Installing and Using Fail2Ban for SSH Protection

Fail2Ban is a useful security tool designed to protect your server from brute-force attacks. It works by monitoring log files for repeated failed login attempts and automatically banning the IP addresses of attackers. In this guide, we will show you how to install and configure Fail2Ban to protect your SSH service on Ubuntu.

Step 1: Install Fail2Ban

Fail2Ban is available in the default Ubuntu repositories. First, update the package index:

sudo apt update

Now, install Fail2Ban with the following command:

sudo apt install fail2ban

Once the installation is complete, Fail2Ban will start automatically. You can verify its status by running:

sudo systemctl status fail2ban

Step 2: Configure Fail2Ban for SSH Protection

The main configuration file for Fail2Ban is located at /etc/fail2ban/jail.conf, but it’s recommended to create a local override file to make custom changes without modifying the default configuration. To do this, create a copy of the configuration file as follows:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, open the new jail.local file in a text editor:

sudo nano /etc/fail2ban/jail.local

Search for the section related to SSH configuration. You should see a block like this:

[sshd]
enabled = false
port = ssh
logpath = /var/log/auth.log
maxretry = 3

Set enabled to true to enable Fail2Ban for SSH:

enabled = true

This will allow Fail2Ban to monitor SSH login attempts. You can also adjust the maxretry setting to specify how many failed login attempts are allowed before an IP address is banned. For example, setting maxretry = 5 will allow 5 failed attempts before banning the IP.

Step 3: Restart Fail2Ban Service

After making your changes, save and exit the text editor. Then, restart the Fail2Ban service to apply the new configuration:

sudo systemctl restart fail2ban

Step 4: Check Fail2Ban Status

To check the status of Fail2Ban and ensure it is protecting SSH, you can run the following command:

sudo fail2ban-client status sshd

If everything is configured correctly, you should see a message that indicates the status of SSH protection, such as the number of currently banned IPs.

Step 5: Viewing the Ban List

To view the list of IP addresses that have been banned by Fail2Ban, start by listing the active jails with the following command:

sudo fail2ban-client status

This command shows all the jails that Fail2Ban is monitoring. To get detailed information about the bans for a specific jail, including its banned IP addresses, add the jail name to the command, as in sudo fail2ban-client status sshd from Step 4.

Step 6: Unbanning an IP Address

If you need to unban an IP address, use the following command:

sudo fail2ban-client set sshd unbanip IP_ADDRESS

Replace IP_ADDRESS with the actual IP address you wish to unban.

Conclusion

Fail2Ban is a powerful tool that can greatly enhance the security of your server by preventing brute-force SSH login attempts. By following these steps, you’ve successfully installed and configured Fail2Ban for SSH protection. Remember to monitor the Fail2Ban logs periodically and adjust your configurations as needed to stay ahead of potential threats.
