How to Install Fail2Ban on Ubuntu 18.04

r00t May 24, 2018

Install Fail2Ban on Ubuntu 18.04

In this tutorial we will show you how to install Fail2Ban on Ubuntu 18.04 and how to install and configure its prerequisites. Fail2Ban is a free and open-source intrusion prevention tool written in Python that protects servers from brute-force and similar attacks. It works by continuously monitoring log files (Apache, SSH and others) and running actions when it finds matching entries. Most commonly it is used to block IP addresses that make repeated illegitimate login attempts against the system. A blocked address stays banned for a period of time set by the administrator, and Fail2Ban can be configured to send an email notification when someone is attacking your server. In short, Fail2Ban scans the log files of services such as SSH, FTP, SMTP and Apache and blocks any IP address that produces too many password failures.

I recommend a minimal Ubuntu server setup as the basis for this tutorial: either a virtual or root server image with an Ubuntu 18.04 LTS minimal install from a web hosting company, or a server installed from scratch using our minimal server tutorial.

Install Fail2Ban on Ubuntu 18.04

Step 1. First, ensure your system and apt package lists are fully up-to-date by running the following:

apt-get update -y
apt-get upgrade -y

Step 2. Installing Fail2ban on Ubuntu 18.04

Fail2ban is available in the default Ubuntu 18.04 package repository, so you can install it with a single command. sendmail is installed alongside it so that Fail2Ban's stock mail actions have a local mailer to use:

sudo apt-get install fail2ban sendmail

Step 3. Configure Fail2Ban.

Fail2Ban reads /etc/fail2ban/jail.conf first and then applies the overrides in /etc/fail2ban/jail.local. Put your changes in jail.local (it does not exist on a fresh install; the command below creates it) and leave jail.conf untouched, so a package upgrade cannot overwrite your settings. Let's make some changes that fit our server as it stands right now:

nano /etc/fail2ban/jail.local

Add the following lines:

## Jail for failed HTTP basic-auth logins against Apache.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
## Trusted address that is never banned: replace with your own admin IP(s) so you cannot lock yourself out.
ignoreip = 192.168.15.189
 
## Jail for hosts requesting overly long or malformed URLs (overflow probes).
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
 
## Jail for hosts probing the website for scripts that do not exist, in the hope of executing them.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
 
## Jail for known malicious bots, matched by their User-Agent string.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
 
## Jail to limit HTTP GET floods from a single host (more than maxretry requests within findtime seconds).
## Note: http-get-dos is not a filter shipped with Fail2Ban; create /etc/fail2ban/filter.d/http-get-dos.conf before enabling this jail.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 192.168.15.189
action = iptables[name=HTTP, port=http, protocol=tcp]
 
## Jail for failed SSH logins. Ubuntu's package already enables the stock [sshd] jail in /etc/fail2ban/jail.d/defaults-debian.conf; this explicit jail uses the same sshd filter.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
ignoreip = 192.168.15.189
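
To see what the jail options above actually do, here is a small added example written for this page (it is not Fail2Ban's own code). It models one jail in Python, the language Fail2Ban is written in, over a constructed sample of /var/log/auth.log: a simplified sshd-style failregex (an assumption; the real sshd filter handles many more cases) extracts the client address, failures are counted per host inside a sliding findtime window, a host reaching maxretry is banned for bantime seconds, and hosts matching ignoreip are never counted. On a ban it also fills in an actionban-style message using the same <ip>/<failures>/<name> tag convention that Fail2Ban action files use. The jails above do not set findtime, so the example uses Fail2Ban's default of 600 seconds; the log year is assumed to be 2018 because syslog timestamps carry none.

```python
"""Toy model of a Fail2Ban jail (added example, not Fail2Ban's own code)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
May 24 10:00:01 srv-ubuntu sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 24 10:00:03 srv-ubuntu sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
May 24 10:00:05 srv-ubuntu sshd[1205]: Accepted publickey for deploy from 192.168.15.189 port 40000 ssh2
May 24 10:00:06 srv-ubuntu sshd[1207]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 24 10:00:09 srv-ubuntu sshd[1209]: Failed password for root from 192.168.15.189 port 40001 ssh2
May 24 10:00:10 srv-ubuntu sshd[1211]: Failed password for root from 192.168.15.189 port 40002 ssh2
May 24 10:00:11 srv-ubuntu sshd[1213]: Failed password for root from 192.168.15.189 port 40003 ssh2
May 24 10:30:00 srv-ubuntu sshd[1301]: Failed password for root from 198.51.100.9 port 60000 ssh2
May 24 10:30:01 srv-ubuntu sshd[1302]: Failed password for root from 198.51.100.9 port 60001 ssh2
May 24 10:45:00 srv-ubuntu sshd[1303]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""

# Simplified stand-in for the pattern in Fail2Ban's sshd filter (assumption: the real one has more cases).
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)
LOG_YEAR = 2018  # assumed: syslog timestamps carry no year

# Message template in the same <tag> style as the actionban line of an action file.
BAN_TEMPLATE = "The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>."


def parse_ts(text):
    """Turn a syslog timestamp into a datetime so findtime/bantime arithmetic works."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def render(template, **tags):
    """Substitute <tag> placeholders; unknown tags are left untouched."""
    return re.sub(r"<(\w+)>", lambda m: str(tags.get(m.group(1), m.group(0))), template)


class Jail:
    def __init__(self, name, maxretry=3, findtime=600, bantime=600, ignoreip=()):
        self.name = name
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps of failures still inside findtime
        self.bans = {}                       # host -> time the ban expires
        self.messages = []                   # rendered actionban messages

    def is_ignored(self, host):
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in self.ignore)

    def feed(self, line):
        m = FAILREGEX.match(line)
        if not m:
            return "no-match"            # not a failure line for this filter
        host, when = m.group("host"), parse_ts(m.group("ts"))
        if self.is_ignored(host):
            return "ignored"             # trusted address: never counted, never banned
        if host in self.bans and when < self.bans[host]:
            return "already-banned"
        window = self.failures[host]
        window.append(when)
        while when - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return "counted"
        self.bans[host] = when + self.bantime
        self.messages.append(render(BAN_TEMPLATE, ip=host, failures=len(window), name=self.name))
        window.clear()
        return "banned"


def run_jail(log_text, **options):
    """Replay a whole log through a jail and return it for inspection."""
    jail = Jail(**options)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = run_jail(SAMPLE_AUTH_LOG, name="ssh", maxretry=3, bantime=600, ignoreip=["192.168.15.189"])
    for host, expiry in jail.bans.items():
        print(f"banned {host} until {expiry:%H:%M:%S}")
    for msg in jail.messages:
        print(msg)
```

Running it bans 203.0.113.7 after its third failure within a few seconds, leaves 192.168.15.189 alone despite three failures (ignoreip), and never bans 198.51.100.9 because its third failure comes 900 seconds after the first, outside the 600-second findtime window. On the real server the equivalent check is fail2ban-regex /var/log/auth.log sshd, which shows how many lines the stock filter matches in your log.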

We use sendemail (the command-line mailer from the Ubuntu package sendemail, not the sendmail MTA installed in Step 2) for our scripts, so we will also use it for Fail2Ban. Fail2Ban needs an action file that tells it how to call sendemail:

nano /etc/fail2ban/action.d/sendemail-whois-lines.conf

Add the following lines:

[Definition]
actionstart =  /usr/bin/sendemail -f <sender> -t <dest> -s <smtp> -xu <sender> -xp <password> -u "[Fail2Ban] <servername> <name>: started" -m "The jail <name> has been started successfully.\n\nFail2Ban"
actionstop =  /usr/bin/sendemail -f <sender> -t <dest> -s <smtp> -xu <sender> -xp <password> -u "[Fail2Ban] <servername> <name>: stopped" -m "The jail <name> has been stopped.\n\nFail2Ban"
actioncheck =
actionban =  /usr/bin/sendemail -f <sender> -t <dest> -s <smtp> -xu <sender> -xp <password> -u "[Fail2Ban] <servername> <name>: banned <ip>" -m "The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\nHere is more information about <ip>:\n `/usr/bin/whois <ip>`\n\n Lines containing IP:<ip> in <logpath>\n`/bin/grep '\<<ip>\>' <logpath>`\n\n\n\nFail2Ban"
actionunban =

[Init]
## Amended to be the same as the SMTP user
sender = fail2ban@myvpsource.com
## SMTP password for user; uncomment and set it if your SMTP server requires authentication (the actions above pass it with -xp)
#password = XXXXXXX
## SMTP server - use port 587 for Google rather than 25 (times out too often) or 465 (crashes sendemail)
#smtp = smtp.googlemail.com:587
smtp = srv-mail

## Name for this server - handy when there are lots of servers sending emails to the destemail
servername = srv-ubuntu

Save the file. The action only runs for jails whose action line references it, for example action = sendemail-whois-lines[name=SSH, dest=admin@example.com] (dest is not set in [Init], so it must be passed here). Then restart the fail2ban service:

systemctl restart fail2ban

Congratulations! You have successfully installed and configured Fail2Ban on your Ubuntu 18.04 LTS server. Thanks for using this tutorial on installing Fail2Ban on an Ubuntu 18.04 (Bionic Beaver) system.
