Securing an Ubuntu 14.04 Server with Fail2Ban

Securing an Ubuntu 14.04 Server with Fail2Ban

When it comes to securing a server from malicious bruteforcers, Fail2Ban is an extremely powerful tool and my goto application on every server I setup. While that position was once held by denyhosts, as of Ubuntu 14.04, denyhosts is no longer in the official ubuntu repo and so is recommend that it no longer be used… Before we get into how to configure Fail2Ban, lets take a look at how it works….

Fail2Ban works by constantly scanning your log files and takes predetermined actions based on what is set in its configuration file. For example, we can set Fail2Ban to ban the IP Address of anyone who tries and fails to login 3 or more times. To do this, every few seconds, Fail2Ban will scan the server’s access log and keep and record of every failed attempt. When the limit of 3 is reached, it will immedieately set a rule in the built in iptables firewall for said ip address, effectively rejecting it from all further communication with the server.

Step 1 – Installing Fail2Ban

To install fail2ban we need to run 3 commands, the first to update our apt-cache, the second to upgrade any old packages in our system and the third to install Fail2Ban itself

apt-get update
apt-get upgrade
apt-get install fail2ban

Now that it is installed let us make a copy of the configuration file (so that the original can serve as a template in the future) and open it in our editor of preference

Step 2 – Configure Fail2Ban

cd /etc/fail2ban/
cp jail.conf jail.local && nano jail.local

By default fail2ban comes preconfigured with a great set of options so we will only be making a few changes. I also highly recommend you read though the config file to see what fail2ban is capable of in case you wish to tweak it more in the future.

Find and change in the open config file to match the following

# add your ip to exceptions list so you dont accidentally lock youself out
ignoreip = 127.0.0.1/8 192.168.1.2
#increase bantimee to an hour
bantime = 3600
.....
[ssh]
enabled = true
port = 4444 ; If you are using a custom ssh port, change this to your chosen port
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Remember, ctrl + x to close file, and Y to save

Step 3 – Apply Changes

We finish up by restartting the fail2ban service so that our changes come into effect

service fail2ban restart

Final Notes: fail2ban consists of alot more features such as sending an email whenever an ip is banned or using custom iptable templates but those (once again, in my opinion) are not necessary as the preset config is, for the average server, near perfect.

Now that your server is secure let us move on to Setting up a LAMP Server or a LEMP Server on Ubuntu/Debian.

This Post Has One Comment

  1. Nice, direct and simple ty.

Leave a Reply

Close Menu
%d bloggers like this: