for protecting services that require authentication. However, remember that fail2ban is only a single solution. It should not be the only security tool running on your systems.