A few days ago we showed you how to install and use DenyHosts on Ubuntu 14.04. This post is going to show you how to install and use a similar tool called fail2ban on Ubuntu 14.04.

Like DenyHosts, fail2ban also checks your server logs to look for patterns that resemble an attack on your servers and services. If your servers are under an active attack, fail2ban bans the IP addresses that these attacks are originating from.

An active attack could be repeated failed attempts to sign onto your servers using the SSH protocol with combinations of different users and passwords. These are commonly known as brute force attacks.

DenyHosts and fail2ban are very good at detecting these attacks and may prevent your servers from being compromised.

If you haven’t read our previous post on installing and using DenyHosts, please check it here.

When you’re ready to install fail2ban on Ubuntu 14.04, continue below. The steps below will get you started.

Install Fail2ban Ubuntu

  • Installing fail2ban on Ubuntu 14.04

To install fail2ban on Ubuntu, run the commands below.

sudo apt-get update && sudo apt-get install fail2ban


After installing the tool, its default configuration file is installed at /etc/fail2ban/jail.conf. This is the file you’ll need to edit to suit your environment.

Many of the services that need protecting already have their own sections in the file, configured but disabled. You must individually enable each service that is running on your servers.


  • Configuring fail2ban

To open the file and begin configuring it, run the command below:

sudo vi /etc/fail2ban/jail.conf


By default the SSH protocol is enabled and protected. Without further changes, anyone trying to brute force their way into your server will automatically be banned or locked out after 6 failed tries. Fail2ban monitors the standard port of each protocol. If you configure a service on your server to use a non-standard port, you must specify the new port number for that service.

For example, if you change your ssh port number from the default to 2222, you must set port = 2222 in the [ssh] section in place of the default port = ssh shown below.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Other services are configured but are not enabled. You can tell by the value false for enabled under each service.

To enable and protect a service that is running on your server, scroll down to the service’s section and change the value of enabled to true.

Since most servers are designed to run only the minimum of services, you may only need to protect SSH. Other services like Apache2 and xinetd might not need to be configured.
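Rather than editing jail.conf in place, fail2ban also reads an optional /etc/fail2ban/jail.local after it, and any key set there overrides the same key in jail.conf, so a package upgrade that replaces jail.conf does not undo your changes. The script below is an added example, not code from the original post or from the fail2ban project: it writes such an override that enables the ssh jail on a custom port and sets the ban parameters, then reads the values back to confirm them. The target directory and the port are parameters, and the admin network in ignoreip (192.0.2.0/24) is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post): generate a jail.local
# override for fail2ban 0.8.x on Ubuntu 14.04 instead of editing jail.conf.
# Keys set in jail.local take precedence over the same keys in jail.conf.

# write_jail_local DIR PORT
#   DIR  - directory holding jail.conf (/etc/fail2ban on a real server;
#          a scratch directory for a dry run)
#   PORT - the port sshd actually listens on, e.g. 2222
write_jail_local() {
    dir="$1"
    ssh_port="$2"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# Never ban localhost or the (assumed, placeholder) admin network.
ignoreip = 127.0.0.1/8 192.0.2.0/24
# How long an address stays banned, in seconds (one hour).
bantime  = 3600
# Window in which failures are counted, in seconds (ten minutes).
findtime = 600
# Failures inside the window before a ban, unless a jail overrides it.
maxretry = 5

[ssh]
enabled  = true
port     = $ssh_port
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
EOF
}

# ini_get FILE SECTION KEY
#   Print the value of KEY inside [SECTION]; used to verify the override.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s                         { in_s = 1; next }  # wanted section
        /^\[/                           { in_s = 0 }        # other header
        in_s && $0 ~ ("^" k "[ \t]*=")  {                   # "key = value"
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Dry run in a scratch directory; on the server use /etc/fail2ban instead.
scratch=$(mktemp -d)
write_jail_local "$scratch" 2222
ini_get "$scratch/jail.local" ssh port        # prints 2222
rm -rf "$scratch"

# After writing the real file on Ubuntu 14.04:
#   sudo service fail2ban restart
#   sudo fail2ban-client status ssh      # jail status and banned addresses
```

Once the service has been restarted, `sudo fail2ban-client status ssh` lists the jail’s currently banned addresses, and `sudo iptables -L fail2ban-ssh -n` shows the chain fail2ban inserted for that jail.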

For each section:

Enabled = simply means that the service is enabled for monitoring by fail2ban.

Port = is the port number of the service to monitor. By default, fail2ban monitors standard ports, so if you changed the port for a service to something other than the standard, you must specify it.

Filter = refers to the rules and strings that fail2ban uses to spot an attack against a particular service.

Logpath = refers to the log file that fail2ban watches. By default it’s the auth.log file; if that’s different on your OS, you must specify it here too.
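These keys work together: the filter decides which log lines count as a failure, and maxretry, together with the findtime window set in [DEFAULT], decides when the count becomes a ban. The script below is an added example, not code from the original post or from the fail2ban project: a small awk model of that logic run over constructed auth.log lines (documentation addresses and invented timestamps), so you can see which source would be banned under different settings before touching a live server.

```shell
#!/bin/sh
# Added example (not part of the original post): an awk model of what the
# sshd filter plus maxretry/findtime do, run over constructed auth.log lines.

# Constructed sample of /var/log/auth.log (documentation addresses only).
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 09:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 10 09:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan 10 09:15:04 web1 sshd[2205]: Accepted publickey for deploy from 198.51.100.7 port 51822 ssh2
Jan 10 09:15:06 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Jan 10 09:15:08 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Jan 10 09:15:09 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40155 ssh2
Jan 10 09:15:11 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 40160 ssh2
Jan 10 09:20:00 web1 sshd[2300]: Failed password for deploy from 198.51.100.7 port 51900 ssh2
Jan 10 09:40:00 web1 sshd[2301]: Failed password for deploy from 198.51.100.7 port 51901 ssh2
EOF
)

# find_offenders MAXRETRY FINDTIME  < auth.log
#   Print each source address the moment it reaches MAXRETRY failed sshd
#   logins within a FINDTIME-second window, i.e. the point at which the
#   ssh jail would ban it. Timestamps are assumed to fall on one day.
find_offenders() {
    awk -v maxretry="$1" -v findtime="$2" '
        # Only sshd failure lines count; this mirrors the sshd filter regex.
        $5 ~ /^sshd\[/ && /Failed (password|publickey) for/ {
            ip = ""
            for (i = 6; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || ip in banned) next
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            n = ++count[ip]
            seen[ip, n] = now
            # Failures still inside the window that ends at this line.
            hits = 0
            for (j = 1; j <= n; j++) if (now - seen[ip, j] <= findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}

# With the default maxretry = 6 and a 600-second findtime only the scanner
# at 203.0.113.5 trips the jail; the two failures from 198.51.100.7 are
# twenty minutes apart and never accumulate inside one window.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 6 600     # prints 203.0.113.5
```

To test the real filter against the real log, fail2ban ships fail2ban-regex: `sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` reports how many lines the sshd filter matched, which is the quickest way to confirm the logpath and filter are right before lowering maxretry.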

So, configure your environment and stay secure.

Enjoy!

Frequently Asked Questions

How do I install Fail2Ban on Ubuntu 14.04?

To install Fail2Ban on Ubuntu 14.04, run the command 'sudo apt-get update && sudo apt-get install fail2ban'.

Where can I find the default configuration file for Fail2Ban on Ubuntu?

The default configuration file for Fail2Ban on Ubuntu is located at /etc/fail2ban/jail.conf.

What types of attacks does Fail2Ban detect on servers?

Fail2Ban detects attacks such as brute force attempts to sign onto servers using the SSH protocol with different users and passwords.

How does Fail2Ban prevent servers from being compromised?

Fail2Ban bans IP addresses that are identified as the source of active attacks, thus preventing server compromise.

Which protocol is protected by default in Fail2Ban?

By default, the SSH protocol is enabled and protected in Fail2Ban, banning the source IP address after 6 failed login attempts.

Can Fail2Ban be configured to protect additional services?

Yes, Fail2Ban can be configured to protect other services by editing the configuration file at /etc/fail2ban/jail.conf.

What action does Fail2Ban take when an attack is detected?

Fail2Ban automatically bans or locks out the IP addresses attempting to brute force their way into the server after a predefined number of failed attempts.

How does Fail2Ban compare to DenyHosts in terms of server protection?

Fail2Ban and DenyHosts are similar tools that detect and prevent attacks, with Fail2Ban focusing on banning IP addresses of attackers.