How to Protect SSH with Fail2ban on Ubuntu 18.04

## Table of Contents
– [Introduction](#introduction)
– [Prerequisites](#prerequisites)
– [Installation of Fail2ban on Ubuntu](#installation-of-fail2ban-on-ubuntu)
– [Understanding the Fail2ban Configuration File](#understanding-the-fail2ban-configuration-file)
– [Configuration of Fail2ban](#configuration-of-fail2ban)
– [Creation of Jail Settings](#creation-of-jail-settings)
– [Conclusion](#conclusion)

## Introduction

[Fail2ban](https://en.wikipedia.org/wiki/Fail2ban) is a utility that watches the system logs for the symptoms of an automated attack on the server and bans the IP addresses that produce too many authentication failures. On an Ubuntu 18.04 VPS it gives the server an automatic defence against brute-force login attempts, without anyone having to watch the logs. It bans a host by adding a rule to iptables (its default ban action) that drops traffic from the attacker's address, either for a configured period or permanently, and it can also send an email when a ban occurs.

## Prerequisites

A VPS web host. You should have access to an Ubuntu 18.04 server with a non-root user account that has sudo privileges, created by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/guides/how-to-do-initial-server-setup-with-ubuntu-18.04). All commands below are run from a shell on that Linux server.

## Installation of Fail2ban on Ubuntu

First refresh the local package index so that apt sees the latest package versions in the Ubuntu repositories, then download and install the package:

```
$ sudo apt-get update
```

```
$ sudo apt-get install fail2ban
```

Press Y and hit Enter when prompted to confirm the installation. On Ubuntu the package enables and starts the fail2ban service as part of the installation.

## Understanding the Fail2ban Configuration File

Fail2ban ships with default filters and jails, but you create your own configuration files to customize the security settings to your needs. The default configuration file, `/etc/fail2ban/jail.conf`, should not be edited: a package upgrade can replace it, and any changes made there would be lost.

Fail2ban reads each `.conf` file first and then the matching `.local` file. A value set in the `.local` overrides the one in the `.conf`, while everything the `.local` does not mention keeps its default, so customizations belong in `.local` files. If you want to keep the settings of each service in its own file, put `.conf` or `.local` files in `/etc/fail2ban/jail.d/`; the read order is `jail.conf`, then `jail.d/*.conf`, then `jail.local`, then `jail.d/*.local`, and later files override earlier ones.

    ## Configuration of Fail2ban

    Fail2ban .conf contains the default configuration profile.default settings will give reasonable working setup if the changes are to be made its best to separate file from the other suppose for example ‘fail2ban .local’, which will override ‘fail2ban .conf’. So rename that ‘fail2ban .conf’ to ‘fail2ban .local’.

    “`
    cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
    “`

    From here we can edit the definitions :

    ## Loglevel
    The level of detail that fail2ban logs provide can be set to 1(error, 2(warn, 3(info or 4(debug

    ## Logtarget
    Logs action into a specific file and default value of /var/log/fail2ban log puts logging into the file.

## Creation of Jail Settings

Rather than writing a jail configuration from scratch, we copy the default configuration file and then edit only the settings we want to override:

```
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

Open the new configuration file in the nano editor:

```
$ sudo nano /etc/fail2ban/jail.local
```

Edit the settings under the [DEFAULT] section:

```
[DEFAULT]
....
bantime = 10m
findtime = 10m
maxretry = 5
....
```

The settings in [DEFAULT] apply to every jail that does not override them in its own section.
## Bantime
How long a host stays banned before it is allowed to reach the service again.
## Findtime
The window in which failures are counted: a host is banned when it reaches `maxretry` failures within `findtime`. Failures older than the window no longer count towards a ban.
## Maxretry
The number of failures a host may generate inside the window before the server bans it.

The default settings mean that a host is blocked for 10 minutes once it generates 5 failed attempts within 10 minutes.
Adjust the values to your needs: a longer `bantime` and a lower `maxretry` slow an attacker down, but a very low `maxretry` will also lock out legitimate users who mistype a password a few times. Addresses you never want banned, such as your own management IP, can be listed in the `ignoreip` setting of the same [DEFAULT] section.

Once you are done editing the file, press CTRL+X, then Y, then Enter to save it.

The screenshot below shows bantime, findtime and maxretry with their default values:

![bantime](https://grid.media/assets/images/bantime-maxretry.png)
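The two ideas above, the `.conf`-then-`.local` override order from the section on the configuration file and the `findtime` / `maxretry` / `bantime` policy from this section, are easy to get wrong in the head. The following Python script is an added example, not code from this guide or from the fail2ban project: it reads a constructed `jail.conf` and `jail.local` pair the way fail2ban does (conf first, local second, jail sections inheriting from [DEFAULT]) and then replays the resulting policy over a handful of constructed `/var/log/auth.log` lines. The log lines, the two config texts and the single `Failed password` pattern are all made up for illustration; the real `filter.d/sshd.conf` matches many more message forms.

```python
"""Added example (not from the guide or the fail2ban project): models the
.conf/.local override order and the findtime/maxretry/bantime policy.
All config texts, log lines and the failure regex below are constructed."""
import configparser
import re
from datetime import datetime, timedelta

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local.
JAIL_CONF = """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5

[sshd]
enabled = false
port = ssh
"""

JAIL_LOCAL = """
[DEFAULT]
maxretry = 3

[sshd]
enabled = true
bantime = 1h
"""

# Constructed /var/log/auth.log excerpt (syslog timestamps carry no year).
AUTH_LOG = """\
Mar  5 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  5 10:00:03 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  5 10:00:05 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  5 10:00:06 vps sshd[1205]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar  5 10:00:09 vps sshd[1207]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  5 10:00:30 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  5 10:20:00 vps sshd[1300]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar  5 10:20:01 vps sshd[1301]: Failed password for root from 198.51.100.9 port 40011 ssh2
"""

# Simplified stand-in for one pattern of fail2ban's sshd filter (assumption).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_duration(value):
    """'10m' -> 600 seconds; fail2ban accepts bare seconds or s/m/h/d suffixes."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def load_jail(conf_text, local_text, jail):
    """Read the .conf first and the .local second, as fail2ban does: a key set in
    .local replaces the .conf value, keys the .local omits keep the .conf value,
    and a jail section inherits whatever it does not set from [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    sec = cp[jail]
    return {
        "enabled": sec.getboolean("enabled"),
        "bantime": parse_duration(sec["bantime"]),
        "findtime": parse_duration(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
    }


def simulate(log_text, policy):
    """Apply the policy line by line. An IP is banned the moment it has maxretry
    failures inside the last findtime seconds; while banned its lines are
    ignored (the firewall would have dropped the connection); failures older
    than findtime fall out of the window. Returns [(ip, time_of_ban), ...]."""
    if not policy["enabled"]:
        return []
    findtime = timedelta(seconds=policy["findtime"])
    bantime = timedelta(seconds=policy["bantime"])
    recent = {}         # ip -> failure times still inside the window
    banned_until = {}   # ip -> when the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue    # accepted logins and unrelated lines never count
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and t < banned_until[ip]:
            continue
        window = [f for f in recent.get(ip, []) if t - f < findtime]
        window.append(t)
        recent[ip] = window
        if len(window) >= policy["maxretry"]:
            bans.append((ip, t))
            banned_until[ip] = t + bantime
            recent[ip] = []
    return bans


if __name__ == "__main__":
    policy = load_jail(JAIL_CONF, JAIL_LOCAL, "sshd")
    print("effective [sshd] policy:", policy)
    for ip, when in simulate(AUTH_LOG, policy):
        print("ban %s at %s" % (ip, when.strftime("%H:%M:%S")))
```

With the `.local` applied, the effective sshd policy is `maxretry = 3` (from the `.local` [DEFAULT]), `findtime = 10m` (inherited from the `.conf` [DEFAULT], never overridden) and `bantime = 1h` (from the `.local` [sshd] section), so 203.0.113.7 is banned on its third failure at 10:00:05 and its later attempt at 10:00:30 is ignored, while 198.51.100.9 is never banned because its failures at 10:00:09 and 10:20:00 are more than `findtime` apart and the window starts over. With the `.conf` defaults alone (`maxretry = 5`) nobody on this log is banned, which is exactly the difference the `.local` is meant to make.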

## Putting It All Together

## Installation of the SSH Server

If the server does not already run an SSH daemon (on a VPS it normally does), install it:

```
$ sudo apt-get install -y openssh-server
```

## Sendmail Configuration

To receive an email whenever Fail2ban bans a host, install a mail transfer agent and set the mail-related options in the [DEFAULT] section of `jail.local`:

## Destemail
The address the notification is finally delivered to.
## Sendername
The display name the email is shown as coming from.
## Sender
The address the email is sent from.

These options only matter with a ban action that sends mail. The default `action_` only bans; `action_mw` also emails a whois report on the banned address, and `action_mwl` additionally includes the matching log lines. Pick one of them by setting `action` in the same [DEFAULT] section, and make sure the mail transfer agent is installed:

```
$ sudo apt-get install fail2ban sendmail
```

## Sshd Configuration

If you have not done so already, copy the defaults into `jail.local` as discussed above:

```
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

and open the file in your editor:

```
$ sudo vim /etc/fail2ban/jail.local
```

![fail2ban](https://grid.media/assets/images/Fail2ban-configuration-blocks.png)

Above we can see a sensible set of Fail2ban configuration blocks and their values, including destemail, sender and sendername in the [DEFAULT] settings.

As before, a host is banned once it generates `maxretry` failures within `findtime`, and the values in `jail.local` override those in `jail.conf`. On Ubuntu the package also installs `/etc/fail2ban/jail.d/defaults-debian.conf`, which enables the sshd jail, so the jail is active as soon as the service runs; if you want that to be explicit in your own file, add an [sshd] section to `jail.local` with `enabled = true`.

## UFW

UFW (Uncomplicated Firewall) is the standard firewall configuration tool of the Ubuntu distributions and is installed by default on 18.04. Before enabling it on a remote server, allow SSH through, otherwise enabling the firewall locks you out of the machine. The OpenSSH application profile, registered by the openssh-server package, opens port 22:

```
$ sudo ufw allow OpenSSH
```
To enable ufw:

```
$ sudo ufw enable
```
To disable ufw:

```
$ sudo ufw disable
```
Fail2ban's default ban action inserts its own iptables chains ahead of the rules ufw manages, so the two work together without further configuration. If you prefer bans to be handled by ufw itself, set `banaction = ufw` in the [DEFAULT] section of `jail.local`; fail2ban ships the matching `action.d/ufw.conf`.

Enable the fail2ban service at system startup:

```
$ sudo systemctl enable fail2ban
```
Start the service so that it is active now (on Ubuntu the package already does both at install time, so this is a no-op if it is running):

```
$ sudo systemctl start fail2ban
```
After a configuration change, `fail2ban-client -t` checks the configuration for syntax errors without touching the running service. Restarting the server then reloads the jails and reports any runtime errors; fix the problems and restart again:

```
$ sudo fail2ban-client restart
```

Confirm the status of the server and the sshd jail. The output lists the currently and totally failed and banned hosts and the banned IP list, and `sudo fail2ban-client status` without a jail name lists all active jails:

```
$ sudo fail2ban-client status sshd
```

## Conclusion

You should now be able to configure basic banning policies for your services. Fail2ban is easy to set up and a pleasant way to protect any service that authenticates users, and its real value comes from reviewing the ban log and tuning `findtime`, `maxretry` and `bantime` to what your server actually sees.