Brute-Force Protection with Fail2Ban on Ubuntu

In this tutorial, we'll discuss brute-force protection with Fail2Ban on Ubuntu 24.04 server.

One of the most effective tools for protecting our servers from brute-force attacks is Fail2Ban. This tool helps safeguard our systems by monitoring log files for failed login attempts and automatically banning IP addresses that exceed the allowed number of attempts. In this guide, we will walk through the process of installing and configuring Fail2Ban on an Ubuntu 24.04 server to ensure robust protection against brute-force attacks.

What is Fail2Ban?

Fail2Ban is a security software that helps prevent unauthorized access to our systems. It does this by scanning log files for signs of malicious activity and blocking IP addresses that exhibit suspicious behavior. For example, if an attacker attempts to guess passwords by repeatedly trying to log in, Fail2Ban can automatically block that IP for a predefined period, thereby mitigating the risk of brute-force attacks.

Prerequisites

Before proceeding, make sure you have the following in place:

• A Fresh Ubuntu 24.04 dedicated server or KVM VPS.
• Root or Sudo Privileges
• Basic Linux commands knowledge.

Brute-Force Protection with Fail2Ban on Ubuntu

Step 1: Update Our Server

Before we install Fail2Ban, it's essential to ensure that our server’s package list is up to date. Open a terminal and run the following commands:

sudo apt update
sudo apt upgrade -y

This will update the list of available packages and install any available updates. This step is crucial to ensure our system is secure before adding new software.

Step 2: Install Fail2Ban

Fail2Ban is available in the default Ubuntu repositories, making it easy to install. To install Fail2Ban, run the following command:

sudo apt install fail2ban -y

This will download and install Fail2Ban and its dependencies. Once the installation is complete, Fail2Ban will be automatically enabled, but it will not be fully configured yet.

Step 3: Configure Fail2Ban

Fail2Ban comes with a default configuration file, but it's highly recommended to create a local configuration file that overrides the default settings. This ensures that our changes are preserved during updates.

To begin the configuration, create a copy of the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We now have a jail.local file where we can make our custom configurations without affecting the default file.

Configure Basic Settings

Open the jail.local file in a text editor:

sudo nano /etc/fail2ban/jail.local

Look for the [DEFAULT] section, which contains the basic settings for Fail2Ban. Here, we will adjust the settings to our needs. Key configurations to consider include:

ignoreip: This option specifies which IP addresses should be ignored by Fail2Ban. For example, if we want to whitelist our server's IP or our own IP address, we can list it here:

ignoreip = 127.0.0.1/8 ::1

bantime: The duration (in seconds) that an IP address will remain banned after exceeding the allowed number of failed login attempts. For example, to ban an IP for one hour, we set:

bantime = 3600

findtime: This is the time window (in seconds) during which the failed login attempts are counted. For example, if we want to count failed login attempts within a 10-minute window, we set:

findtime = 600

maxretry: This defines how many failed login attempts are allowed before an IP address is banned. We recommend setting this to a value like 3 or 5 to prevent excessive failed attempts:

maxretry = 3

Save and close the file by pressing CTRL + X, followed by Y, and then Enter.

Configure SSH Protection

Fail2Ban can monitor various services, including SSH. If we are running an SSH server, we can configure Fail2Ban to monitor SSH login attempts.

Scroll down to the [sshd] section in the jail.local file and ensure that it's enabled. It should look like this:

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This configuration will protect SSH from brute-force attacks by banning IPs after 3 failed attempts within a 10-minute window.

Protecting Other Services

Fail2Ban can also be used to protect other services like Apache, Nginx, and more. Simply enable the relevant jail by setting enabled = true under the corresponding section in the jail.local file. For example, to protect an Apache web server:

[apache]
enabled = true
logpath = /var/log/apache2/*.log
maxretry = 3
bantime = 3600
findtime = 600

After enabling the necessary jails, we can further customize the configurations for each service as needed.

Step 4: Start and Enable Fail2Ban

Once we have configured Fail2Ban, it's time to start and enable it. Run the following command to start the Fail2Ban service:

sudo systemctl start fail2ban

To ensure Fail2Ban starts automatically on system boot, use the following command:

sudo systemctl enable fail2ban

Step 5: Monitor Fail2Ban Logs

Fail2Ban logs all activities, including banned IPs and unbanned IPs, to the log file located at /var/log/fail2ban.log. To view the log entries, use the following command:

sudo tail -f /var/log/fail2ban.log

This will display the real-time logs of Fail2Ban activity.

Step 6: Unban an IP Address

If we need to unban an IP address manually, we can use the following command:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

Replace <IP_ADDRESS> with the IP address we want to unban.

1. Creating Custom Jails for Additional Services

While Fail2Ban comes with pre-configured jails for popular services such as SSH, Apache, and Nginx, there are scenarios where we need to protect custom services or applications that are not included by default. A custom jail is simply a set of rules for monitoring a specific service's logs.

Steps to create a custom jail:

Create a new jail in the jail.local file:

To create a custom jail, we need to specify the service we want to protect and define the configuration for it. Let’s say we want to create a jail for a custom application that logs to /var/log/myapp.log.

