Saturday, November 9, 2024

How To Install Fail2ban On Ubuntu 20.04 LTS

Fail2ban is an intrusion prevention software framework widely-used to protect the system from Brute Force and DDoS attacks. It dynamically blocks clients that repeatedly fail to authenticate correctly with the services configured for it. It monitors the system logs in real-time to identify the automated attacks and block the attacking client to restrict the service access either permanently or a specific duration. We can also configure Fail2ban to trigger the emails for all the attacks identified by it. It sends the details including the service being attacked and the source IP address used for the attack.

This tutorial provides the steps to install Fail2ban and use it to protect SSH server authentication and FTP server authentication from brute-force attacks.

Prerequisites

This tutorial assumes that you have already installed Ubuntu 20.04 LTS server for production usage. It also assumes that you have either root privileges or a regular user with sudo privileges.

Install Fail2ban On Ubuntu 20.04 LTS

This section provides the commands required to install Fail2ban on Ubuntu 20.04 LTS. Use the below-mentioned command to install Fail2ban.

# Install Fail2ban
sudo apt install fail2ban

# Output
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  python3-pyinotify whois
Suggested packages:
  mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
  fail2ban python3-pyinotify whois
---
---
Setting up fail2ban (0.11.1-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service.
Setting up python3-pyinotify (0.9.6-1.2ubuntu1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3)

Now we will verify the installation by checking the Fail2ban service status as shown below.

# Fail2ban Status
sudo systemctl status fail2ban

# Output
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-06-07 20:07:24 IST; 2min 40s ago
       Docs: man:fail2ban(1)
   Main PID: 61291 (f2b/server)
      Tasks: 5 (limit: 4624)
     Memory: 15.4M
     CGroup: /system.slice/fail2ban.service
             └─61291 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
---
---

The default configuration directory of Fail2ban is located at /etc/fail2ban. The default configurations of Fail2ban are specified in fail2ban.conf and jail.conf. We should not update these files, since Fail2ban scans for the local version of the default configuration files i.e. fail2ban.local and jail.local to override or update the configurations.

Notes: We can always refer /etc/fail2ban/jail.conf to check the default values of all the standard services supported by Fail2ban.

Recommended:  What Is Remote Code Execution? How To Prevent RCE?

Now we will do the basic configuration of Fail2ban by adding and updating the files fail2ban.local and jail.local as shown below.

# Create and update fail2ban.local
sudo nano /etc/fail2ban/fail2ban.local

# Basic Configuration
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log

# Save and exit the editor by pressing Ctrl + o -> Enter -> Ctrl + x

# Create and update jail.local
sudo nano /etc/fail2ban/jail.local

# Basic Configuration
[DEFAULT]
bantime = 1800
findtime = 600
maxretry = 3
backend = systemd

# Save and exit the editor by pressing Ctrl + o -> Enter -> Ctrl + x

# Restart Fail2ban
sudo systemctl restart fail2ban

We have created and updated the file /etc/fail2ban/fail2ban.local and configured the Fail2ban to log up to the INFO level and also specified the file to generate the logs. The possible values of log level are CRITICALERRORWARNINGNOTICEINFO, and DEBUG where DEBUG is the lowest level and generates more details. We can enable the DEBUG level only when low-level details are required to analyze the attack.

We have also created and updated the file /etc/fail2ban/jail.local and configured the Fail2ban to ban a client or host for 1800 seconds (half-hour) if it has generated the maxretry i.e. 3 failed attempts during the last find time i.e. 600 seconds (10 minutes). The host gets banned for 600 seconds after 3 consecutive failed attempts in the last 600 seconds. Also, we can specify the bantime and findtime values in minutes or hours by adding the suffix m or h e.g. 10m for 10 minutes and 1h for 1 hour. We have also specified the backend as systemd to get files modification.

This completes the installation of Fail2ban with the basic configuration on Ubuntu 20.04 LTS.

Fail2ban Client

The fail2ban-client command can be used to check activated jails and banned IPs. It can also be used to whitelist or unban the IPs for a specific jail.

Active Jails

Now execute the below-mentioned command to check the active jails. It lists the jails activated by us. Also, note that Fail2ban on Ubuntu activates sshd jail by default.

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail:	1
`- Jail list:	sshd

Since we didn’t activate any jail, it showed sshd as the only active jail just after installing Fail2ban.

Jail Status

Use the below-mentioned command to check the status of a specific jail. It also shows the banned IPs of the given jail.

