How to Install and Configure Fail2ban on Ubuntu 16.04

If your server is connected to the Internet, it needs some kind of protection. We can mitigate attacks and threats with the proper tools. One common type of attack is the brute-force attack: the attacker tries many username-password combinations from a database he or she has. With the correct combination, the attacker can log in to your server, and you know the rest of the story. We can configure Fail2Ban on our server to mitigate brute-force attacks. In this guide, I will show you how to install and configure Fail2Ban on your Ubuntu 16.04 VPS.

First of all, let me explain how exactly a brute-force attack works, so that you can understand how Fail2Ban mitigates the issue.

What is a Brute-force Attack?

When you enter a username and password in a login form and hit the Submit button, the website sends a request containing that data to a specific URL on the server. An attacker can pick up that URL (it is public) and send many login requests to it, each with a different username-password combination.

The attack continues until a username-password combination matches. There is a little twist here: web servers log every successful and unsuccessful request they receive, along with the client's IP address. That means we can count the unsuccessful login requests from a specific IP address in the log file.

Now comes the important part. Two or three failed login attempts from one IP address within a minute are fine. Thirty or forty failed login attempts from the same IP address within a minute are not. An unnatural number of login attempts in a given time window is probably a brute-force attack.

Reading log files manually 24x7 is not an efficient way to protect your server against brute-force attacks. You can automate the process with Fail2Ban!

What is Fail2Ban?

Fail2Ban is an intrusion prevention tool that we can configure on our server to prevent brute-force attacks. Fail2Ban automatically scans the log files, and if it finds an unnatural number of failed login attempts from one IP address, it simply blocks that IP address in the firewall for some time.

We can configure Fail2Ban according to our requirements: we specify how many failed login attempts we want to allow within a given time frame. If the number of failed login attempts exceeds that limit, Fail2Ban blocks the IP address for some time (again, we set the block duration in the configuration file).

Now that we know what a brute-force attack is and how Fail2Ban helps, we can move on to the installation. Note that installing on Ubuntu requires sudo privileges. If you do not have sudo privileges, you can also log in as the root user.

Install Fail2Ban on Ubuntu 16.04

Fail2Ban is very easy to install. The configuration requires some manual work, but it is also easy: we just have to create the configuration file and enter our numbers. Assuming you already have an Ubuntu VPS, execute the following commands to update the package lists and upgrade installed packages to the newer versions available.

$ sudo apt-get update
$ sudo apt-get upgrade -y

Once the process is complete, execute the following command to install Fail2Ban on your Ubuntu 16.04 server.

$ sudo apt-get install fail2ban -y

It will take a few minutes to install Fail2Ban. After installation, execute the following commands to allow connections on port 22 (SSH) and then enable the firewall on the server. Do not forget to allow connections on SSH: if you do not, you will be locked out of your server.

$ sudo ufw allow ssh
$ sudo ufw enable

The installation part is done. Now we can move on to the configuration. We will update the Fail2Ban configuration file according to our requirements.

Configure Fail2Ban on Ubuntu 16.04

Fail2Ban reads local settings from /etc/fail2ban/jail.local. This file does not exist by default (the packaged defaults live in /etc/fail2ban/jail.conf, which should be left untouched), so we have to create it. Execute the following command to create the configuration file for Fail2Ban.

$ sudo nano /etc/fail2ban/jail.local

Once you are in the editor, paste the following content into the configuration file.

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Now press CTRL+X, then Y, then Enter to save the configuration. Next, we have to restart the Fail2Ban service to apply the changes. Before doing that, let's first understand what is happening here and what these directives mean.

  1. ignoreip: the IP addresses (or networks) that we never want to ban. Right now we have entered the localhost addresses in IPv4 and IPv6 form, so Fail2Ban will not ban the server itself from logging in.
  2. bantime: the time in seconds for which a blocked IP address cannot log in. Once an IP address is blocked, it cannot log in again for 3600 seconds.
  3. findtime: the time window in which failures are counted. Here findtime is 600 seconds, or 10 minutes. So if someone fails to log in X times within 10 minutes, Fail2Ban blocks the IP address.
  4. maxretry: the number of failed login attempts allowed within findtime. Here it is 5, so after 5 failed tries Fail2Ban blocks the IP address.

Based on our current configuration, if Fail2Ban finds 5 failed login attempts from the same IP address within the last 10 minutes, it blocks that IP address for 1 hour (3600 seconds). Now let us restart the Fail2Ban service to apply the changes we made in the configuration. Execute the following command to do so.

$ sudo service fail2ban restart

Now your SSH service is protected. This is how you can protect your server from brute-force attacks using Fail2Ban.


Conclusion: Fail2Ban is very easy to use and efficient, and it is always good to protect your server from unwanted login attempts. A successful brute-force attack is hardly possible if you are using a very strong password. If you are using weak passwords, I highly recommend that you install and configure Fail2Ban on your server right now. It takes less than 10 minutes to protect your Ubuntu 16.04 server by configuring Fail2Ban.

If you have any questions or get stuck somewhere in the process, please use the comment section. We will respond with help as soon as possible!
