In this tutorial, we are going to install and configure fail2ban. As the fail2ban web page says: “Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.”
We start by installing it on our server (as always, I’m using Ubuntu 20.04 LTS):
$ sudo apt install fail2ban
With this, our server is already protected. We can check whether the service is running by typing:
$ sudo /etc/init.d/fail2ban status
We can also add some configuration to make it more robust or more flexible. Let’s edit the fail2ban jail configuration file:
$ sudo nano /etc/fail2ban/jail.conf
This is a large file where we can review every service and port on our server. Typing “CTRL+W” we can search for a keyword. This time, we are going to configure ssh so it is protected from brute-force attacks. Typing “sshd” we will find something like this (note that fail2ban’s own comments recommend putting overrides in jail.local, which takes precedence over jail.conf and is not touched by package upgrades):
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
bantime = 86400
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
In this case, I add and highlight 2 new options: bantime = 86400, the time that fail2ban sets on the firewall to block the attacking IP (86400 is in seconds, so 24 hours in total); and maxretry = 3, the maximum number of failed login attempts an IP is allowed before it gets blocked.
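To see what these two settings actually do, here is an added example (not fail2ban’s code and not part of the original post) that models the sshd jail’s counting logic over a few constructed auth.log lines: it matches sshd “Failed password” entries, counts failures per source IP inside a sliding findtime window, and reports which IPs would be banned and until when. The findtime value (600 s, fail2ban’s default) and the year used for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings from the tutorial; findtime (600 s) is fail2ban's default, assumed here
MAXRETRY, BANTIME, FINDTIME = 3, 86400, 600

# Simplified version of the "Failed password" pattern in filter.d/sshd.conf
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)

def parse_ts(ts, year=2021):
    """syslog timestamps carry no year; 2021 is an assumed value for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: (ban_start, ban_end)} for IPs with maxretry failures inside findtime."""
    failures, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:   # not a failure, or source already banned
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        window = failures[ip]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):   # forget old failures
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (when, when + timedelta(seconds=bantime))
    return bans

# Constructed sample auth.log lines (not real traffic): 198.51.100.7 fails 3 times within
# 11 s and gets banned; 203.0.113.9 also fails 3 times, but spread over 30 min, so it never
# has maxretry failures inside findtime and stays unbanned.
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50110 ssh2
Mar  1 10:00:05 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50110 ssh2
Mar  1 10:00:09 srv sshd[1203]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  1 10:00:12 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50110 ssh2
Mar  1 10:30:00 srv sshd[1210]: Failed password for root from 203.0.113.9 port 40030 ssh2
Mar  1 10:30:30 srv sshd[1212]: Failed password for root from 203.0.113.9 port 40031 ssh2
Mar  1 10:31:00 srv sshd[1214]: Accepted publickey for deploy from 192.0.2.4 port 40040 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start} until {end}")
```

Raising findtime to 3600 in the call would also ban 203.0.113.9, which is why tuning findtime together with maxretry matters for slow brute-force attempts.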
Testing fail2ban
I connect my phone to the 4G network and open Termux, then I make 3 connection attempts with wrong passwords:

After 3 failed connection attempts (in the screenshot we see 1 connection attempt with 3 wrong passwords), we can check our fail2ban log:
$ sudo cat /var/log/fail2ban.log
