Fail2Ban: Protect Your Linux System from Brute-Force Attacks – Open-Source Security Tool
Fail2Ban is an intrusion prevention software framework written in the Python programming language. It is an open-source security tool for Linux systems that helps protect against brute-force attacks and other malicious activity. Fail2Ban monitors log files for patterns of suspicious behavior, such as repeated failed login attempts, and blocks the offending IP addresses by modifying firewall rules. It uses a system of “jails” to define which services to monitor and which actions to take when a threat is detected.
Fail2Ban’s key features include:
Brute-force protection for services like SSH, FTP, and web servers.
Automatic IP blocking based on configurable thresholds.
Support for various firewall backends (e.g., iptables, firewalld).
Email alerts for blocked IPs.
Customizable filters and actions for different services.
Fail2Ban is widely used for securing servers by preventing unauthorized access attempts and enhancing overall system security.
How Does Fail2ban Work?
Fail2Ban blocks IP addresses that make an excessive number of failed login attempts by scanning log files such as /var/log/auth.log. It does this by changing the firewall rules on the system so that new connections from those IP addresses are refused for a predetermined period of time. Fail2Ban is pre-configured to read a wide variety of standard log files, including those for Apache and SSH, and it can readily be set up to read any log file for any failure pattern you choose.
Fail2Ban can lower the frequency of unsuccessful login attempts, but it cannot remove the risk that comes with weak authentication. That risk is better addressed by configuring the service to accept only public/private key authentication or to require two-factor authentication.
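To make the counting rules concrete, here is a toy model of a jail's decision logic (an added example, not Fail2Ban's own code): a failregex with the <HOST> placeholder is matched against constructed auth.log lines, failures per IP are counted only inside findtime, and an IP is "banned" until bantime elapses. The sshd regex, the IPv4-only <HOST> expansion and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Fail2Ban-style failregex for sshd; <HOST> is expanded before matching, as Fail2Ban does.
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, to keep the example short

class MiniJail:
    """Toy model of one jail's decision logic (not Fail2Ban's own code)."""
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.regex = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        if ip in self.banned and now < self.banned[ip]:
            return True
        self.banned.pop(ip, None)  # bantime elapsed: the firewall rule would be removed
        return False

    def feed(self, now, line):
        """Process one log line seen at time `now`; return the IP if it triggers a ban."""
        m = self.regex.search(line)
        if not m or self.is_banned(m.group("host"), now):
            return None
        ip = m.group("host")
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return ip
        return None

def run_demo():
    """Replay constructed auth.log events (seconds, line); return the bans issued."""
    jail = MiniJail(maxretry=3, findtime=600, bantime=3600)
    events = [  # constructed sample data, not real log lines
        (0,    "sshd[1001]: Failed password for root from 192.168.17.133 port 51234 ssh2"),
        (30,   "sshd[1002]: Failed password for invalid user admin from 192.168.17.133 port 51235 ssh2"),
        (40,   "sshd[1003]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2"),
        (60,   "sshd[1004]: Failed password for root from 192.168.17.133 port 51236 ssh2"),
        (700,  "sshd[1005]: Failed password for root from 10.0.0.9 port 42000 ssh2"),
        (1400, "sshd[1006]: Failed password for root from 10.0.0.9 port 42001 ssh2"),
        (1500, "sshd[1007]: Failed password for root from 10.0.0.9 port 42002 ssh2"),
    ]
    bans = [(t, ip) for t, line in events if (ip := jail.feed(t, line))]
    return bans, jail
```

The second address never reaches three failures inside one 600-second window, so it is never banned, which is exactly the findtime behaviour to keep in mind when tuning maxretry.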
How to install Fail2Ban on Ubuntu 22.04?
To install Fail2Ban on an Ubuntu 22.04 system, follow these steps:
1. Update package lists on your system by the following command:
$ sudo apt update
2. Install Fail2Ban by using the following command:
$ sudo apt install fail2ban
3. Start Fail2Ban and enable it to start automatically on boot:
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
4. Check that the service is running:
$ sudo systemctl status fail2ban
The status output should show that Fail2Ban is active and running.
5. Configure Fail2Ban (optional)
By default, Fail2Ban comes with a basic configuration that should work out of the box for common services like SSH. However, you can customize Fail2Ban settings in the configuration files: Global settings are defined in /etc/fail2ban/jail.conf.
For custom configurations, it’s recommended to use /etc/fail2ban/jail.local, which overrides the default settings.
To edit the configuration, use a text editor like nano:
$ sudo nano /etc/fail2ban/jail.local
For example, you can configure SSH to have stricter settings (e.g., banning IPs after 3 failed attempts) as below:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# Ban for 1 hour (bantime is measured in seconds)
bantime = 3600
6. Restart Fail2Ban to apply the changes:
After modifying the configuration, restart Fail2Ban to apply the changes:
$ sudo systemctl restart fail2ban
7. Check Fail2Ban status:
To check the status of Fail2Ban and see which jails are active, use this command:
$ sudo fail2ban-client status
To see the status of a specific jail (e.g., SSH), use this command:
$ sudo fail2ban-client status ssh
Fail2Ban is now installed and configured on your Ubuntu system. It will monitor for malicious activity such as failed login attempts and block IP addresses accordingly.
To view all actions taken by Fail2Ban, search the system log:
$ grep "fail2ban" /var/log/messages
To ban an IP address manually with ufw (replace <IP-ADDRESS> with the address to block):
$ sudo ufw deny from <IP-ADDRESS>
How to test Fail2Ban?
To test Fail2ban on failed SSH logins, do the following steps:
1. On the remote machine, open your command line interface and try to ssh to the server IP address:
ssh 192.168.17.133
You should be asked to enter a password. Enter the wrong password repeatedly. Once you have reached the failed login limit, you should be blocked for 600 seconds.
root@192.168.17.133’s password:
Permission denied, please try again.
root@192.168.17.133’s password:
Permission denied, please try again.
root@192.168.17.133’s password:
Permission denied, please try again.
root@192.168.17.133’s password:
ssh: connect to host 192.168.17.133 port 22: Connection refused
2. On the Fail2Ban server machine, check the banning status of Fail2Ban with the following command:
$ sudo fail2ban-client status ssh
You should see the IP address of your remote host being blocked by Fail2Ban:
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     4
`- action
   |- Currently banned: 1
   |- IP list:          192.168.17.133
   `- Total banned:     1
If you want to unban the IP address of the remote host before the ban time expires, run the following command on the server machine (the jail name is the one used in your configuration, here ssh):
$ sudo fail2ban-client set ssh unbanip 192.168.17.133
The same command works for any other jail, for example an Apache jail:
$ sudo fail2ban-client set apache unbanip 192.168.17.133
How to protect your MySQL with Fail2Ban?
To use Fail2Ban to safeguard your MySQL server, you must first set it up to scan the MySQL log for unsuccessful login attempts and then to block IP addresses that exceed a certain failure threshold. Do the following steps:
1. Make sure Fail2Ban is installed on your server, then create a new MySQL filter and jail:
Create the MySQL filter: create a file called mysql.conf in the /etc/fail2ban/filter.d/ directory with the following content (the <HOST> placeholder is what Fail2Ban replaces with its host-matching pattern):
[Definition]
failregex = Access denied for user '.*'@'<HOST>'
2. Configure the jail: Open or create a file in the /etc/fail2ban/jail.d/ directory, for example, mysql.local, and add:
3. Restart Fail2Ban: After making these changes, restart Fail2Ban using sudo systemctl restart fail2ban command.
Note: Don’t forget to verify the location of your MySQL log file and adjust the logpath accordingly. To make sure everything works as it should, double-check the settings after editing them.
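Before restarting the service, it is worth confirming that the filter actually matches your MySQL log format. The added example below (not part of the page or of Fail2Ban) parses the filter file above with configparser, expands <HOST> with a simplified stand-in for Fail2Ban's pattern (an assumption), and runs it over constructed MySQL error-log lines, reporting the hosts extracted and the lines that no failregex matched.

```python
import re
import configparser

# Constructed copy of the page's /etc/fail2ban/filter.d/mysql.conf (sample, not a real file).
MYSQL_FILTER = """
[Definition]
failregex = Access denied for user '.*'@'<HOST>'
ignoreregex =
"""

# Constructed MySQL error-log lines; the real prefix depends on your MySQL/MariaDB version.
MYSQL_LOG = """\
2024-05-01T10:00:01Z 12 [Warning] Access denied for user 'root'@'192.168.17.133' (using password: YES)
2024-05-01T10:00:02Z 13 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: NO)
2024-05-01T10:00:03Z 14 [Note] Access granted for user 'app'@'10.0.0.7'
2024-05-01T10:00:04Z 15 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
"""

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption; the real one also handles IPv6).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

def load_failregex(filter_text):
    """Read a filter.d-style file and compile each failregex line with <HOST> expanded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    lines = cp.get("Definition", "failregex").splitlines()
    return [re.compile(l.strip().replace("<HOST>", HOST_PATTERN)) for l in lines if l.strip()]

def match_log(filter_text, log_text):
    """Return (hosts extracted from matching lines, number of lines no failregex matched)."""
    regexes = load_failregex(filter_text)
    hosts, unmatched = [], 0
    for line in log_text.splitlines():
        m = next(filter(None, (rx.search(line) for rx in regexes)), None)
        if m:
            hosts.append(m.group("host"))
        else:
            unmatched += 1
    return hosts, unmatched
```

Note that the filter also matches the failure from 'localhost'; Fail2Ban's ignoreip setting in the jail is what keeps such local addresses from being banned. Fail2Ban ships fail2ban-regex for this same check against a real log file and filter file.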
How to stop or disable Fail2Ban?
To stop or disable the fail2ban service so that it no longer runs on your system, follow these steps.
To stop Fail2Ban (temporarily), do the following steps:
1. Stop the Fail2Ban service: Run the following command to stop the Fail2Ban service:
$ sudo systemctl stop fail2ban
2. Check the status (optional): to confirm it has stopped, use the command below:
$ sudo systemctl status fail2ban
To disable Fail2Ban (permanently), do the following steps:
1. Disable Fail2Ban to prevent it from starting on boot: If you want to make sure Fail2Ban does not start automatically when the system boots up, you can disable it using:
$ sudo systemctl disable fail2ban
2. Check if it’s disabled (optional) using the following command:
$ sudo systemctl is-enabled fail2ban
This should return disabled.
How to completely remove Fail2Ban:
If you want to uninstall fail2ban entirely from your system, follow these steps:
1. Uninstall Fail2Ban: On a Debian/Ubuntu-based system, use this command:
$ sudo apt-get remove --purge fail2ban
2. On a RedHat/CentOS-based system, use this command:
$ sudo yum remove fail2ban
3. Or on a more recent version of RedHat-based systems with dnf:
$ sudo dnf remove fail2ban
4. Clean up any remaining configuration files (optional): If you’d like to completely clean up and remove all leftover configuration files after uninstallation, run the following command on Debian/Ubuntu:
$ sudo apt-get autoremove --purge
Or, on RedHat/CentOS:
$ sudo yum autoremove
How to create a jail in Fail2Ban?
The steps to create a jail in Fail2Ban:
1. Navigate to the Jail Directory using the following command:
$ cd /etc/fail2ban/jail.d/
2. Create a new jail configuration file: For example, for SSH, create sshd.local:
$ sudo nano sshd.local
3. Add the jail configuration: Example for SSH:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
findtime = 600
4. Restart Fail2Ban: Apply changes by restarting the service with the following command:
$ sudo systemctl restart fail2ban
5. Check jail status: Verify the jail is active by using the following command:
$ sudo fail2ban-client status sshd
Why You Need to Use Fail2Ban
In conclusion, Fail2Ban is an essential and powerful tool for securing servers and mitigating brute-force attacks. By actively monitoring log files and automatically blocking IPs that exhibit malicious behavior, it significantly enhances the security posture of your system. Whether you’re protecting SSH, HTTP, or other services, Fail2Ban provides an easy-to-configure and customizable defense layer against a variety of attacks. Its lightweight nature and the ability to integrate with other security mechanisms make it an asset for both small-scale systems and enterprise environments. With proactive monitoring and real-time response capabilities, Fail2Ban is a must-have for anyone seeking to bolster their system’s resilience against unauthorized access.