Fail2ban is an intrusion prevention framework which works together with a packet-control system or firewall installed on your Cloud Server and is commonly used to block connection attempts after several failed tries.
Installing Fail2ban
It operates by monitoring log files for certain types of entries and runs predetermined actions based on its findings. You can install the software with the following
sudo apt-get install fail2ban
Once installed, copy the default jail.conf file to make a local configuration with this command
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then open the new local configuration file for edit with your favourite text editor, for example
sudo nano /etc/fail2ban/jail.local
Scroll down to go through some of the settings available in the configuration file.
First up are the basic defaults for ignoreip, which allows you to exclude certain IP addresses from being banned, for example, if your own computer has a fixed IP you can enter it here. Next set the bantime which determines how long an offending host will remain blocked until automatically unblocked. Lastly check the findtime and maxretry counts, of which the find time sets the time window for the max retry attempts before the host IP attempting to connect is blocked.
[DEFAULT] ignoreip = 127.0.0.1 bantime = 3600 findtime = 600 maxretry = 3
If you have a sendmail service configured on your cloud server, you can enable the email notifications from Fail2ban by entering your email address into the parameter destemail and changing the action = %(action_)s to action = %(action_mw)s.
Once you’ve done the basic configurations, check the different jails available in the configuration options. Jails are the rules which fail2ban applies to any given application or log file. SSH jail settings, which you can find at the top of the jails list, are enabled by default and not commented out.
[sshd] port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
You can enable or disable other jail modules in the same fashion.
When you’ve enabled all the jails you wish, save the configuration file and exit the editor. Then you’ll need to restart the monitor with the following command
sudo systemctl restart fail2ban.service
With that done, you should now check your iptable rules for the newly added jail sections on each of the application modules you enabled.
sudo iptables -L
Any banned IP addresses will appear in the specific chains where the failed login attempts occurred at. You can also manually ban and unban IP addresses from the services you defined jails for with the following commands.
sudo fail2ban-client set <jail> banip/unbanip <ip address> # For example sudo fail2ban-client set sshd unbanip 83.136.253.43
Fail2ban is a handy addition to the iptables and firewall access control in general, feel free to experiment with the configuration and don’t worry if you get your own IP address banned, you can always log in through the web Console at your UpCloud Control Panel to unban yourself afterwards.
Amazing Grace Publishing
Please check to see if your documentation for Fail2ban needs updating to match 2018-2019. There are a few differences I found that needs editing.
Janne Ruostemaa
Thanks for checking out the guide! You are right that a few things have changed with Fail2ban since the documentation was last updated, we’ll make sure to refresh it again to reflect the changes.
Gregory
Hi!
Recently I installed fail2ban on a UpCloud VPS with Ubuntu 20.04 LTS.
The configuration is very simple and works fine on Ubuntu 18.04.
Unfortunately I have found that fail2ban is not banning IP’s on Ubuntu 20.04.
Fail2ban works, but not banns!
$ sudo ufw status verbose
does not show any IP bans.
Would you please to check your installation media of Ubuntu 20.04?
I think this issue could affect many other customers.
Thank you in advance.
$ nano /etc/fail2ban/jail.local
# =====================================
[DEFAULT]
banaction = ufw
banaction_allports = ufw
ignoreip = 127.0.0.1/8 ::1/ . . .
[sshd]
enabled = true
maxretry = 2
bantime = 24h
findtime = 1h
# =====================================
Janne Ruostemaa
Hi Gregory, thanks for the question. After a quick test, the ufw ban actions seem to work just fine with the default config. However, the “enable = true” is no longer require and might cause fail2ban to ignore the jail. We’ve updated the guide to reflect the changes. Once you’ve updated your config, restart fail2ban. You should then see any ban entries on the ufw firewall rules.
Gregory
Thank you for the rapid answer!
I think I have found the cause of this issues.
My wrong was that I was using one of the following commands to reload Fail2Ban configuration after editing ‘/etc/fail2ban/jail.local’ file
$ sudo systemctl reload fail2ban
$ sudo fail2ban-client reload
These commands works perfectly in 18.04.
Unfortunately the ‘reload’ functionality seems to be broken in the newer Fail2Ban version that is available from the 20.04 repository.
Only service restart was able to force Fail2Ban to load modified config (your manual recomends the same ;-).
sudo systemctl stop fail2ban
sudo systemctl start fail2ban
Thank you for your help!