How to configure Fail2Ban for common services

Last updated: August 22nd 2023

Introduction

Fail2Ban is a free and open-source intrusion prevention tool. It is written in the Python programming language and used for protecting your Linux server from brute-force login attacks. If any service requires authentication in your system then attackers and bots are trying to break your authentication system by continuously authenticate using different credentials. SSH is a good example of this type of service which is the first choice of attackers and bots for brute force attacks.

How Does Fail2Ban Work?

Fail2Ban monitors server log files (such as /var/log/auth.log, /var/log/apache/access.log) for intrusion attempts and other suspicious activity. Once a predefined number of failures have been detected from a remote host, Fail2Ban blocks their IP address automatically for a specific amount of time. Fail2Ban can find any remote IPs that are trying to make too many login attempts. After detecting an abusive IP address, Fail2Ban can perform multiple actions such as updating Iptable firewall rules, add IP address in TCP Wrapper's hosts.deny table, send email notification and any other user-defined action.

Fail2Ban provides protection for different services, such as FTP, SSH, Apache, Webmin, Docker, WordPress and essentially any service which writes information to log files against brute force login attacks.

In this post, we will show you how to install and configure Fail2Ban to protect your server from brute force login attacks for some common services.

Please note: Doing these actions may temporarily bring down your server. Do these actions with caution on a live site.

Prerequisites

How to Install Fail2Ban

By default, Fail2Ban is installed in the Webdock LAMP/LEMP stack. If not installed you can install it using the following command:

$ sudo apt install fail2ban -y

Once Fail2Ban is installed, you can check the status of Fail2Ban with the following command:

$ sudo systemctl status fail2ban

Output:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-05-24 12:08:07 UTC; 3min 5s ago
       Docs: man:fail2ban(1)
   Main PID: 341 (f2b/server)
      Tasks: 7 (limit: 464145)
     Memory: 14.6M
     CGroup: /system.slice/fail2ban.service
             └─341 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 24 12:08:07 ubuntu systemd[1]: Starting Fail2Ban Service...
May 24 12:08:07 ubuntu systemd[1]: Started Fail2Ban Service.
May 24 12:08:08 ubuntu fail2ban-server[341]: Server ready

How to Configure Fail2Ban?

Fail2Ban configuration files are located inside the /etc/fail2ban directory. You can check them with the following command:

$ sudo ls -l /etc/fail2ban/

You should see the following output:

drwxr-xr-x 2 root root    65 Jun  4  2020 action.d
-rw-r--r-- 1 root root  2817 Jan 11  2020 fail2ban.conf
drwxr-xr-x 2 root root     2 Mar  2  2020 fail2ban.d
drwxr-xr-x 3 root root    90 Jun  4  2020 filter.d
-rw-r--r-- 1 root root 25740 Jan 11  2020 jail.conf
drwxr-xr-x 2 root root     4 Jun  4  2020 jail.d
-rw-r--r-- 1 root root   645 Jan 11  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Jan 11  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Jan 11  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Jan 11  2020 paths-opensuse.conf

Where the jail.conf is the main configuration file with all available options. The jail.conf contains jail configuration for many services like, HTTP, FTP, SSH, Squid, Monit, Horde, Drupal and more. You just need to add "enabled = true" below each jail configuration section to enable the specific jail.

A brief explanation of the most commonly used configuration options is shown below:

  • port: Define the service name or service port.
  • logpath: Define the name of the log file fail2ban checks for.
  • bantime: Define the number of seconds a host will be blocked by fail2ban.
  • maxretry: Define the maximum number of failed login attempts a host is allowed before it is banned.
  • ignoreip: Define the IP addresses that fail2ban will ignore.

It is recommended to configure a Fail2Ban by creating a new configuration file named after the specific service /etc/fail2ban/jail.d/ directory instead of editing the existing jail.conf file.

Configure Fail2Ban for SSH

Note: For this to work you need to install the WP fail2ban plugin from your WP dashboard, and then follow the below instructions.

