How to Install Fail2ban on Ubuntu 18.04

Posted October 15, 2019

Fail2ban is a great piece of security software. It monitors your log files to spot anyone trying to log in via SSH too many times (i.e., a brute-force attack), and then it bans their IP address for a while.

It can actually do more than that (email you, for instance), but that's the way most people use it, and that's what we're going to focus on during this tutorial.

Since most Chunkhost customers use Ubuntu Linux, this tutorial covers Ubuntu 18.04. If you're using something else, like CentOS perhaps, and you'd like a tutorial, let us know.

Installing Fail2ban

Step 1: Back up your server

A good first step is to take a quick snapshot of your server (go here and click "Details"). Chunkhost automatically takes free daily backups for all customers, but having an up-to-the-minute snapshot can't hurt.

Step 2: Update your server software

Now, let's make sure all the software on your server is up to date. This is optional, and if Fail2ban needs a certain version of something, it'll tell you, but it's still a good idea to do this.

apt-get update && apt-get upgrade

Step 3: Install Fail2ban

The final installation step is pretty darn simple:

apt-get install fail2ban

If you get any weird errors, you can always check StackOverflow, but this installation should work 99.9% of the time.

Configuring Fail2ban

By default, Fail2ban protects SSH, so if you just want to stop people from trying to brute force log in to your server, you don't actually have to change anything. Once you install Fail2ban, it begins working right away, and will restart anytime you reboot your server.

But if you do want to get a little deeper into the config, you can do that. Setting the software up looks daunting at first, but it's not actually tough. Let's jump in:

Setting up a fail2ban.local file (You can probably skip this*)

By default, Fail2ban uses a file called fail2ban.conf for configuration. We don't want to add any custom settings in there, because when we update Fail2ban in the future, it will overwrite our changes. Custom changes go in a fail2ban.local file, so let's create that:

cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

*The main things in this file are the log location, and the loglevel (how much information the log records). If you don't want to change the defaults (which are fine for most users), you can skip this step.

Setting up a jail.local file (You might be able to skip this*)

Fail2ban uses a file named jail.conf to configure most of its settings. Some of the things this covers include:

  • What services it watches for brute force attacks.
  • How many login attempts someone can make before being banned.
  • How long their IP is banned for.

By default, if someone tries to log in unsuccessfully 5 times, they get banned for 10 minutes. This is a fairly good setting, and will stop anyone from being able to launch a serious attack on your server from a single IP. You could change these settings if you wish (bearing in mind that you don't want to accidentally lock out legitimate users for too long if they somehow mess up their logins a bunch of times.)

To change them, you have to create a jail.local file since, again, the .conf files may be overwritten in the future when you update Fail2ban. Here's the command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Once you've made your new jail.local file, you can edit it:

nano -w /etc/fail2ban/jail.local

I'll point out some of the lines you can look for, but the format of the file is pretty clear:

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
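
To see how these three settings interact, here is an added example (not part of the original tutorial and not Fail2ban's own code): a simplified Python model that applies bantime, findtime and maxretry to sshd log lines. The function names, the regular expression and the sample log lines are constructed for illustration; the IPs are documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Simplified pattern for sshd password failures (assumption, not Fail2ban's filter).
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def sample_log():
    """Constructed auth.log-style lines: one fast attacker, one slow one."""
    fmt = ("Oct 15 10:{:02d}:{:02d} host sshd[101]: "
           "Failed password for root from {} port 40000 ssh2")
    fast = [fmt.format(0, s, "203.0.113.7") for s in (1, 5, 9, 14, 20)]
    slow = [fmt.format(m, 0, "198.51.100.9") for m in (0, 4, 8, 12, 16)]
    return "\n".join(fast + slow)

def seconds(value):
    """Convert a jail.local style value such as '10m' or '600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def simulate(log_text, bantime="10m", findtime="10m", maxretry=5, year=2019):
    """Return [(ip, ban_start, ban_end)] under a simplified model of one jail."""
    window = timedelta(seconds=seconds(findtime))
    ban_for = timedelta(seconds=seconds(bantime))
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                   # not a failed SSH password attempt
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, ts) > ts:
            continue                   # ban still active, nothing new to count
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > window: # forget failures older than findtime
            recent.popleft()
        if len(recent) >= maxretry:    # maxretry failures inside findtime
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            recent.clear()
    return bans
```

With the defaults, only 203.0.113.7 is banned: 198.51.100.9 also fails five times, but one attempt every four minutes never puts five failures inside a single 10-minute findtime window. Calling simulate(sample_log(), findtime="20m") bans both.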

Conclusion

This has been a fairly quick look at getting Fail2ban up and running on your server, and blocking SSH attacks. There are a lot of great tutorials out there on getting really deep with it, and customizing it, so if you want to go a lot further, you definitely can.

We're planning to write some more tutorials on Fail2ban, so keep your eyes on our knowledge base!