Install and Configure Fail2Ban on Ubuntu 22.04

This guide will go through how to install and configure Fail2Ban on Ubuntu 22.04. Fail2ban is an intrusion prevention software framework. It was created to defend against brute-force attacks. It can operate on POSIX systems that have an interface to a locally installed packet-control system or firewall, like iptables or TCP Wrapper.

How to Install and configure Fail2Ban on Ubuntu 22.04

  • Update and upgrade your Ubuntu packages.
sudo apt update && sudo apt upgrade
  • Add SSH to your firewall using the following command.
sudo ufw allow ssh
  • Then activate the firewall on Ubuntu 22.04 using the command below.
sudo ufw enable
  • To check the firewall status use the command below.
sudo ufw status
  • Next, install Fail2ban.
sudo apt install fail2ban -y

Sample output

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-5.15.0-35 linux-headers-5.15.0-35-generic
  linux-image-5.15.0-35-generic linux-modules-5.15.0-35-generic
  linux-modules-extra-5.15.0-35-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  python3-pyinotify whois
Suggested packages:
  mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
  fail2ban python3-pyinotify whois
0 upgraded, 3 newly installed, 0 to remove and 9 not upgraded.
Need to get 473 kB of archives.
After this operation, 2,486 kB of additional disk space will be used.
Get:1 http://ke.archive.ubuntu.com/ubuntu jammy/universe amd64 fail2ban all 0.11.2-6 [394 kB]
Get:2 http://ke.archive.ubuntu.com/ubuntu jammy/main amd64 python3-pyinotify all 0.9.6-1.3 [24.8 kB]
Get:3 http://ke.archive.ubuntu.com/ubuntu jammy/main amd64 whois amd64 5.5.13 [53.4 kB]
Fetched 473 kB in 2s (248 kB/s)
Selecting previously unselected package fail2ban.
(Reading database ... 231165 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.11.2-6_all.deb ...
Unpacking fail2ban (0.11.2-6) ...
Selecting previously unselected package python3-pyinotify.
Preparing to unpack .../python3-pyinotify_0.9.6-1.3_all.deb ...
Unpacking python3-pyinotify (0.9.6-1.3) ...
Selecting previously unselected package whois.
Preparing to unpack .../whois_5.5.13_amd64.deb ...
Unpacking whois (5.5.13) ...
Setting up whois (5.5.13) ...
Setting up fail2ban (0.11.2-6) ...
Setting up python3-pyinotify (0.9.6-1.3) ...
Processing triggers for man-db (2.10.2-1) ...
  • Start and enable Fail2ban.
sudo systemctl enable --now fail2ban
  • Check the Fail2ban status using the command below.
sudo systemctl status fail2ban

Sample output

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled>
     Active: active (running) since Wed 2022-10-26 10:27:44 EAT; 1>
       Docs: man:fail2ban(1)
   Main PID: 76428 (fail2ban-server)
      Tasks: 5 (limit: 4584)
     Memory: 12.2M
        CPU: 232ms
     CGroup: /system.slice/fail2ban.service
             └─76428 /usr/bin/python3 /usr/bin/fail2ban-server -xf>

Okt 26 10:27:44 itnixpro systemd[1]: Started Fail2Ban Service.
Okt 26 10:27:44 itnixpro fail2ban-server[76428]: Server ready

Configure Fail2Ban on Ubuntu 22.04

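  • Let's start by copying jail.conf to jail.local, which leaves the original jail.conf untouched as a backup. Fail2ban reads jail.local after jail.conf, so settings in jail.local take precedence.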
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Next, edit the copied config file.
sudo nano /etc/fail2ban/jail.local
  • Search for #ignoreip = 127.0.0.1/8 ::1 and uncomment it by removing the # symbol.
ignoreip = 127.0.0.1/8 ::1

Ban Time

  • Ban time is how long an IP address stays blacklisted after a predetermined number of unsuccessful authentication attempts. It defaults to 10 minutes, with a 10-minute find time (findtime) and five retries (maxretry), which means that if an attacker makes five failed attempts within 10 minutes, the Fail2ban jail bans the attacker's IP address for 10 minutes.
  • To extend the ban time, simply change its value, e.g. for 1 day:
bantime  = 1d
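
How ignoreip, maxretry, findtime and bantime interact, as an added example (not from the original guide or the Fail2ban project): a simplified Python model of the jail logic run over constructed sshd log lines. The regex, the simulate function and the sample addresses are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Simplified stand-in for the sshd filter; Fail2ban's real failregex is broader.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def _line(hms, ip):
    return f"Oct 26 {hms} host sshd[999]: Failed password for root from {ip} port 50000 ssh2"

# Constructed sample input (documentation/loopback addresses, not real traffic).
SAMPLE_LOG = "\n".join(sorted(
    [_line(f"10:00:{s:02d}", "203.0.113.7") for s in range(0, 60, 10)]     # 6 tries in 1 min
    + [_line(f"10:{m:02d}:00", "198.51.100.9") for m in range(0, 20, 4)]   # 5 tries in 16 min
    + [_line(f"10:01:{s:02d}", "127.0.0.1") for s in range(0, 60, 10)]))   # covered by ignoreip

def simulate(log, maxretry=5, findtime=timedelta(minutes=10),
             bantime=timedelta(minutes=10), ignoreip=("127.0.0.1/8", "::1"), year=2022):
    """Return [(ip, ban_start, ban_end)] for the failures found in log."""
    ignored = [ip_network(net, strict=False) for net in ignoreip]
    failures, banned_until, bans = {}, {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))
        if any(ip in net for net in ignored):
            continue                      # ignoreip: never counted, never banned
        if banned_until.get(ip, ts) > ts:
            continue                      # still banned: the firewall drops these tries
        # Keep only failures that fall inside the findtime window, then add this one.
        window = [t for t in failures.get(ip, []) if ts - t <= findtime] + [ts]
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((str(ip), ts, ts + bantime))
            window = []                   # counter restarts after a ban
        failures[ip] = window
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"default: {ip} banned {start} -> {end}")
    for ip, start, end in simulate(SAMPLE_LOG, bantime=timedelta(days=1)):
        print(f"bantime = 1d: {ip} banned {start} -> {end}")
```

With the defaults only 203.0.113.7 is banned: 198.51.100.9 spreads its five failures over more than one findtime window, and 127.0.0.1 is exempt through ignoreip.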

Email Notifications

  • To receive an email notification when a ban occurs, set it up in the /etc/fail2ban/jail.local config. Under actions, set the destemail and sender email.
action = %(action_mw)s
destemail = [email protected]
sender = [email protected]
  • Next, restart Fail2ban to apply the new changes.
sudo systemctl restart fail2ban

Ban/Unban an IP

  • To ban an IP address manually, use the command below with the IP you want to ban.
sudo fail2ban-client set sshd banip [IP address_TO_BE_Banned]
  • To unban an IP address, first run the command below. It lists the active jails, so you can identify the jail that holds the ban.
sudo fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'
  • Then unban your specific IP address using the following command.
sudo fail2ban-client set sshd unbanip [IP_ADDRESS_TO_UNBAN]
  • You have reached the end of our article on how to install and configure Fail2Ban on Ubuntu 22.04.

Read more on Fail2Ban Docs
