Fail2Ban: Install and Config – Ubuntu, CentOS – Protect SSH

Fail2ban helps protect Linux servers from brute-force and DDoS attacks.

It scans log files for IP addresses that show signs of malicious activity and bans those addresses for a specified amount of time using iptables.

This article describes how to install and configure fail2ban on Ubuntu, CentOS and similar Linux distributions.

You’ll also learn how to protect an SSH server from DDoS and brute-force attacks and how to manually unban an IP address that was banned by fail2ban.

Install Fail2Ban on Ubuntu

Type the following command to install fail2ban on Ubuntu:

$ sudo apt-get install fail2ban

Install Fail2Ban on CentOS

There is no fail2ban package in the default CentOS repository, but it can be found in EPEL.

Once the EPEL repository is enabled, you can install fail2ban:

$ sudo yum install fail2ban

Configure Fail2Ban

The default fail2ban configuration file is /etc/fail2ban/jail.conf.

However, it is not recommended to modify /etc/fail2ban/jail.conf directly.

Instead, we should work with a local copy called jail.local, which will override the jail.conf file.

Make a local copy of the fail2ban configuration file:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

$ sudo vi /etc/fail2ban/jail.local

Pay attention to the global options in the [DEFAULT] section.

They cover the basic rules that fail2ban will follow:

Option     Description
ignoreip   Don’t ban a host that matches an address in this list. Several addresses can be defined, separated by spaces.
bantime    Duration (in seconds) for which an IP is banned. A negative number means a permanent ban. Default is 10 minutes.
findtime   The time window (in seconds) within which fail2ban keeps track of failed login attempts. Default is 10 minutes.
maxretry   The number of failures before a host gets banned. Default is 3 attempts.

If you want to set up more nuanced protection, you can override the global options and customize the details in each jail (section with rules for each application).

Protect SSH Server with Fail2Ban

After finishing with the [DEFAULT] section, scroll down and update the [ssh-iptables] section as shown below:

[ssh-iptables]

# 'enabled = true' means that SSH protection is on.
# It can be turned off with 'enabled = false'.
enabled  = true
# Use filter: /etc/fail2ban/filter.d/sshd.conf
filter   = sshd
# Action describes the steps that Fail2Ban will take to ban a matching IP address;
# the second action sends notifications to admin@example.com.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=admin@example.com, sendername="Fail2Ban"]
# Log location that Fail2Ban will track (/var/log/secure on CentOS;
# Ubuntu writes SSH authentication messages to /var/log/auth.log)
logpath  = /var/log/secure
# If, within 1 hour (3600 seconds),
findtime    = 3600
# 5 failed login attempts are detected,
maxretry    = 5
# the host will be banned for 24 hours (86400 seconds).
bantime     = 86400

Fail2ban is not limited to SSH. Out of the box, Fail2Ban comes with filters for various services (SSH, apache, asterisk, postfix, etc.), but only the [ssh-iptables] jail is activated by default.
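
To see how findtime, maxretry and bantime from the [ssh-iptables] jail above interact, the following added example (not part of the original article and not fail2ban's own code) replays constructed sshd log lines through a simplified sliding-window model. The regular expression, the host name web1, the addresses and the ignoreip value are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# findtime, maxretry and bantime as set in the [ssh-iptables] jail above.
FINDTIME, MAXRETRY, BANTIME = 3600, 5, 86400
IGNOREIP = [ip_network("127.0.0.1/32")]  # assumed ignoreip value

# Simplified stand-in for the sshd filter; not the pattern shipped in sshd.conf.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from ([\d.]+) port")

def _line(clock, ip):
    return f"Mar  3 {clock} web1 sshd[901]: Failed password for root from {ip} port 4001 ssh2"

# Constructed sample in syslog format (documentation addresses, hypothetical host web1).
SAMPLE_LOG = "\n".join(
    [_line(f"10:0{i}:00", "203.0.113.7") for i in range(5)]       # 5 failures in 4 minutes
    + [_line(f"1{i}:30:00", "198.51.100.20") for i in range(5)]   # 5 failures, one per hour
    + [_line(f"15:0{i}:00", "127.0.0.1") for i in range(6)]       # listed in ignoreip
    + ["Mar  3 15:10:00 web1 sshd[902]: Accepted password for alice from 203.0.113.9 port 4002 ssh2"]
)

def simulate(log, year=2024):
    """Return {ip: (banned_at, unbanned_at)} under a simplified model of the jail."""
    recent, bans = defaultdict(deque), {}  # recent: ip -> failures still inside findtime
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # not a failed login, nothing to count
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ip_address(ip) in net for net in IGNOREIP):
            continue  # ignoreip hosts are never counted
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned, nothing more to count
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > FINDTIME:
            q.popleft()  # drop failures older than findtime
        if len(q) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip} banned {start} until {end}")
```

Only 203.0.113.7 is banned: the host that fails once per hour never accumulates 5 failures inside one findtime window, and 127.0.0.1 is skipped because it is in ignoreip.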

Tweaking Fail2Ban Filters

If you wish to tweak the existing filters or add new filters, you can find them in the /etc/fail2ban/filter.d directory.

For example, to modify the fail2ban filter for OpenSSH, edit the following file:

$ sudo vi /etc/fail2ban/filter.d/sshd.conf

Start Fail2Ban

By default, fail2ban is already configured to start at system boot.

Don’t forget to restart fail2ban after making any changes to its settings:

$ sudo service fail2ban restart

Test Fail2Ban

To test fail2ban and to see the rules that fail2ban puts in effect, look at iptables:

$ sudo iptables -L

Manually UnBan IP Banned by Fail2Ban

Use the following command to manually unban an IP address banned by fail2ban:

$ sudo fail2ban-client set JAIL unbanip IP

Unban the IP address 192.168.1.101, which was banned by the [ssh-iptables] jail:

$ sudo fail2ban-client set ssh-iptables unbanip 192.168.1.101