Linux administrators deploy different solutions to protect their systems from being comprised. Some of the solutions include security by obscurity, IDS (Intrusion detection system), and password policies. However, these solutions alone cannot protect their system from compromise. It is better to use an intrusion prevention system to prevent attacks and block the attacker before it actually breaks into your system.
Fail2ban is an easy and quick to deploy intrusion prevention tool that closely monitors your log files and bans suspicious IP addresses based on predefined number of unsuccessful login attempts. However, there is a limitation with Fail2ban that it only protects the services that require authentication. The services which do not require authentication cannot be banned by Fail2ban.
In this context, we shall look into how to install and configure Fail2ban on Ubuntu 20.04 LTS.
How to install Fail2ban on ubuntu ?
Fail2ban package is available in the Ubuntu default repositories. Therefore, we can simply install it using the apt.
First, update the package index using this command:
$ sudo apt-get update
When prompted, Enter sudo password.
Then use the below command for installingFail2ban:
$ sudo apt-get install fail2ban
Hit y if prompted for confirmation. After this, Fail2ban should be installed on your system.
How to configure Fail2ban ?
The configuration file of Fail2ban is located at /etc/fail2ban/jail.conf. However, it is suggested to not edit this file directly. Instead, to edit the configuration file, copy the jail.conf file to jail.local file. Use the below command to do so:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now to do configurations, edit the jail.local file as follows:
$ sudo nano /etc/fail2ban/jail.local
For configuring Fail2ban, the first step you require to do is to add the IP address that you never want to ban. By default, it is setup to not block any traffic originating from the local system.
To add more systems to the whitelist (IPs that should never be blocked), search for this entry:
ignoreip = 127.0.0.1/8
Then add other IP addresses separated by space.
After that, save the file and exit.
How to Protect SSH with Fail2ban ?
Fail2ban comes with a number of jails preconfigured for different services. Under the default section, there are separate sections for each of the services. These separate sections can be used to override the default settings. Each service is identified by the section headers like [squid]. We can also create separate local jails for each service in the /etc/fail2ban/jail.d directory.
Here, we are going to protect SSH by configuring a jail for failed login attempts.
Create a jail for SSH using this command:
$ sudo nano /etc/fail2ban/jail.d/sshd.local
Add below lines in the sshd.local file:
enabled = true
maxretry = 2
bantime = 1m
After making the necessary changes, save the file and exit.
The description of bantime and maxretry parameters used in the above lines is as follows:
When a client fails to authenticate successfully, the bantime option specifies how long they will be banned.
The maximum number of authentication tries before a host IP trying to connect is blocked.
Now you will need to restart the Fail2ban service using the below command:
$ sudo systemctl restart fail2ban
How to Test Fail2ban ?
Now to verify if Fail2ban is working, we will make 2 wrong authentication attempts (by entering the wrong password). After the 2 attempts, the SSH connection will hang. To close the current SSH connection, press Ctrl+c. Now if we try to reconnect to the SSH server, it will not connect as Fail2ban has blocked it.
We can also verify this by checking the logs in the /var/log/fail2ban.log file:
$ sudo tail -f /var/log/fail2ban.log
From the logs, you can see Fail2ban has banned the IP address which tried two wrong authentication attempts. If you notice the time, it also unbanned the IP address after 1 minute.
You can also manually unban the IP address using the below command:
$ sudo fail2ban-client set sshd unbanip IP_ADDRESS