How To Install Fail2Ban To Protect Server From Brute Force SSH Login Attempts (Ubuntu)
Fail2ban is a simple script that scans log files for repeated failed login attempts and bans the IP addresses that make too many of them. Usually those failures are a brute-force attempt to guess a valid password and log in to the server via SSH. I've previously posted how to limit the number of connections from a single IP address to your server by updating iptables rules; Fail2ban instead updates the firewall rules automatically to reject an IP address once it detects a brute-force attempt. I've also posted some basic and common practices for initial Ubuntu server setup, including how to disable root login and change the default SSH port, but in many cases that isn't enough. So if you've just finished all the steps to build your own production server on Ubuntu, you may also want to install Fail2ban on it. In this page I'll explain the necessary steps to install Fail2ban and some basic configuration.
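As an added illustration of what Fail2ban's sshd jail does with a log file (this is not code from the original post or from the Fail2ban project), here is a small shell function that counts "Failed password" lines per source IP in a constructed auth.log excerpt and reports the addresses that reach the maxretry threshold, skipping one whitelisted address the way ignoreip does. The log lines and the addresses (taken from documentation ranges) are constructed; the real filter in /etc/fail2ban/filter.d/sshd.conf matches many more line formats than this single pattern.

```shell
#!/bin/sh
# Added example: a miniature of the sshd jail's detection logic, not fail2ban's own code.
# It tallies "Failed password" lines per source address and reports the ones that
# reached maxretry, leaving out a whitelisted address (like ignoreip would).

# Constructed sample auth.log lines; 203.0.113.5 fails three times, 198.51.100.7 once.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 10:01:09 host sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 10:02:00 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 host sshd[1241]: Failed password for deploy from 198.51.100.7 port 40001 ssh2'

# offenders LOG MAXRETRY [IGNOREIP]
# Prints, one per line and sorted, every source IP with at least MAXRETRY failed
# password attempts in LOG, except the address given as IGNOREIP.
offenders() {
    printf '%s\n' "$1" | awk -v max="$2" -v ignore="${3:-}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++ }
        }
        END {
            for (ip in fails) if (fails[ip] >= max && ip != ignore) print ip
        }' | sort
}

# Stand-alone usage: with maxretry = 3 only 203.0.113.5 is reported.
offenders "$SAMPLE_LOG" 3
```

Lowering the threshold to 1 (as the tutorial suggests you may) also reports 198.51.100.7 for its single typo, which is exactly why the post insists on whitelisting your own address before tightening maxretry.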
How to Install and Setup Fail2ban
Step 1 – Log in to your server via your favorite SSH client. Windows users can simply use PuTTY; it is free, small, portable and awesome. If you've disabled root login, log in with the username you set up, then type "su" and enter your root password.
Step 2 – Now issue these commands to install Fail2ban on your server:
You may first want to update your apt package lists (not strictly necessary, but recommended):
apt-get update
then this command installs Fail2ban:
apt-get install fail2ban
Step 3 – Now you have to set up Fail2ban's configuration. By default, Fail2ban's configuration already covers many services that may need protection. Before you make changes to the default config file, you have to make a copy first. Issue the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Step 4 – The command above copies "jail.conf" to "jail.local", which is where you make your changes. Now edit that file using our favorite text editor, Nano:
nano /etc/fail2ban/jail.local
Step 5 – Now make some changes (if you wish and need to) in the first section of the config. The first section, called "DEFAULT", covers all the basic rules that Fail2ban will follow.
The most important part is "ignoreip". You can add your own IP address there so that, if you forget the password, you won't be banned for trying several combinations no matter how many times you try. In other words, by adding your IP to this whitelist you avoid accidentally banning yourself.
Also don't forget to set "bantime", which defines how many seconds a banned IP stays locked out. The default value is 600 seconds, or 10 minutes. You can adjust that value as you wish, but you'd better raise it, because most brute-force bots will simply move on to the next target once the server bans them.
Below the "bantime" line is "maxretry". This line defines how many incorrect login attempts a single IP may make before it gets banned for the length of the ban time you've defined. The default value is "3", but you can lower it to "2" or "1". The lower, the better, but make sure you have already whitelisted your IP in the "ignoreip" line above.
The next line is "backend", which you can simply leave as "auto". Now move on to another line, "destemail". Here you define the email address to which all alerts are sent. Simply change root@localhost to your own personal email address. You have to make sure your server already has a working mail server so it can send outgoing email; read my previous tutorial about how to install Postfix on an Ubuntu server.
Step 6 – Now move to the next section, "Action". You can simply leave those lines as they are if you're not sure. All the default values should be adequate for Fail2ban to work correctly. Now move a little further down and find the [ssh] section.
You don't have to change that section either. Its default values indicate that SSH protection is currently enabled (ON). You can change "enabled = true" to false if you want to turn the protection OFF.
You can change the "port = ssh" line to the custom port number your SSH daemon listens on. For instance, if you've changed the default SSH port from 22 to 2200, change it to "port = 2200".
Once you're done editing, hit Control+O to save, then Control+X to exit Nano.
Step 7 – That's it. Now, to make sure Fail2ban loads your newly defined config, simply restart it. Issue this command:
service fail2ban restart
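Steps 3 to 7 done as a script, as an added example (not from the original post) so the jail.local edits are repeatable rather than typed into Nano. The values used (an admin address of 198.51.100.7, a bantime of 3600 seconds, an alert address of admin@example.com and SSH on port 2200) are assumptions for illustration, and make_sample_conf writes a constructed, cut-down stand-in for jail.conf so the functions can be tried in a scratch directory before touching /etc/fail2ban.

```shell
#!/bin/sh
# Added example, not the tutorial's or Fail2ban's own code: apply the jail.local
# edits from Steps 5 and 6 with functions instead of a hand edit. The helpers expect
# the "key = value" layout that jail.conf uses and only touch the named section.

# Constructed minimal jail.conf (assumption: a stand-in, not the real shipped file)
# so everything below can be exercised in a temporary directory.
make_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3
backend  = auto
destemail = root@localhost

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
EOF
}

# set_option FILE SECTION KEY VALUE
# Rewrites "KEY = ..." inside [SECTION] only; the same key in other sections is left alone.
set_option() {
    awk -v sect="[$2]" -v key="$3" -v val="$4" '
        /^\[/ { insect = ($0 == sect) }
        insect && $1 == key { print key " = " val; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_option FILE SECTION KEY
# Prints the value of KEY inside [SECTION], used here to verify the edit took effect.
get_option() {
    awk -v sect="[$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect) }
        insect && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# harden_jail FILE ADMIN_IP ALERT_EMAIL SSH_PORT
# The Step 5 and Step 6 edits: whitelist yourself first, then lengthen the ban,
# keep maxretry at 3, route alerts to your address and point the ssh jail at the custom port.
harden_jail() {
    set_option "$1" DEFAULT ignoreip "127.0.0.1/8 $2"
    set_option "$1" DEFAULT bantime 3600
    set_option "$1" DEFAULT maxretry 3
    set_option "$1" DEFAULT destemail "$3"
    set_option "$1" ssh port "$4"
}

# On a real server (paths as in the tutorial; values are assumptions):
#   cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
#   harden_jail /etc/fail2ban/jail.local 198.51.100.7 admin@example.com 2200
#   service fail2ban restart
```

Because set_option only rewrites a key inside the section it is given, the jail-level "maxretry = 6" under [ssh] in the sample is untouched while the DEFAULT value changes; that mirrors how Fail2ban treats a jail's own settings as overrides of DEFAULT, which is worth remembering when a ban does not trigger at the count you expect.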
Q: I rebooted the server; does it start automatically?
Yes, the Fail2ban service will automatically start each time your server reboots.
That's it. Don't forget to follow me on Twitter, and don't hesitate to leave a comment below. Also catch all my tutorials on how to manage an unmanaged Ubuntu server. Enjoy!
Thanks ServerMom! Worked like a charm. And let me compliment you on your English skills. Can we get rid of jail.local after installation? I ftp’d to /etc/fail2ban/jail.conf and changed “bantime” in the file, but it didn’t seem to work. I then had to go to /etc/fail2ban/jail.local and change it there too, and it worked.
Hi mom, 🙂
I have a problem regarding ssh. I simply cannot log in to my VPS using ssh. I must reboot my VPS in order to log in. On my first attempt I was able to log in, then a second attempt, and a third. Then I logged off for hours. When I got back, suddenly I couldn't log in to my VPS. Yet I didn't install fail2ban and didn't set up iptables. So I think something is wrong with my ssh configuration. Have you experienced this before? I built my VPS with the tuxlite script. Thanks
If you haven't messed around with your ssh config yet, then it should be your VPS or perhaps its node server. But if you did, try reviewing your ssh configuration 🙂
I only changed the default port, mom. By the way, is it possible that it was caused by low RAM? ssh cannot be loaded into memory. My memory usage is always 91% of 128 MB RAM…
Could be, especially if there's no vswap or burst. When a VPS is OOM, usually everything runs abnormally 😀 or sometimes it just stops responding.
Hi. I have done everything according to your advice, except I didn't add my IP to the ignore list, because I wanted to see the results. It works just fine, except for the fact that I can't log in to the ssh port anymore. The operation took place yesterday, and today, after 10 hours, I still can't log in. How can I remove the ban for my IP?
Thanks for the post. Installed fail2ban. Worked alright.
Nice tutorial, but you should pay attention to this. You should test your fail2ban regex before implementing it on your server.
Since fail2ban reads your failed logins from your logs, you should have the right sshd regex in /etc/fail2ban/filter.d/sshd.conf.
cheers.
Thanks for the post. I found instructions for upgrading fail2ban from 0.8.6 to 0.9 under Ubuntu 12.04. Maybe somebody will be interested – http://sysadm.pp.ua/linux/backport-fail2ban-update.html
thanks