How to configure Fail2Ban for common services
Last updated: August 22nd 2023
Introduction
Fail2Ban is a free and open-source intrusion prevention tool. It is written in Python and protects your Linux server from brute-force login attacks. If any service on your system requires authentication, attackers and bots will try to break in by continuously authenticating with different credentials. SSH is a good example of this type of service and is the first choice of attackers and bots for brute-force attacks.
How Does Fail2Ban Work?
Fail2Ban monitors server log files (such as /var/log/auth.log or /var/log/apache/access.log) for intrusion attempts and other suspicious activity. Once a predefined number of failures has been detected from a remote host, Fail2Ban automatically blocks that host's IP address for a specific amount of time. In other words, Fail2Ban identifies remote IPs that make too many login attempts. After detecting an abusive IP address, Fail2Ban can perform multiple actions, such as updating iptables firewall rules, adding the IP address to TCP Wrapper's hosts.deny table, sending an email notification, or running any other user-defined action.
Fail2Ban can protect different services, such as FTP, SSH, Apache, Webmin, Docker, WordPress and essentially any service that writes information to log files, against brute-force login attacks.
In this post, we will show you how to install and configure Fail2Ban to protect your server from brute force login attacks for some common services.
Please note: Doing these actions may temporarily bring down your server. Do these actions with caution on a live site.
Prerequisites
- A Webdock cloud Ubuntu 20.04 instance with LEMP or LAMP installed.
- You have shell (SSH) access to your VPS.
How to Install Fail2Ban
By default, Fail2Ban is installed in the Webdock LAMP/LEMP stack. If not installed you can install it using the following command:
$ sudo apt install fail2ban -y
Once Fail2Ban is installed, you can check the status of Fail2Ban with the following command:
$ sudo systemctl status fail2ban
Output:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-05-24 12:08:07 UTC; 3min 5s ago
       Docs: man:fail2ban(1)
   Main PID: 341 (f2b/server)
      Tasks: 7 (limit: 464145)
     Memory: 14.6M
     CGroup: /system.slice/fail2ban.service
             └─341 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 24 12:08:07 ubuntu systemd[1]: Starting Fail2Ban Service...
May 24 12:08:07 ubuntu systemd[1]: Started Fail2Ban Service.
May 24 12:08:08 ubuntu fail2ban-server[341]: Server ready
How to Configure Fail2Ban?
Fail2Ban configuration files are located inside the /etc/fail2ban directory. You can check them with the following command:
$ sudo ls -l /etc/fail2ban/
You should see the following output:
drwxr-xr-x 2 root root    65 Jun  4  2020 action.d
-rw-r--r-- 1 root root  2817 Jan 11  2020 fail2ban.conf
drwxr-xr-x 2 root root     2 Mar  2  2020 fail2ban.d
drwxr-xr-x 3 root root    90 Jun  4  2020 filter.d
-rw-r--r-- 1 root root 25740 Jan 11  2020 jail.conf
drwxr-xr-x 2 root root     4 Jun  4  2020 jail.d
-rw-r--r-- 1 root root   645 Jan 11  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Jan 11  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Jan 11  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Jan 11  2020 paths-opensuse.conf
Here jail.conf is the main configuration file and lists all available options. It contains jail configurations for many services, such as HTTP, FTP, SSH, Squid, Monit, Horde, Drupal and more. To enable a specific jail, you just need to add "enabled = true" below the header of that jail's section.
A brief explanation of the most commonly used configuration options is shown below:
- port: Define the service name or service port.
- logpath: Define the log file that fail2ban checks.
- bantime: Define the number of seconds a host will be blocked by fail2ban.
- maxretry: Define the maximum number of failed login attempts a host is allowed before it is banned.
- ignoreip: Define the IP addresses that fail2ban will ignore.
It is recommended to configure Fail2Ban by creating a new configuration file, named after the specific service, in the /etc/fail2ban/jail.d/ directory instead of editing the existing jail.conf file.
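To make the interplay of these options concrete, here is an added example (not part of the original article or of Fail2Ban itself) that replays constructed auth.log lines through a small model of a jail using the values of the SSH jail configured later in this article (maxretry = 3, bantime = 120) and a constructed ignoreip network; findtime is not shown in this article, so Fail2Ban's default of 600 seconds is assumed, and the failregex is a simplified stand-in for the real sshd filter.

```python
import re
import ipaddress
from collections import defaultdict

# Simplified stand-in for fail2ban's sshd failregex (the real filter is more elaborate).
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+)")
# Settings mirroring the [sshd] jail in this article; findtime is assumed at fail2ban's default (600 s).
MAXRETRY, BANTIME, FINDTIME = 3, 120, 600
IGNOREIP = ["203.0.113.0/24"]  # constructed whitelist standing in for "whitelist-IP"

def is_ignored(host):
    """True when the host lies inside any ignoreip network."""
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in IGNOREIP)

def simulate(lines):
    """Replay (seconds, auth.log line) pairs; return the Ban/Unban events the jail would emit."""
    failures = defaultdict(list)  # host -> timestamps of failures inside findtime
    banned = {}                   # host -> time at which the ban expires
    events = []
    for now, line in lines:
        for host, until in list(banned.items()):  # lift bans whose bantime has elapsed
            if now >= until:
                del banned[host]
                events.append(("Unban", host, now))
        match = FAILREGEX.search(line)
        if not match:
            continue  # not a failed login, e.g. "Accepted publickey"
        host = match.group("host")
        if is_ignored(host) or host in banned:
            continue  # whitelisted hosts are never counted; banned hosts need no new ban
        recent = [ts for ts in failures[host] if now - ts <= FINDTIME] + [now]
        failures[host] = recent
        if len(recent) >= MAXRETRY:
            banned[host] = now + BANTIME
            failures[host] = []
            events.append(("Ban", host, now))
    return events

# Constructed sample in the style of /var/log/auth.log; times are seconds from start.
SAMPLE = [
    (0, "sshd[1201]: Failed password for root from 198.51.100.7 port 4011 ssh2"),
    (5, "sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 4012 ssh2"),
    (7, "sshd[1203]: Failed password for root from 203.0.113.9 port 4020 ssh2"),
    (8, "sshd[1204]: Failed password for root from 203.0.113.9 port 4021 ssh2"),
    (9, "sshd[1205]: Failed password for root from 203.0.113.9 port 4022 ssh2"),
    (11, "sshd[1206]: Failed password for root from 198.51.100.7 port 4013 ssh2"),
    (140, "sshd[1207]: Accepted publickey for deploy from 192.0.2.5 port 5000 ssh2"),
]
if __name__ == "__main__":
    print(simulate(SAMPLE))  # [('Ban', '198.51.100.7', 11), ('Unban', '198.51.100.7', 140)]
```

The host in the ignoreip network fails three times without being banned, while the other host is banned on its third failure and released once bantime has elapsed.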
Configure Fail2Ban for SSH
Note: The WordPress jail described later in this article requires the WP fail2ban plugin, installed from your WP dashboard, before you follow those instructions.
On Ubuntu, the SSH jail should be enabled automatically once you install Fail2Ban, but you can verify this in the main jail.conf file or by checking the jail status with the CLI tool as shown in the sections below.
To manually configure Fail2Ban for SSH, create a jail file for sshd in the jail.d directory:
$ sudo nano /etc/fail2ban/jail.d/sshd.conf
Add the following lines:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
ignoreip = whitelist-IP
Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
The above configuration blocks a remote IP after three failed attempts to log in to your server via SSH. The remote host's IP stays blocked for 120 seconds.
Configure Fail2Ban for Webmin
To protect Webmin with Fail2Ban, create a jail file for it in the jail.d directory:
$ sudo nano /etc/fail2ban/jail.d/webmin.conf
Add the following lines:
[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
This configuration monitors /var/log/auth.log for unsuccessful Webmin login attempts and blocks the offending hosts for 120 seconds.
Configure Fail2Ban for WordPress
To protect the WordPress admin panel with Fail2Ban, you will need to download the Fail2Ban filter configuration file for WordPress. You can download it with the following command:
$ sudo wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf
Next, create a jail file for WordPress in the jail.d directory:
$ sudo nano /etc/fail2ban/jail.d/wordpress.conf
Add the following lines:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 300
Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
Configure Fail2Ban for ProFTPD
To configure Fail2Ban for ProFTPD, create a jail file for it in the jail.d directory:
$ sudo nano /etc/fail2ban/jail.d/proftp.conf
Add the following lines:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3
bantime = 300
Save and close the file when you are finished, then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
How to Check the Status of Jail
You can list all activated Fail2Ban jails by running the following command:
$ sudo fail2ban-client status
You should see all activated jails in the following output:
Status
|- Number of jail:	6
`- Jail list:	proftpd, pure-ftpd, sshd, webmin-auth, wordpress
If you want to check the banning status of a specific Fail2Ban jail (here sshd), run the following command:
$ sudo fail2ban-client status sshd
You should see all IPs banned by that jail in the following output:
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	14
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	3
   |- Total banned:	3
   `- Banned IP list:	209.208.62.183 221.181.185.19 222.186.30.112
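If you want to feed this status into monitoring or alerting rather than read it by eye, here is an added example (not from the original article or from Fail2Ban) that parses the tree-style output shown above into a dictionary; the sample text is a constructed copy of that output.

```python
import re

# Constructed copy of the `fail2ban-client status sshd` output shown above.
STATUS_OUTPUT = """Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     14
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   209.208.62.183 221.181.185.19 222.186.30.112
"""

# Strips the tree drawing ("|  |- ") and splits "Field name: value".
FIELD_RE = re.compile(r"^[|`\s-]*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
LIST_FIELDS = {"banned_ip_list", "file_list"}

def parse_jail_status(text):
    """Return the status fields as a dict: counters as int, lists as list, the rest as str."""
    status = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # "|- Filter" and "`- Actions" carry no value
        key = match.group("key").strip().lower().replace(" ", "_")
        value = match.group("value").strip()
        if key == "status_for_the_jail":
            status["jail"] = value
        elif key in LIST_FIELDS:
            status[key] = value.split()
        elif value.isdigit():
            status[key] = int(value)
        else:
            status[key] = value
    return status

def banned_hosts(text):
    """Convenience accessor for monitoring: the currently banned IPs of a jail."""
    return parse_jail_status(text).get("banned_ip_list", [])

def counters_consistent(status):
    """Sanity check: the reported ban counter should match the length of the IP list."""
    return status.get("currently_banned") == len(status.get("banned_ip_list", []))
```

In practice you would pass the captured output of `sudo fail2ban-client status <jail>` to parse_jail_status instead of the embedded sample.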
You can also check the Fail2Ban log for the banned IPs:
$ sudo tail -f /var/log/fail2ban.log
Output:
2021-05-24 12:32:53,084 fail2ban.filter         [8715]: INFO    [ssh] Found 222.186.30.112 - 2021-05-24 12:32:53
2021-05-24 12:32:53,117 fail2ban.actions        [8715]: NOTICE  [ssh] Ban 222.186.30.112
If you want to block any remote IP address manually for SSH service, run the following command:
$ sudo fail2ban-client set sshd banip remote-ip-address
You can also check the iptables rules added by Fail2Ban with the following command:
$ sudo iptables -nL
Output:
...
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  222.186.42.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
How to unban IPs banned by Fail2Ban
By default, Fail2Ban automatically unbans a banned IP once the bantime you specified in the jail file has elapsed.
To unban the banned IP manually, run the following command:
$ sudo fail2ban-client set sshd unbanip remote-ip-address
You can also add trusted remote IPs to the jail.local file so that Fail2Ban ignores them.
$ sudo nano /etc/fail2ban/jail.local
Add the following lines at the top of the file:
[DEFAULT]
ignoreip = trusted-ip1 trusted-ip2
Save and close the file. Then, restart Fail2Ban to apply the configuration.
$ sudo systemctl restart fail2ban
Conclusion
In the above guide, you learned how to install and configure Fail2Ban for different services on an Ubuntu web server. We hope this will help you configure Fail2Ban for other services to stop malicious users from hacking your site. If there is a service you want to see included in this article, leave a comment below or get in touch with Webdock support.