Introduction
Fail2Ban is a free and open-source intrusion prevention tool. It is written in the Python programming language and is used to protect your Linux server from brute-force login attacks. If any service on your system requires authentication, attackers and bots will try to break that authentication by continuously authenticating with different credentials. SSH is a good example of this type of service: it is the first choice of attackers and bots for brute-force attacks.
How Does Fail2Ban Work?
Fail2Ban monitors server log files (such as /var/log/auth.log or /var/log/apache/access.log) for intrusion attempts and other suspicious activity. Once a predefined number of failures has been detected from a remote host, Fail2Ban automatically blocks that host's IP address for a specific amount of time. In this way Fail2Ban finds any remote IP that is making too many login attempts. After detecting an abusive IP address, Fail2Ban can perform multiple actions, such as updating iptables firewall rules, adding the IP address to TCP Wrapper's hosts.deny table, sending an email notification, or running any other user-defined action.
Fail2Ban protects different services, such as FTP, SSH, Apache, Webmin, Docker, WordPress and essentially any service that writes information to a log file, against brute-force login attacks.
In this post, we will show you how to install and configure Fail2Ban to protect your server from brute force login attacks for some common services.
Please note: Doing these actions may temporarily bring down your server. Do these actions with caution on a live site.
Prerequisites
- A Webdock cloud Ubuntu 20.04 instance with LEMP or LAMP installed.
- You have shell (SSH) access to your VPS.
How to Install Fail2Ban
By default, Fail2Ban is installed in the Webdock LAMP/LEMP stack. If not installed you can install it using the following command:
$ sudo apt install fail2ban -y
Once Fail2Ban is installed, you can check the status of Fail2Ban with the following command:
$ sudo systemctl status fail2ban
Output:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-05-24 12:08:07 UTC; 3min 5s ago
       Docs: man:fail2ban(1)
   Main PID: 341 (f2b/server)
      Tasks: 7 (limit: 464145)
     Memory: 14.6M
     CGroup: /system.slice/fail2ban.service
             └─341 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
May 24 12:08:07 ubuntu systemd[1]: Starting Fail2Ban Service...
May 24 12:08:07 ubuntu systemd[1]: Started Fail2Ban Service.
May 24 12:08:08 ubuntu fail2ban-server[341]: Server ready
How to Configure Fail2Ban?
Fail2Ban configuration files are located inside the /etc/fail2ban directory. You can check them with the following command:
$ sudo ls -l /etc/fail2ban/
You should see the following output:
drwxr-xr-x 2 root root    65 Jun  4  2020 action.d
-rw-r--r-- 1 root root  2817 Jan 11  2020 fail2ban.conf
drwxr-xr-x 2 root root     2 Mar  2  2020 fail2ban.d
drwxr-xr-x 3 root root    90 Jun  4  2020 filter.d
-rw-r--r-- 1 root root 25740 Jan 11  2020 jail.conf
drwxr-xr-x 2 root root     4 Jun  4  2020 jail.d
-rw-r--r-- 1 root root   645 Jan 11  2020 paths-arch.conf
-rw-r--r-- 1 root root  2827 Jan 11  2020 paths-common.conf
-rw-r--r-- 1 root root   573 Jan 11  2020 paths-debian.conf
-rw-r--r-- 1 root root   738 Jan 11  2020 paths-opensuse.conf
Here jail.conf is the main configuration file and lists all available options. It contains jail configurations for many services, such as HTTP, FTP, SSH, Squid, Monit, Horde, Drupal and more. You just need to add "enabled = true" below a jail's section header to enable that specific jail.
A brief explanation of the most commonly used configuration options is shown below:
- port: Define the service name or service port.
- logpath: Define the path of the log file that Fail2Ban monitors.
- bantime: Define the number of seconds a host will be blocked by fail2ban.
- maxretry: Define the maximum number of failed login attempts a host is allowed before it is banned.
- ignoreip: Define the IP addresses that fail2ban will ignore.
It is recommended to configure Fail2Ban by creating a new configuration file named after the specific service in the /etc/fail2ban/jail.d/ directory instead of editing the existing jail.conf file.
Configure Fail2Ban for SSH
Note: The WordPress jail described later in this guide only works after you install the WP fail2ban plugin from your WP dashboard; do that first, then follow the WordPress instructions below.
On Ubuntu, the Fail2Ban jail for SSH should be enabled automatically once Fail2Ban is installed, but you can confirm this in the main jail.conf file or by checking the jail status with the CLI tool, as shown in the sections below.
To manually configure Fail2Ban for SSH, create a jail file for it in the /etc/fail2ban/jail.d/ directory:
$ sudo nano /etc/fail2ban/jail.d/sshd.conf
Add the following lines:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
ignoreip = whitelist-IP
Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
The above configuration blocks a remote IP after three failed attempts to log in to your server via SSH. The remote host's IP stays blocked for 120 seconds.
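To make the counting rules above concrete, here is an added Python simulation (not part of the original guide and not Fail2Ban's own code) of how the sshd jail behaves: it replays constructed auth.log lines through a simplified stand-in for the sshd failregex, counts failures per source IP inside findtime (a real jail option, default 10 minutes, not listed above), bans after maxretry = 3 for bantime = 120 seconds, and never counts hosts listed in ignoreip.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth.log lines (documentation IP ranges, not real hosts)
SAMPLE_AUTH_LOG = """\
May 24 12:30:01 ubuntu sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 24 12:30:05 ubuntu sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 24 12:30:09 ubuntu sshd[1203]: Failed password for root from 203.0.113.7 port 51244 ssh2
May 24 12:30:12 ubuntu sshd[1204]: Failed password for root from 198.51.100.9 port 40000 ssh2
May 24 12:30:20 ubuntu sshd[1205]: Failed password for root from 192.0.2.10 port 40001 ssh2
May 24 12:30:21 ubuntu sshd[1206]: Failed password for root from 192.0.2.10 port 40002 ssh2
May 24 12:30:22 ubuntu sshd[1207]: Failed password for root from 192.0.2.10 port 40003 ssh2
May 24 12:30:30 ubuntu sshd[1208]: Accepted publickey for deploy from 198.51.100.9 port 40010 ssh2
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (the real filter has many more patterns)
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
def _epoch(ts):
    """Syslog stamps carry no year; assume 2021 like the guide's own sample output."""
    dt = datetime.strptime(f"{ts} 2021", "%b %d %H:%M:%S %Y")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def run_jail(log_text, maxretry=3, findtime=600, bantime=120, ignoreip=()):
    """Replay log lines through a simplified sshd jail and return the ban events."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}              # ip -> epoch second at which the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue               # successful logins and unrelated lines are not counted
        ip, t = m["ip"], _epoch(m["ts"])
        if ip in ignoreip:
            continue               # whitelisted hosts are never counted or banned
        if banned_until.get(ip, 0) > t:
            continue               # still banned: the firewall rule is dropping it
        window = failures[ip]
        window.append(t)
        while t - window[0] > findtime:
            window.popleft()       # only failures within findtime count
        if len(window) >= maxretry:
            banned_until[ip] = t + bantime
            bans.append({"ip": ip, "ban_at": t, "unban_at": t + bantime})
            window.clear()         # ban fires once; counting restarts after unban
    return bans
```

Run with ignoreip=("192.0.2.10",) to see only 203.0.113.7 banned; the host with a single failure is never touched.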
Configure Fail2Ban for Webmin
To protect Webmin with Fail2Ban, create a jail file for it as shown below:
$ sudo nano /etc/fail2ban/jail.d/webmin.conf
Add the following lines:
[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3
bantime = 120
Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
This configuration monitors /var/log/auth.log for unsuccessful login attempts to Webmin and blocks the offending IP for 120 seconds.
Configure Fail2Ban for WordPress
To protect the WordPress admin panel with Fail2Ban, you will need to download the Fail2Ban filter configuration file for WordPress, which is shipped with the WP fail2ban plugin. You can download it with the following command:
$ sudo wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf
Next, create a jail file for WordPress in the /etc/fail2ban/jail.d/ directory:
$ sudo nano /etc/fail2ban/jail.d/wordpress.conf
Add the following lines:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 300
Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
Configure Fail2Ban for ProFTPD
To configure Fail2Ban for ProFTPD, create a jail file for it:
$ sudo nano /etc/fail2ban/jail.d/proftp.conf
Add the following lines:
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 3
bantime = 300
Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.
$ sudo systemctl restart fail2ban
How to Check the Status of a Jail
You can list all the active Fail2Ban jails by running the following command:
$ sudo fail2ban-client status
You should see all active jails in the following output:
Status
|- Number of jail:	6
`- Jail list:	proftpd, pure-ftpd, sshd, webmin-auth, wordpress
If you want to check the banning status of a specific Fail2Ban jail (for example sshd), run the following command:
$ sudo fail2ban-client status sshd
You should see all IPs banned by Fail2Ban in the following output:
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	14
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	3
   |- Total banned:	3
   `- Banned IP list:	209.208.62.183 221.181.185.19 222.186.30.112
You can also check the Fail2Ban log for the banned IPs:
$ sudo tail -f /var/log/fail2ban.log
Output:
2021-05-24 12:32:53,084 fail2ban.filter         [8715]: INFO    [ssh] Found 222.186.30.112 - 2021-05-24 12:32:53
2021-05-24 12:32:53,117 fail2ban.actions        [8715]: NOTICE  [ssh] Ban 222.186.30.112
If you want to block any remote IP address manually for SSH service, run the following command:
$ sudo fail2ban-client set sshd banip remote-ip-address
You can also check the iptables rules added by Fail2Ban with the following command:
$ sudo iptables -nL
Output:
...
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  222.186.42.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
How to unban IPs banned by Fail2Ban
By default, Fail2Ban automatically unbans a banned IP once the bantime you specified in the jail configuration has elapsed.
To unban the banned IP manually, run the following command:
$ sudo fail2ban-client set sshd unbanip remote-ip-address
You can also add trusted remote IPs to the jail.local file so that Fail2Ban ignores those IPs in every jail.
$ sudo nano /etc/fail2ban/jail.local
Add the following lines at the top of the file:
[DEFAULT]
ignoreip = trusted-ip1 trusted-ip2
Save and close the file. Then, restart Fail2Ban to apply the configuration.
$ sudo systemctl restart fail2ban
Conclusion
In the above guide, you learned how to install and configure Fail2Ban for different services on an Ubuntu web server. We hope this will help you configure Fail2Ban for other services as well, to stop malicious users from breaking into your site. If there is a service you want to see included in this article, leave a comment below or get in touch with Webdock support.