Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It monitors server log files for patterns of repeated failed login attempts and blocks the IP addresses associated with these attempts. Fail2Ban uses iptables by default to block the offending IP addresses, but it can be configured to work with other firewalls as well. It is highly configurable and allows the administrator to set the number of failed attempts that trigger a ban, the duration of the ban, and the log files to monitor. It can also be configured to send email notifications when an IP address is banned. Fail2Ban is an essential tool for server administrators to protect against unauthorized access and improve server security.
Let’s install it:
sudo apt install fail2ban
Fail2Ban turns the authentication failures it finds in the logs into bans on the firewall. Enable and start the service:
sudo systemctl enable --now fail2ban
Now we have to tell it which services to monitor and how:
touk@ubuntu-server:~$ cd /etc/fail2ban/
touk@ubuntu-server:/etc/fail2ban$ ls
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.d paths-arch.conf paths-common.conf paths-debian.conf paths-opensuse.conf
Anything defined inside jail.conf is a protected service. It is recommended to put your own settings in a separate file named jail.local, because a system update will overwrite jail.conf and with it your configuration.
Inside /etc/fail2ban/filter.d you will find a list of files ending in .conf; these filters are the services Fail2Ban already knows how to parse.
touk@ubuntu-server:/etc/fail2ban/filter.d$ ls
3proxy.conf centreon.conf froxlor-auth.conf named-refused.conf qmail.conf sshd.conf
apache-auth.conf common.conf gitlab.conf nginx-botsearch.conf recidive.conf stunnel.conf
apache-badbots.conf counter-strike.conf grafana.conf nginx-http-auth.conf roundcube-auth.conf suhosin.conf
apache-botsearch.conf courier-auth.conf groupoffice.conf nginx-limit-req.conf scanlogd.conf tine20.conf
apache-common.conf courier-smtp.conf gssftpd.conf nsd.conf screensharingd.conf traefik-auth.conf
apache-fakegooglebot.conf cyrus-imap.conf guacamole.conf openhab.conf selinux-common.conf uwimap-auth.conf
apache-modsecurity.conf directadmin.conf haproxy-http-auth.conf openwebmail.conf selinux-ssh.conf vsftpd.conf
apache-nohome.conf domino-smtp.conf horde.conf oracleims.conf sendmail-auth.conf webmin-auth.conf
apache-noscript.conf dovecot.conf ignorecommands pam-generic.conf sendmail-reject.conf wuftpd.conf
apache-overflows.conf dropbear.conf kerio.conf perdition.conf sieve.conf xinetd-fail.conf
apache-pass.conf drupal-auth.conf lighttpd-auth.conf phpmyadmin-syslog.conf slapd.conf znc-adminlog.conf
apache-shellshock.conf ejabberd-auth.conf mongodb-auth.conf php-url-fopen.conf softethervpn.conf zoneminder.conf
assp.conf exim-common.conf monit.conf portsentry.conf sogo-auth.conf
asterisk.conf exim.conf murmur.conf postfix.conf solid-pop3d.conf
bitwarden.conf exim-spam.conf mysqld-auth.conf proftpd.conf squid.conf
botsearch-common.conf freeswitch.conf nagios.conf pure-ftpd.conf squirrelmail.conf
Let’s say I want to protect SSH. I would create the jail.local file and add this config:
sudo vim jail.local
[DEFAULT]
bantime = 1h
banaction = ufw
[sshd]
enabled = true
sudo systemctl restart fail2ban
If a brute-force attack happens, I’ll see ufw rules denying IP addresses when I issue sudo ufw status,
but because nobody is banned yet, we can check the state with:
sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
To see the status of a particular jail:
sudo fail2ban-client status sshd
touk@ubuntu-server:/etc/fail2ban$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
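To make concrete what the sshd jail above does with /var/log/auth.log before anything shows up in that Banned IP list, here is an added Python sketch (not Fail2Ban’s own code) of the counting logic: a sliding findtime window per source IP, a ban once maxretry failures fall inside it, and the bantime from jail.local applied to the ban. The log excerpt, the year used for the timestamps and the simplified regex standing in for filter.d/sshd.conf are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (sample data, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 ubuntu-server sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 ubuntu-server sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 ubuntu-server sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:12 ubuntu-server sshd[1204]: Failed password for touk from 198.51.100.9 port 40001 ssh2
Mar  3 10:00:14 ubuntu-server sshd[1204]: Accepted password for touk from 198.51.100.9 port 40001 ssh2
Mar  3 10:00:20 ubuntu-server sshd[1206]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:00:25 ubuntu-server sshd[1207]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:30:00 ubuntu-server sshd[1300]: Failed password for root from 192.0.2.44 port 6000 ssh2
Mar  3 11:00:00 ubuntu-server sshd[1301]: Failed password for root from 192.0.2.44 port 6001 ssh2
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (hypothetical, not the real filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so the lines can be ordered."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Return {host: (ban_start, ban_end)} for hosts with >= maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # e.g. "Accepted password": not a failure, never counted
        host, ts = m["host"], parse_ts(m["ts"])
        if host in bans:
            continue  # already banned; the real tool's banaction (ufw here) is blocking it
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # drop failures older than findtime (the jail's sliding window)
        if len(window) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

if __name__ == "__main__":
    for host, (start, end) in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")  # what 'Banned IP list' would show
```

With the defaults (maxretry 5, findtime 10 minutes, bantime 1 hour) only 203.0.113.7 is banned; 192.0.2.44 fails twice but 30 minutes apart, so its failures never accumulate inside one window.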
You can go and brute force your own server using Hydra or John the Ripper.