# Jail Status
sudo fail2ban-client status <Jail>

# Example
sudo fail2ban-client status sshd

# Output
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:


Ban IP

Use the below-mentioned command to ban the IP from the specified jail.

# Ban IP Address
sudo fail2ban-client set <Jail> banip <IP Address>

# Example
sudo fail2ban-client set sshd banip 127.0.0.1

# Output
1

# Jail Status
sudo fail2ban-client status sshd

# Output
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	127.0.0.1

We can also check the firewall to view the status of banned IP addresses as shown below.

# Check Firewall
sudo iptables -L

# Output
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-sshd (1 references)
target     prot opt source               destination         
REJECT     all  --  127.0.0.1        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere


Another way to check the ban output is by checking the logs of Fail2ban as shown below.

# Check Fail2ban Logs
tail -f /var/log/fail2ban.log

# Output
----
----
2020-06-08 17:36:14,598 fail2ban.jail           [66285]: INFO    Jail 'sshd' started
2020-06-08 17:36:14,599 fail2ban.jail           [66285]: INFO    Jail 'ssh' started
2020-06-08 17:37:40,467 fail2ban.actions        [66285]: NOTICE  [sshd] Ban 127.0.0.1

Unban IP

Use the below-mentioned command to unban the IP from the specified jail.

# Unban IP Address
sudo fail2ban-client set <Jail> unbanip <IP Address>

# Example
sudo fail2ban-client set sshd unbanip 103.94.65.121

# Output
1

# Jail Status
sudo fail2ban-client status sshd

# Output
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	1
   `- Banned IP list:

IP Whitelisting

We can specify the whitelisted IPs for all the jails by updating the ignoreip configuration of the default block in /etc/fail2ban/jail.local as shown below. The ignoreip can be a list of IP addresses, CIDR masks, or DNS hosts. Fail2ban will not ban the IP addresses specified in this list.

# Update jail.local
sudo nano /etc/fail2ban/jail.local

# Basic Configuration
[DEFAULT]
---
ignoreip = 127.0.0.1/8 xx.xx.xx.1/24 xx.xx.xx.xx
---

We can specify the IP address range or a specific IP as shown above. This will maintain a global list of the whitelisted IP addresses applied for all the services.

Recommended:  Common methods hackers use to hide credential stuffing attacks

We can also specify the whitelisted IP address for a specific jail by using the fail2ban-client command as shown below.

# Whitelist IP for a specific jail
sudo fail2ban-client set <jail> addignoreip xx.xx.xx.xx

# Example
sudo fail2ban-client set sshd addignoreip 127.0.0.1

# Output
These IP addresses/networks are ignored:
`- 127.0.0.1

SSH Jail to secure SSH Service

This section provides the configurations to secure the SSH Service either by updating the /etc/fail2ban/jail.local global file or updating the separate jail for SSH i.e. /etc/fail2ban/jail.d/defaults-debian.conf created by Fail2ban while installing it. The required configurations to protect the SSH service are specified below. We can update either of the files /etc/fail2ban/jail.local/etc/fail2ban/jail.d/defaults-debian.conf, or /etc/fail2ban/jail.d/ssh.conf.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1h

Save the changes and reload fail2ban to check the status.

# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail:	2
`- Jail list:	ssh, sshd

FTP Jail to secure vsftpd Service

This section provides the configurations to secure the vsftpd Service either by updating the /etc/fail2ban/jail.local global file or by creating and updating the separate jail for SSH i.e. /etc/fail2ban/jail.d/vsftpd.conf. The required configurations to protect the vsftpd service are specified below.

Notes: It assumes that vsftpd is already installed.

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 1h

Save the changes and reload fail2ban to check the status.

# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail:	3
`- Jail list:	ssh, sshd, vsftpd

FTP Jail to secure pureftpd Service

This section provides the configurations to secure the pureftpd Service either by updating the /etc/fail2ban/jail.local global file or by creating and updating the separate jail for SSH i.e. /etc/fail2ban/jail.d/pureftpd.conf. The required configurations to protect the pureftpd service are specified below.

Recommended:  Best Practices To Hardening Your MacOS Security in 2022

Notes: It assumes that pureftpd is already installed.

[pureftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3
bantime = 1h

Save the changes and reload fail2ban to check the status.

# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail:	3
`- Jail list:	ssh, sshd, pureftpd

Summary

This tutorial provided all the steps required to install Fail2ban and configure it to secure the services including ssh, vsftpd, and pureftpd.

Bookmark
Please login to bookmarkClose
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security