On Ubuntu Fail2Ban for SSH should automatically be enabled once you install Fail2Ban, but you can check if it is indeed enabled in the main jail.conf file or by checking the jail status with the CLI tool as shown in the sections below.

To manually configure Fail2Ban for SSH, you will need to create a jail.local file:

$ sudo nano /etc/fail2ban/jail.d/sshd.conf

Add the following lines:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
ignoreip = whitelist-IP

Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.

$ sudo systemctl restart fail2ban

The above configuration will block the remote IPs after three failed attempts to log in to your server via SSH. The remote host's IP will be blocked for 120 seconds.

Configure Fail2Ban for Webmin

To protect Webmin with Fail2Ban, edit the file jail.local as shown below:

$ sudo nano /etc/fail2ban/jail.d/webmin.conf

Add the following lines:

[webmin-auth]
enabled = true
port    = 10000
filter  = webmin-auth
logpath  = /var/log/auth.log
maxretry = 3
bantime = 120

Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.

$ sudo systemctl restart fail2ban

This configuration will monitors /var/log/auth files for unsuccessful login attempt to Webmin and block them for 120 seconds.

Configure Fail2Ban for WordPress

To protect the WordPress admin panel with Fail2Ban, you will need to download the Fail2ban filter configuration file for WordPress. You can download it with the following command:

$ sudo wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf

Next, create a Jail for WordPress by editing the file jail.local:

$ sudo nano /etc/fail2ban/jail.d/wordpress.conf

Add the following lines:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 300

Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.

$ sudo systemctl restart fail2ban

Configure Fail2Ban for ProFTP

To configure Fail2Ban for ProFTP, edit the file jail.local:

$ sudo nano /etc/fail2ban/jail.d/proftp.conf

Add the following lines:

[proftpd]

enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3
bantime = 300

Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.

$ sudo systemctl restart fail2ban

How to Check the Status of Jail

You can list all the activated Fail2Ban jail by running the following command:

$ sudo fail2ban-client status

You should get all activated jail in the following output:

Status
|- Number of jail:	6
`- Jail list:	proftpd, pure-ftpd, sshd, webmin-auth, wordpress

If you want to check the banning status of specific Fail2Ban jail (SSH), run the following command:

$ sudo fail2ban-client status sshd

You should see all IPs banned by Fail2Ban in the following output:

Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	14
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	3
   |- Total banned:	3
   `- Banned IP list:	209.208.62.183 221.181.185.19 222.186.30.112

You can also check the Fail2Ban log for the banned IPs:

$ sudo tail -f /var/log/fail2ban.log

Output:

2021-05-24 12:32:53,084 fail2ban.filter         [8715]: INFO    [ssh] Found 222.186.30.112 - 2021-05-24 12:32:53
2021-05-24 12:32:53,117 fail2ban.actions        [8715]: NOTICE  [ssh] Ban 222.186.30.112

If you want to block any remote IP address manually for SSH service, run the following command:

$ sudo fail2ban-client set sshd banip remote-ip-address

You can also check the Iptables rules added by Fail2Ban with the following command:

$ sudo iptables -nL

Output:

...
Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  222.186.42.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

How to unban IPs banned by Fail2Ban

By default, Fail2ban automatically unban the banned IPs at a predefined interval of time which you have specified in jail.local file.

To unban the banned IP manually, run the following command:

$ sudo fail2ban-client set sshd unbanip remote-ip-address

You can also add the trusted remote IPs in the jail.local file so that Fail2Ban will ignore those IPs.

$ sudo nano /etc/fail2ban/jail.local

Add the following lines at the top of the file:

[DEFAULT]

ignoreip = trusted-ip1 trusted-ip2

Save and close the file. Then, restart Fail2Ban to apply the configuration.

$ sudo systemctl restart fail2ban

Conclusion

In the above guide, you learned how to install and configure Fail2Ban for different services on a Ubuntu web server. We hope this will help you to configure Fail2Ban for other services to stop malicious users from hacking your site. If there is a service you want to see included in this article, leave a comment below or be in touch with Webdock support.

Related articles