This guide will go through how to install and configure Fail2Ban on Ubuntu 22.04. Fail2ban is an intrusion prevention software framework. It was created to defend against brute-force attacks. It can operate on POSIX systems that have an interface to a locally installed packet-control system or firewall, like iptables or TCP Wrapper.
How to Install and configure Fail2Ban on Ubuntu 22.04
- Update and upgrade your Ubuntu packages.
sudo apt update && sudo apt upgrade
- Add SSH to your firewall using the following command.
sudo ufw allow ssh
- Then activate the firewall on Ubuntu 22.04 using the command below.
sudo ufw enable
- To check the firewall status use the command below.
sudo ufw status
- Next, install Fail2ban.
sudo apt install fail2ban -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-5.15.0-35 linux-headers-5.15.0-35-generic linux-image-5.15.0-35-generic
  linux-modules-5.15.0-35-generic linux-modules-extra-5.15.0-35-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  python3-pyinotify whois
Suggested packages:
  mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
  fail2ban python3-pyinotify whois
0 upgraded, 3 newly installed, 0 to remove and 9 not upgraded.
Need to get 473 kB of archives.
After this operation, 2,486 kB of additional disk space will be used.
Get:1 http://ke.archive.ubuntu.com/ubuntu jammy/universe amd64 fail2ban all 0.11.2-6 [394 kB]
Get:2 http://ke.archive.ubuntu.com/ubuntu jammy/main amd64 python3-pyinotify all 0.9.6-1.3 [24.8 kB]
Get:3 http://ke.archive.ubuntu.com/ubuntu jammy/main amd64 whois amd64 5.5.13 [53.4 kB]
Fetched 473 kB in 2s (248 kB/s)
Selecting previously unselected package fail2ban.
(Reading database ... 231165 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.11.2-6_all.deb ...
Unpacking fail2ban (0.11.2-6) ...
Selecting previously unselected package python3-pyinotify.
Preparing to unpack .../python3-pyinotify_0.9.6-1.3_all.deb ...
Unpacking python3-pyinotify (0.9.6-1.3) ...
Selecting previously unselected package whois.
Preparing to unpack .../whois_5.5.13_amd64.deb ...
Unpacking whois (5.5.13) ...
Setting up whois (5.5.13) ...
Setting up fail2ban (0.11.2-6) ...
Setting up python3-pyinotify (0.9.6-1.3) ...
Processing triggers for man-db (2.10.2-1) ...
- Start and enable Fail2ban.
sudo systemctl enable --now fail2ban
- Check the Fail2ban status using the command below.
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled>
     Active: active (running) since Wed 2022-10-26 10:27:44 EAT; 1>
       Docs: man:fail2ban(1)
   Main PID: 76428 (fail2ban-server)
      Tasks: 5 (limit: 4584)
     Memory: 12.2M
        CPU: 232ms
     CGroup: /system.slice/fail2ban.service
             └─76428 /usr/bin/python3 /usr/bin/fail2ban-server -xf>

Okt 26 10:27:44 itnixpro systemd: Started Fail2Ban Service.
Okt 26 10:27:44 itnixpro fail2ban-server: Server ready
Configure Fail2Ban on Ubuntu 22.04
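- Let’s start by copying jail.conf to jail.local so as to have a backup. Fail2ban reads jail.local after jail.conf, so settings changed in the copy take effect and the original file stays untouched.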
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Next, edit the copied config file.
sudo nano /etc/fail2ban/jail.local
- Search for #ignoreip = 127.0.0.1/8 ::1 and uncomment it by removing the # so that it reads:
ignoreip = 127.0.0.1/8 ::1
- Ban time (bantime) is how long an IP stays blacklisted after a predetermined number of unsuccessful authentication attempts. It defaults to 10 minutes, with a 10-minute find time (findtime) and five retries (maxretry), which means that if the attacker attempts the same attack five times in 10 minutes, the Fail2ban jail will activate filtering and ban the attacker’s IP address for 10 minutes.
- To extend the ban time, simply change its value, e.g. to 1 day:
bantime = 1d
- Receive email notification when a ban occurs by setting it up in the /etc/fail2ban/jail.local config. Under actions, set the following:
action = %(action_mw)s
destemail = [email protected]
sender = [email protected]
- Next, restart Fail2ban to apply the new changes.
sudo systemctl restart fail2ban
Ban/Unban an IP
- To ban an IP address manually, use the command below with the IP you want to ban.
sudo fail2ban-client set sshd banip [IP_ADDRESS_TO_BAN]
- To unban an IP address, first run the command below. It lists the active jails, so you know which jail name to use when unbanning.
sudo fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'
- Then unban your specific IP address using the following command.
sudo fail2ban-client set sshd unbanip [IP_ADDRESS_TO_UNBAN]
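To see which jails actually hold a ban on an address before unbanning it, the jail list above can be combined with each jail's status output. This is an added example, not part of the original guide; the F2B override and the sample_f2b stub with its constructed, abbreviated output are assumptions that let the parsing run offline.

```shell
#!/bin/sh
# Added example (not from the original guide): find every jail that currently
# bans an IP and unban it there. F2B is an assumed override hook for offline use.
F2B=${F2B:-"sudo fail2ban-client"}

# Constructed stand-in for fail2ban-client; output is abbreviated sample data.
sample_f2b() {
    case "$*" in
        status)
            printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tsshd, nginx-http-auth\n' ;;
        "status sshd")
            printf 'Status for the jail: sshd\n`- Actions\n   `- Banned IP list:\t192.0.2.10 192.0.2.101\n' ;;
        "status nginx-http-auth")
            printf 'Status for the jail: nginx-http-auth\n`- Actions\n   `- Banned IP list:\t192.0.2.10\n' ;;
        set\ *\ unbanip\ *)
            echo "unban $2 $4" ;;
    esac
}

# Print, one per line, the comma/space separated values after "<label>:" on stdin.
field_values() {
    awk -v label="$1:" '{
        i = index($0, label); if (!i) next
        n = split(substr($0, i + length(label)), v, /[, \t]+/)
        for (k = 1; k <= n; k++) if (v[k] != "") print v[k]
    }'
}

list_jails() { $F2B status | field_values "Jail list"; }
banned_ips() { $F2B status "$1" | field_values "Banned IP list"; }

# Jails whose banned list contains exactly this IP. -x forces a whole-line
# match (192.0.2.10 must not match 192.0.2.101); -F treats dots literally.
jails_banning() {
    for jail in $(list_jails); do
        if banned_ips "$jail" | grep -qxF -- "$1"; then echo "$jail"; fi
    done
}

# Unban the IP in every jail that holds it, not only sshd.
unban_everywhere() {
    for jail in $(jails_banning "$1"); do
        $F2B set "$jail" unbanip "$1"
    done
}
```

On a live host, source the file and run `unban_everywhere <IP>`; set `F2B=sample_f2b` first to try it against the constructed output.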
- You have reached the end of our article on how to install and configure Fail2Ban on Ubuntu 22.04.
Read more on Fail2Ban Docs