
How to Protect SSH with Fail2ban on Ubuntu 18.04


Introduction

Fail2ban is a utility that monitors the system logs for signs of an automated attack on the server and blocks the IP addresses that produce repeated password failures. On an Ubuntu 18.04 VPS, Fail2ban gives the server an automatic edge in the fight against attackers: it adds a rule to iptables that blocks the attacker's IP address, either for a set amount of time or permanently. Fail2ban can also send an email alert when a threat is detected.

Prerequisites

A VPS web host. You need access to an Ubuntu 18.04 server with a non-root user account that has sudo privileges, created by following our guide, Initial Server Setup with Ubuntu 18.04. The commands below are run from a shell on that Linux server.

Installation of Fail2ban on Ubuntu

The first step is to refresh the package list from the Ubuntu repositories. Updating the local package index lets apt download and install the latest package:

$ sudo apt-get update
$ sudo apt-get install fail2ban

Press Y and hit enter when prompted to confirm the installation.

Understanding the Fail2ban Configuration File

Fail2ban ships with default filtering rules, but you can create your own configuration files to customize the security settings to your needs. The default configuration file (‘/etc/fail2ban/jail.conf’) should never be edited directly, because a distribution update may improve or overwrite it.

By default, fail2ban reads the ‘.conf’ files first and the ‘.local’ files afterwards, so a ‘.local’ file overrides the defaults. This means you should put your customizations in your own ‘.local’ files. If you want to handle the settings of each service in a separate file, place the ‘.local’ files together in the ‘/etc/fail2ban/jail.d’ directory.

Configuration of Fail2ban

‘fail2ban.conf’ contains the default configuration profile of the fail2ban daemon itself, and the default settings give a reasonable working setup. If changes are needed, it is best to keep them in a separate file, for example ‘fail2ban.local’, which overrides ‘fail2ban.conf’. So copy ‘fail2ban.conf’ to ‘fail2ban.local’:

$ sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

From here we can edit the definitions:

Loglevel

The level of detail that the fail2ban logs provide. It can be set to 1 (error), 2 (warn), 3 (info) or 4 (debug).

Logtarget

The target that fail2ban logs its actions to. The default value, /var/log/fail2ban.log, writes the log to that file.

Creation of Jail Settings

Rather than writing a jail configuration from scratch, we copy the default configuration file and then edit only the settings we want to override:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

To edit the new configuration file, open it in the nano editor:

$ sudo nano /etc/fail2ban/jail.local

Edit the settings under the [DEFAULT] entry:

[DEFAULT]
....
bantime = 10m
findtime = 10m
maxretry = 5
....

The settings above apply to every service that does not override them in its own section.

Bantime

The length of time a host is banned before it is allowed to try the service again.

Findtime

The length of the time window in which failures are counted: a host is banned if it generates the maximum number of retries for a service within this window.

Maxretry

The number of failures a host must generate before the server bans it.

With these default settings, a host is blocked for 10 minutes if it generates more than 5 failed attempts within 10 minutes. Adjust the values according to your needs.

Once you are done editing the file, press CTRL+X, then Y, then Enter to save it.

(Screenshot: the default bantime, findtime and maxretry values in jail.local.)

Putting It All Together:

Installation of the SSH Server:

$ sudo apt-get install -y openssh-server

Sendmail Configuration:

To receive an email when fail2ban is triggered, adjust the following email settings:

Destemail

The email address that the notifications are finally delivered to.

Sendername

The name the email is shown as coming from.

Sender

The email address that the notifications are sent from.

$ sudo apt-get install fail2ban sendmail

Sshd Configuration:

As we have already discussed above, copy the default jail configuration and open the copy for editing:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

$ sudo vim /etc/fail2ban/jail.local

(Screenshot: the Fail2ban configuration blocks in jail.local.)

Above we can see the relevant Fail2ban configuration blocks and their values: destemail, sender and sendername in the default settings, together with bantime, findtime and maxretry. A host is banned if it generates ‘maxretry’ failures during its ‘findtime’. These values live in the ‘.local’ copy of the configuration made above.
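As an added example (not code from the original guide), here is a shell script that writes a complete ‘jail.local’ combining the [DEFAULT] overrides from the jail settings section with the email settings from the Sendmail section and enabling the sshd jail; a small helper then reads a key back from a named section so the file can be checked before fail2ban is restarted. The output path defaults to ./jail.local so the script can run without root; copy the result to /etc/fail2ban/jail.local yourself. The email addresses and the extra ignoreip address are placeholders that you must replace.

```shell
#!/bin/sh
# Added example: build a jail.local for the sshd jail and read settings back.
# Not from the original guide. Email addresses and ignoreip are placeholders.

# write_jail_local [PATH] - writes the jail overrides; defaults to ./jail.local
write_jail_local() {
  cat > "${1:-./jail.local}" <<'EOF'
[DEFAULT]
# never ban loopback or your own admin address (placeholder: replace 192.0.2.1)
ignoreip = 127.0.0.1/8 ::1 192.0.2.1
# a host is banned for bantime once it reaches maxretry failures inside findtime
bantime = 10m
findtime = 10m
maxretry = 5
# email settings used by the mail actions (placeholder addresses)
destemail = admin@example.com
sender = fail2ban@example.com
sendername = Fail2Ban
mta = sendmail
# ban via iptables and mail a report with whois output and the matching log lines
action = %(action_mwl)s

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
EOF
}

# get_setting FILE SECTION KEY - prints the value of KEY inside [SECTION]
get_setting() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { in_sec = 1; next }        # entered the wanted section
    /^\[/     { in_sec = 0 }              # any other header ends it
    in_sec && $1 == key {                 # a "key = value" line
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1"
}

# Stand-alone run: write ./jail.local and show the values fail2ban will use.
write_jail_local ./jail.local
for k in bantime findtime maxretry action; do
  printf '%s = %s\n' "$k" "$(get_setting ./jail.local DEFAULT "$k")"
done
printf 'sshd enabled = %s\n' "$(get_setting ./jail.local sshd enabled)"
```

After copying the file into /etc/fail2ban, run `sudo fail2ban-client -t` to have fail2ban parse the configuration before restarting the service. Keeping your own address in ignoreip matters in practice: a typo while testing SSH from your workstation should not lock you out of your own server.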

UFW

UFW is the popular and conventional firewall configuration tool that ships with the Ubuntu distributions. Firewall rules can be given a comment (for example ‘comment ssh’) so that they are easy to identify.

Allow SSH through ufw before enabling the firewall, so that you are not locked out:

$ sudo ufw allow OpenSSH

To enable ufw:

$ sudo ufw enable

To disable ufw:

$ sudo ufw disable

Enable the fail2ban service so that it starts on system boot:

$ sudo systemctl enable fail2ban

Start the fail2ban service now. It will be up and running, provided the configuration has no syntax errors:

$ sudo systemctl start fail2ban

Restarting the whole fail2ban server reports any runtime errors. Fix the problems and then restart it again:

$ sudo fail2ban-client restart

Check the status of the server and of the sshd jail to confirm it is working:

$ sudo fail2ban-client status sshd

Conclusion

In conclusion, you should now be able to configure basic banning policies for your services. Fail2ban is very easy to set up and a pleasant way to protect any kind of service that uses authentication.