Fail2ban is a tool that monitors login activity on your server and helps protect your Linux machine from brute-force and other automated attacks. By default, it will block IP addresses for 10 minutes before removing them and it has filters to monitor Apache, SSH, and other programs for suspicious activity.
This guide will describe the installation and basic configuration in Ubuntu systems.
Run the below command to ensure that the server is up to date.
# apt update && apt upgrade
To install fail2ban, run the below command.
# apt-get install fail2ban
Once the installation is completed, verify and check the status from the below command.
# systemctl status fail2ban
The default configuration file is /etc/fail2ban/jail.conf and the easiest way to configure Fail2ban is to copy the jail.conf to jail.local and modify the .local file. So make a copy with the below command to avoid possible conflict.
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Once the copy was taken, then start to edit the file by using the below command.
# vi /etc/fail2ban/jail.local
ignoreip can be a list of IP addresses, CIDR masks, or DNS hosts. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using a space (and/or comma) separator.
The values of the bantime, findtime, and maxretry options shown in the below image are defined the ban time and ban conditions.
bantime is the number of seconds that a host is banned.
- findtime A host is banned if it has generated "maxretry" during the last "findtime".
maxretry is the number of failures before a host gets banned.
From the destemail and sender options, you can adjust the sending and receiving email addresses.
Once you have made any changes in the configuration file, then restart the Fail2ban service with the below command.
# service fail2ban restart
