How to Use Fail2Ban to Block Brute Force Attacks on Ubuntu
Brute force attacks are a common method used by malicious actors to gain unauthorized access to servers and accounts. These attacks involve systematically trying a large number of passwords until the correct one is found. Fortunately, one effective way to protect your Ubuntu server from these attacks is by using Fail2Ban, a powerful intrusion prevention software that monitors log files and bans IP addresses that exhibit malicious behavior. This article will guide you through the process of installing and configuring Fail2Ban on your Ubuntu system to safeguard against brute force attacks.
What is Fail2Ban?
Fail2Ban works by scanning log files for failed login attempts and automatically blocking the offending IP addresses for a specified period. It does this by creating firewall rules that deny access to these IPs, significantly reducing the chances of a successful brute force attack. By leveraging Fail2Ban, you can bolster your server’s security without needing to constantly monitor login attempts manually.
Installing Fail2Ban
To get started, you need to install Fail2Ban. Follow these steps:
- Update Your System: Ensure your package lists are up-to-date by running:
sudo apt update
sudo apt upgrade
- Install Fail2Ban: You can easily install Fail2Ban from the default repositories with the following command:
sudo apt install fail2ban
- Start and Enable the Fail2Ban Service: Once the installation is complete, start the Fail2Ban service and enable it to launch at boot:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
- Verify Installation: To check if Fail2Ban is running, you can use:
sudo systemctl status fail2ban
If everything is working correctly, you should see the service listed as active (running).
Configuring Fail2Ban
After installing Fail2Ban, the next step is to configure it to monitor for brute force attacks. By default, Fail2Ban ships with a configuration file located at /etc/fail2ban/jail.conf. However, it is advisable not to modify this file directly, because a package upgrade can overwrite it and silently discard your changes. Instead, create a local configuration file (jail.local), whose settings take precedence over the defaults.
- Create a Local Configuration File:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Edit the Local Configuration File:
Open the jail.local file in your preferred text editor:
sudo nano /etc/fail2ban/jail.local
- Configure Basic Settings: In the jail.local file, look for the following settings and modify them as needed:
- bantime: The duration for which an IP address will be banned. Set it to a suitable time (e.g., 3600 seconds for 1 hour).
- findtime: The time frame in which failed login attempts will be counted (e.g., 600 seconds).
- maxretry: The maximum number of failed login attempts before an IP is banned.
Here’s an example of these settings:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
- Enable SSH Protection: To protect your SSH server from brute force attacks, locate the [sshd] section in the jail.local file. Make sure the following lines are present and uncommented:
[sshd]
enabled = true
- Configure Email Notifications (Optional): If you want to receive email notifications when an IP is banned, you can configure the action line under the [DEFAULT] section. The action_mwl action mails a whois report and the matching log lines for each ban, so the server needs a working mail transfer agent (for example sendmail or postfix) for the messages to leave the host. Set the email address to which alerts should be sent:
action = %(action_mwl)s
destemail = your_email@example.com
- Save and Exit: After making your changes, save the file and exit the editor.
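The steps above are easy to get wrong by hand: a typo in bantime stops the service from starting, and a ban rule that also covers your own address can lock you out of SSH. The script below is an added example (not the article's or the Fail2Ban project's code) that builds a minimal jail.local override containing only the [DEFAULT] and [sshd] sections, validates the three numeric settings, and keeps the administrator's own address in ignoreip, a real Fail2Ban setting the article does not mention. The output path, the address 192.0.2.10 and the chosen values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: generate a jail.local override,
# validate its values, and always list the admin host in ignoreip so a mistake in
# the ban settings cannot lock the administrator out.
# Assumptions (constructed for this example): the output path, the admin address
# 192.0.2.10 (a documentation address used as a placeholder) and the values chosen.

# is_positive_int VALUE -> exit status 0 if VALUE is an integer >= 1
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
        0)           return 1 ;;   # zero would disable the setting
        *)           return 0 ;;
    esac
}

# write_jail_local PATH BANTIME FINDTIME MAXRETRY IGNOREIP
# Writes a [DEFAULT] + [sshd] override to PATH; refuses bad input so a broken
# file is never dropped into /etc/fail2ban.
write_jail_local() {
    path=$1; bantime=$2; findtime=$3; maxretry=$4; ignoreip=$5
    for v in "$bantime" "$findtime" "$maxretry"; do
        is_positive_int "$v" || {
            echo "write_jail_local: '$v' is not a positive integer" >&2
            return 1
        }
    done
    [ -n "$ignoreip" ] || { echo "write_jail_local: ignoreip must not be empty" >&2; return 1; }
    cat > "$path" <<EOF
# Local overrides; jail.conf itself is left untouched so package upgrades keep these settings.
[DEFAULT]
# Addresses that are never banned: loopback plus the admin host.
ignoreip = 127.0.0.1/8 ::1 $ignoreip
bantime  = $bantime
findtime = $findtime
maxretry = $maxretry

[sshd]
enabled = true
EOF
}

# get_setting PATH KEY -> prints the value of KEY from PATH (first match only)
get_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Demo run against a temporary file; nothing here touches /etc/fail2ban.
tmp=$(mktemp)
write_jail_local "$tmp" 3600 600 5 192.0.2.10 && echo "wrote $tmp"
get_setting "$tmp" bantime    # -> 3600
get_setting "$tmp" ignoreip   # -> 127.0.0.1/8 ::1 192.0.2.10
```

After copying the generated file to /etc/fail2ban/jail.local, run `sudo fail2ban-client -t` to have Fail2Ban parse the configuration before you restart the service; a syntax error is reported there instead of taking the service down.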
Starting Fail2Ban
Once you have configured Fail2Ban, restart the service to apply your changes:
sudo systemctl restart fail2ban
You can check the status of Fail2Ban again to ensure it’s running correctly:
sudo systemctl status fail2ban
Monitoring Fail2Ban
To monitor the logs and see which IP addresses have been banned, you can use:
sudo fail2ban-client status sshd
This command will display the status of the SSH jail, including the number of currently banned IP addresses.
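Beyond a one-off status check, an operator usually wants to know which addresses keep coming back after their ban expires. The script below is an added example (not the article's or the Fail2Ban project's code) that extracts the banned-address list and the current ban count from `fail2ban-client status sshd` output, and counts Ban events per address in the format Fail2Ban writes to /var/log/fail2ban.log, so repeat offenders stand out. Both the status output and the log lines are constructed samples; the addresses are from the TEST-NET documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original article: parse `fail2ban-client status sshd`
# output and /var/log/fail2ban.log lines to list banned addresses and find repeat
# offenders. STATUS_SAMPLE and LOG_SAMPLE are constructed for this example.

# Constructed copy of what `fail2ban-client status sshd` prints (the real tool
# separates label and value with a tab; the parsers accept tabs or spaces).
STATUS_SAMPLE='Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:        12
|  `- File list:           /var/log/auth.log
`- Actions
   |- Currently banned:    2
   |- Total banned:        5
   `- Banned IP list:      203.0.113.5 198.51.100.7'

# Constructed lines in the format fail2ban writes to /var/log/fail2ban.log.
LOG_SAMPLE='2024-05-01 10:00:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 11:00:02,200 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 11:30:03,300 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 12:00:04,400 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 12:05:05,500 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.9 - 2024-05-01 12:05:05'

# banned_ips < status-output -> prints the "Banned IP list" addresses, one per line
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# currently_banned < status-output -> prints the "Currently banned" count
currently_banned() {
    sed -n 's/.*Currently banned:[[:space:]]*//p' | tr -d '[:space:]'
}

# ban_counts JAIL < log -> "IP COUNT" per address, most-banned first.
# Only NOTICE ... [JAIL] Ban <ip> lines count; Unban and filter "Found" lines are ignored.
ban_counts() {
    awk -v jail="[$1]" '
        $0 ~ /NOTICE/ && $(NF-2) == jail && $(NF-1) == "Ban" { n[$NF]++ }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# repeat_offenders JAIL MIN < log -> addresses banned at least MIN times
repeat_offenders() {
    ban_counts "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

# Demo run on the constructed samples; on a live host replace the echo with
#   sudo fail2ban-client status sshd | banned_ips
#   sudo cat /var/log/fail2ban.log | repeat_offenders sshd 2
echo "$STATUS_SAMPLE" | currently_banned        # -> 2
echo "$STATUS_SAMPLE" | banned_ips
echo "$LOG_SAMPLE" | ban_counts sshd
echo "$LOG_SAMPLE" | repeat_offenders sshd 2    # -> 203.0.113.5
```

An address that is banned repeatedly within a short window is a candidate for a longer bantime or a permanent firewall rule, rather than another round of the default ban.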