How to Install Fail2ban to Stop Brute-Force Attacks on Ubuntu 24.04

Fail2ban is a Python-based intrusion-prevention tool that protects Linux servers from brute-force attacks: it watches service logs for repeated failed logins and temporarily blocks the offending IP addresses.

It scans log files (or the systemd journal) for failed login attempts and other suspicious patterns defined by per-service filters. When an address exceeds the allowed number of failures within a time window, Fail2ban bans it by adding a firewall rule (nftables, iptables or ufw, depending on the configured action) for a configurable period, then removes the rule when the ban expires.

Installing Fail2ban on Ubuntu 24.04

sudo apt update
sudo apt install fail2ban

After installation, verify that Fail2ban is installed correctly by checking its version.

fail2ban-client --version

Fail2Ban v1.0.2

Configuring Fail2ban on Ubuntu 24.04

The /etc/fail2ban directory holds Fail2Ban's configuration. It contains several subdirectories and files that are essential for Fail2Ban's functionality.

Here's a breakdown of the key components:

  • action.d: action definitions that tell Fail2Ban how to ban and unban an address. Each is specific to the firewall or service used to enforce the ban (e.g., iptables, ufw, nftables).
  • filter.d: filter definitions, one per monitored service (e.g., sshd, apache-auth, vsftpd), containing the regular expressions that recognize a failed attempt and extract the offending IP address. Filters only identify failures; the ban itself is performed by an action.
  • jail.d: drop-in jail configuration files that define which services Fail2Ban monitors and the rules for banning. On Ubuntu the package installs jail.d/defaults-debian.conf here, which enables the sshd jail.
  • paths-arch.conf, paths-common.conf, paths-debian.conf, paths-opensuse.conf: default log-file paths for the different distribution families.
  • fail2ban.conf: the daemon's own settings (log level, log target, socket and PID file locations).
  • jail.conf: the default jail definitions shipped with the package.
  • jail.local: the file in which you override the defaults. Create it so your customizations survive package upgrades.

Fail2Ban's own log is not kept in this directory but at /var/log/fail2ban.log (the logtarget setting in fail2ban.conf); there it records jail start-up, detected failures and every ban and unban.

Fail2ban ships with default configuration files that you can customize to your needs. The default jail definitions live in /etc/fail2ban/jail.conf.

Do not edit that file directly: it is replaced on package upgrades. Put your changes in /etc/fail2ban/jail.local instead, which is read after jail.conf and overrides it. Starting from a full copy of jail.conf is common, but the comment at the top of jail.conf itself recommends a jail.local (or a file under jail.d/) that contains only the settings you change, so that everything else keeps following the packaged defaults after an upgrade. Either way, create and open the file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

In jail.local, locate the [sshd] section (the jail is named after its filter, filter.d/sshd.conf; there is no [ssh] section, and a jail by that name would fail to start for lack of a filter), uncomment the lines and set the values as shown. A value with no suffix is interpreted as seconds; Fail2ban also accepts the suffixes s, m, h and d.

  • maxretry: the number of failed login attempts that triggers a ban.
  • findtime: the time window within which those maxretry attempts must occur. A bare 10 means ten seconds, which an attacker pacing attempts a few seconds apart never trips; 10m (ten minutes) is a more useful window.
  • bantime: how long an IP address stays banned after exceeding maxretry.

[sshd]
enabled = true
maxretry = 3
findtime = 10m
bantime = 4h

If the jail then fails to start with an error saying no log file was found for sshd, the host is writing sshd messages only to the systemd journal; add backend = systemd to the [sshd] section so Fail2ban reads the journal instead of /var/log/auth.log.

Restart Fail2ban to load the new configuration, make sure it starts at boot, and check that it is running:

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban
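The three settings above interact as a sliding window, which is easy to misjudge from the prose alone. The following Python script is an added example, not code from this page or from Fail2ban itself: it re-implements that window over a constructed auth.log excerpt and shows that with findtime = 10 (ten seconds) an attacker pacing attempts twenty seconds apart is never banned, while findtime = 10m bans them on the third failure. The log lines, the host name web01, the addresses 203.0.113.7 and 198.51.100.5 (documentation ranges) and the year 2024 are all made up; the regular expression is a loose imitation of one pattern in filter.d/sshd.conf, and the window logic is a simplification of Fail2ban's internal bookkeeping.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not real traffic): one address in the
# documentation range 203.0.113.0/24 fails three times over 45 seconds,
# then tries once more; a second address fails only once. Host name is made up.
SAMPLE_LOG = """\
Apr 10 10:00:00 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 10 10:00:12 web01 sshd[4105]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2: ED25519 SHA256:xyz
Apr 10 10:00:20 web01 sshd[4110]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 10 10:00:31 web01 sshd[4112]: Failed password for bob from 198.51.100.5 port 40030 ssh2
Apr 10 10:00:45 web01 sshd[4118]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Apr 10 10:00:50 web01 sshd[4120]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
""".splitlines()

# Loosely modelled on the "Failed password" pattern in filter.d/sshd.conf;
# the real filter has many more patterns and anchors on the syslog prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_time(value):
    """Parse a fail2ban duration: a bare number is seconds; s/m/h/d suffixes are accepted."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognized duration: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for every line matching the failure pattern.

    Syslog timestamps carry no year, so one is assumed for the example.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(lines, maxretry=3, findtime="10m", bantime="4h"):
    """Return {ip: (ban_start, ban_end)} using a sliding findtime window.

    A ban fires when an address accumulates maxretry failures whose
    timestamps all fall within findtime of the newest one. This is a
    simplification of Fail2ban's own bookkeeping, kept only to show
    how the three settings interact.
    """
    window = timedelta(seconds=parse_time(findtime))
    duration = timedelta(seconds=parse_time(bantime))
    recent = defaultdict(list)
    bans = {}
    for ts, ip in sorted(parse_failures(lines)):
        if ip in bans and ts < bans[ip][1]:
            continue  # already banned; the firewall rule would have stopped this attempt
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = (ts, ts + duration)
            recent[ip] = []
    return bans


if __name__ == "__main__":
    for findtime in ("10", "10m"):
        bans = find_bans(SAMPLE_LOG, maxretry=3, findtime=findtime, bantime="4h")
        summary = ", ".join(
            f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}"
            for ip, (start, end) in bans.items()
        )
        print(f"findtime={findtime:>3}: {summary or 'no ban'}")
```

Run it directly to print both outcomes: the ten-second window produces no ban, the ten-minute window bans 203.0.113.7 at 10:00:45 until 14:00:45. Feeding it lines from your own /var/log/auth.log shows which failures would have tripped a given jail, with the caveat that the regular expression covers only the one message form.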

Testing Fail2ban in Ubuntu 24.04

To test Fail2ban, simulate a brute-force attack against the server by deliberately producing the condition it watches for: several failed SSH logins from one address inside findtime. Do this from a second machine whose address you can afford to have banned for the length of bantime, not from the session you are administering the server with.

On that second machine, run the following loop, replacing 192.168.122.100 with your server's IP address. Each ssh invocation prompts for a password (up to three times by default); enter a wrong one at every prompt. With maxretry = 3 the ban should take effect during the first or second iteration, after which the remaining connections are refused or dropped, depending on the configured ban action.

for i in {1..6}; do ssh invaliduser@192.168.122.100; done

On the server, follow Fail2ban's log and look for a NOTICE line from the sshd jail banning the client's address:

sudo tail -f /var/log/fail2ban.log

You can also list the jail's currently and historically banned addresses with fail2ban-client status sshd, and lift the test ban early with fail2ban-client set sshd unbanip followed by the client's address.