Fail2ban is a tool that monitors login activity on your server and helps protect your Linux machine from brute-force and other automated attacks. By default, it will block IP addresses for 10 minutes before removing them and it has filters to monitor Apache, SSH, and other programs for suspicious activity.
This guide will describe the installation and basic configuration in Ubuntu systems.
Run the command below to ensure that the server is up to date.
# apt update && apt upgrade
To install fail2ban, run the command below.
# apt-get install fail2ban
Once the installation has completed, verify that the service is running with the command below.
# systemctl status fail2ban
The default configuration file is /etc/fail2ban/jail.conf, and the easiest way to configure Fail2ban is to copy jail.conf to jail.local and edit the .local file. Make that copy before editing anything: jail.conf can be overwritten by package upgrades, while settings in jail.local are preserved and take precedence over jail.conf.
Once the copy has been made, open the file for editing with the command below.
# vi /etc/fail2ban/jail.local
ignoreip can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host that matches an address in this list. Several addresses can be defined using a space and/or comma as separator.
The bantime, findtime, and maxretry options (shown in the image below) define how long a host is banned and the conditions that trigger a ban.
bantime is the number of seconds that a host is banned.
findtime is the observation window in seconds: a host is banned if it has generated maxretry failures during the last findtime seconds.
maxretry is the number of failures before a host gets banned.
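To make the interaction of these options concrete, here is a small added Python simulation, not part of this guide or of Fail2ban's own code, that reads a constructed jail.local fragment and applies the ignoreip, findtime, maxretry and bantime rules to constructed sshd log lines. The addresses, log lines and the year used for timestamps are assumptions; real Fail2ban also resolves DNS hosts in ignoreip and uses per-jail filters, which this does not model.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed jail.local fragment using the options the guide describes.
JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8
bantime  = 600
findtime = 600
maxretry = 3
"""
# Constructed sshd log lines (not from a real host); the year is assumed below.
SAMPLE_LOG = [
    "Mar 10 10:00:01 host sshd[111]: Failed password for invalid user admin from 203.0.113.7 port 5000 ssh2",
    "Mar 10 10:00:05 host sshd[112]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Mar 10 10:00:09 host sshd[113]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Mar 10 10:01:00 host sshd[114]: Failed password for root from 198.51.100.9 port 6000 ssh2",
    "Mar 10 10:02:00 host sshd[115]: Failed password for root from 198.51.100.9 port 6001 ssh2",
    "Mar 10 10:15:00 host sshd[116]: Failed password for root from 198.51.100.9 port 6002 ssh2",
] + [f"Mar 10 10:20:0{i} host sshd[12{i}]: Failed password for root from 10.0.0.5 port 700{i} ssh2" for i in range(3)]
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def load_defaults(text):
    # ignoreip accepts space- and/or comma-separated IPs and CIDR masks (DNS hosts not handled here)
    d = configparser.ConfigParser()
    d.read_string(text)
    d = d["DEFAULT"]
    nets = [ipaddress.ip_network(x, strict=False) for x in re.split(r"[\s,]+", d["ignoreip"].strip())]
    return nets, int(d["bantime"]), int(d["findtime"]), int(d["maxretry"])

def is_ignored(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def simulate(log_lines, cfg_text, year=2024):
    # Returns {ip: (time of the failure that triggered the ban, unix time the ban expires)}
    nets, bantime, findtime, maxretry = load_defaults(cfg_text)
    recent, bans = defaultdict(deque), {}
    for line in log_lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m.group(2)
        if is_ignored(ip, nets) or ip in bans:  # whitelisted, or already banned
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # keep only failures inside the findtime window
            q.popleft()
        if len(q) >= maxretry:  # maxretry failures within findtime -> ban for bantime seconds
            bans[ip] = (ts, ts + bantime)
    return bans
```

Running simulate(SAMPLE_LOG, JAIL_LOCAL) bans only 203.0.113.7: the 10.0.0.5 failures are covered by ignoreip, and the three 198.51.100.9 failures are spread over more than findtime, so they never reach maxretry.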
The destemail and sender options set the receiving and sending email addresses for notifications.
Once you have made changes to the configuration file, restart the Fail2ban service with the command below.