Here’s an example of a custom jail configuration:

[myapp]
enabled = true
port = 1234
filter = myapp
logpath = /var/log/myapp.log
maxretry = 3
bantime = 3600
findtime = 600

Create a custom filter:

Fail2Ban uses regular expressions to match specific patterns in the logs. We can define a custom filter to match failed login attempts or other types of malicious activity. For example, create a file named myapp.conf in /etc/fail2ban/filter.d/ with the following content:

[Definition]
failregex = Failed login attempt from <HOST>
ignoreregex =

This filter will match the string “Failed login attempt from” and will capture the IP address of the attacker (denoted by <HOST>).

After configuring the custom jail and filter, restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

2. Fail2Ban with Firewall Integration

While Fail2Ban can automatically block IPs, we can further enhance security by integrating it with a firewall like ufw (Uncomplicated Firewall) or iptables. Fail2Ban can dynamically update firewall rules to block malicious IP addresses as soon as they are banned.

Integration with ufw:

By default, Fail2Ban uses iptables to block IP addresses. If we are using ufw on our server, we can configure Fail2Ban to automatically integrate with ufw by adding the following lines to the jail.local file under the [DEFAULT] section:

banaction = ufw
banaction_allports = ufw

This configuration tells Fail2Ban to use ufw for banning IP addresses instead of iptables.

Integration with iptables:

Fail2Ban also integrates seamlessly with iptables. If you prefer to use iptables directly, ensure that the following line exists in the jail.local file:

banaction = iptables-multiport

This configuration uses iptables with the multiport action, which allows Fail2Ban to block multiple ports at once. We can also specify which ports to monitor in the [sshd] section of the jail.local file.

3. Fail2Ban Email Notifications

Fail2Ban can be configured to send email notifications when an IP address is banned. This can be helpful for administrators to monitor failed login attempts and take further actions if necessary.

Steps to configure email notifications:

• Install and configure mail utility:
• On Ubuntu, we can install the mail utility to send emails from the command line. To install it, run:

sudo apt install mailutils

Configure Fail2Ban to send email notifications:

In the jail.local file, under the [DEFAULT] section, we need to set the action directive to send an email. Example configuration:

action = %(action_mwl)s

The action_mwl refers to an action that includes an email notification, whois report of the banned IP, and logs. Ensure the following configurations are also set:

• destemail: The email address where notifications will be sent.
• sendername: The name of the sender.
• mta: The mail transfer agent (e.g., sendmail).

Here’s an example of the email settings in the jail.local file:

destemail = admin@example.com
sendername = Fail2Ban
mta = sendmail

After these changes, restart Fail2Ban:

sudo systemctl restart fail2ban

4. Advanced Filtering with Regular Expressions

Fail2Ban’s core functionality revolves around log file parsing using regular expressions (regex). While default filters work for most cases, we can create advanced filters using custom regex to capture very specific log patterns.

Example of custom regex:

For example, suppose we want to block IP addresses that attempt to exploit a specific vulnerability in a web application, which logs attempts in the format:

[ERROR] Attempted SQL injection from <HOST>

We can create a custom filter file for this:

Create a new filter in /etc/fail2ban/filter.d/ named sql_injection.conf with the following content:

[Definition]
failregex = [ERROR] Attempted SQL injection from <HOST>
ignoreregex =

Add the following jail configuration in jail.local:

[sql_injection]
enabled = true
filter = sql_injection
logpath = /var/log/myapp.log
maxretry = 5
bantime = 86400
findtime = 600

This configuration will capture attempts to perform SQL injection and block the IP addresses attempting it.

5. Customizing Fail2Ban Actions

Fail2Ban allows us to configure different actions that can be taken when an IP address is banned. By default, it blocks the IP address using a firewall, but we can define custom actions to execute on banning or unbanning an IP.

Example of a custom action:

We can configure Fail2Ban to run a custom script when banning an IP. For example, create a script to log additional information about the banned IP:

Create a new script file /etc/fail2ban/action.d/ban_ip_log.sh:

#!/bin/bash
echo "Banned IP: $1" >> /var/log/fail2ban_ban_log.log

Make the script executable:

sudo chmod +x /etc/fail2ban/action.d/ban_ip_log.sh

In the jail.local file, modify the action directive to use the custom script:

action = %(action_mwl)s[logpath=/var/log/fail2ban_ban_log.log]

6. Fail2Ban and Docker

If you're running a server with Docker containers, Fail2Ban can be integrated with Docker to protect services running inside containers. By default, Docker uses its own network bridge, so we need to ensure that Fail2Ban can still access the logs and block IPs.

Docker-specific considerations:

• Mount the container logs to the host system to allow Fail2Ban to monitor them.
• Use the DOCKER jails for services running in Docker containers (e.g., Dockerized SSH or web services).

Conclusion

In this tutorial, we've discussed brute-force protection with Fail2Ban on Ubuntu 24.04 server. By following these steps, we have successfully installed and configured Fail2Ban on our Ubuntu 24.04 server to provide robust protection against brute-force attacks. This essential security tool helps safeguard our server and critical services by automatically banning malicious IP addresses. 

Regularly monitoring Fail2Ban’s logs and adjusting configurations as needed ensures that our server remains protected against evolving threats. With this setup, we can rest assured knowing that our server is actively defended against brute-force attacks, enhancing the overall security of our web hosting environment.