In this guide, you will learn how to install and configure Fail2ban on Ubuntu 22.04.
Fail2Ban is a commonly used Intrusion Prevention System (IPS) written in Python. First released as an open-source Python project in 2004, it was well received by the development community and has been under development ever since.
Fail2Ban is designed to help servers of all types avoid brute-force attacks. It utilizes a variety of customizable features to accomplish this goal.
Steps To Install and Configure Fail2ban on Ubuntu 22.04
To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on the Initial Server Setup with Ubuntu 22.04.
Installing Fail2ban on Ubuntu 22.04
By default, Fail2ban packages are available in the default Ubuntu 22.04 repository.
First, update and upgrade your local package index:
sudo apt update && sudo apt upgrade -y
Then, use the command below to install Fail2ban:
sudo apt install fail2ban -y
Now you need to run the command below to start and enable your Fail2ban service:
sudo systemctl enable fail2ban --now
Verify your Fail2ban service is active and running on Ubuntu 22.04:
sudo systemctl status fail2ban
Output
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
     Active: active (running) since Tue 2022-09-20 06:48:30 UTC; 32s ago
       Docs: man:fail2ban(1)
   Main PID: 1261 (fail2ban-server)
      Tasks: 5 (limit: 4575)
     Memory: 15.3M
        CPU: 210ms
     CGroup: /system.slice/fail2ban.service
             └─1261 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
...
Configuring Fail2ban on Ubuntu 22.04
After completing the installation, you need to do some setup and basic configuration. To do this, follow the steps below.
Fail2ban comes with two configuration files: /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.
Do not modify these files. They are the packaged originals and will be replaced by any future update to Fail2ban.
Backup Fail2ban Settings
At this point, use the following command to create a copy of the configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then, verify that the jail.local file exists in the /etc/fail2ban/ directory.
Make Configuration Changes in the jail.local File
At this point, open the local configuration file with your favorite text editor. Here we use vi:
sudo vi /etc/fail2ban/jail.local
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.
At this point, you should add your local PC IP address and all other machines that you want to whitelist.
Find the “ignoreip” line, uncomment it by removing the leading hash (#), and add your IP addresses separated by spaces:
ignoreip = 127.0.0.1/8 ::1 126.96.36.199 192.168.1.0/24
Next, find the “bantime” line, which sets how long an IP stays banned. By default, it is set to 10m. You can change the value to your liking:
bantime = 1d
To permanently ban the IP, you can use a negative number.
The findtime is the time window in which failures are counted: an IP is banned when it reaches maxretry failures within findtime.
The maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.
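How ignoreip, findtime, maxretry and bantime interact, shown as an added example that is not part of the original guide and not Fail2ban's own code: a small Python simulation run over constructed log lines. The 10-minute findtime, the simplified regex and the ISO-timestamp log format are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values mirror the jail.local directives discussed in this guide.
IGNOREIP = "127.0.0.1/8 ::1 126.96.36.199 192.168.1.0/24".split()
FINDTIME = timedelta(minutes=10)   # assumption: set this to your findtime
MAXRETRY = 5
BANTIME = timedelta(days=1)

# Simplified stand-in for the sshd filter, not Fail2ban's real failregex.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def is_ignored(ip, ignore=IGNOREIP):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignore)

def simulate(lines):
    """Return {ip: (ban_start, ban_end)} for chronologically ordered log lines."""
    recent = defaultdict(deque)    # ip -> failure timestamps still inside findtime
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if is_ignored(ip) or (ip in bans and ts < bans[ip][1]):
            continue               # whitelisted, or ban still in force
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:    # forget failures older than findtime
            q.popleft()
        if len(q) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            q.clear()
    return bans

def sample_log():
    """Constructed sample lines using documentation-range addresses."""
    fmt = "2022-09-20T06:{:02d}:00 host sshd[1300]: Failed password for root from {} port 40022 ssh2"
    slow = [fmt.format(m, "198.51.100.9") for m in (0, 11, 22, 33, 44)]  # spread out
    fast = [fmt.format(m, "203.0.113.7") for m in (1, 2, 3, 4, 5)]       # 5 in 4 minutes
    lan = [fmt.format(m, "192.168.1.50") for m in (1, 2, 3, 4, 5, 6)]    # inside ignoreip
    return sorted(slow + fast + lan)

if __name__ == "__main__":
    for ip, (start, end) in simulate(sample_log()).items():
        print(ip, "banned", start, "->", end)
```

Only the fast source is banned: the slow source never accumulates five failures inside one findtime window, and the LAN address is skipped because it falls within ignoreip.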
Fail2ban can send email alerts when an IP has been banned on Ubuntu 22.04.
To receive email messages, you need to have an SMTP server installed on your server and change the default action, which only bans the IP, to this:
action = %(action_mw)s
If you want to receive the relevant logs too, you should set it to this:
action = %(action_mwl)s
Also, you can adjust the sending and receiving email addresses:
destemail = [email protected]
sender = [email protected]
Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.
By default, only the ssh jail is enabled.
You can also create your own jail configurations. To enable a jail, you need to add enabled = true after the jail title.
For example, to enable the postfix jail you can do this:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
When you are done, save and close the file.
Finally, restart Fail2ban on Ubuntu 22.04 with the following command to apply these changes:
sudo systemctl restart fail2ban
Let’s see how to use Fail2ban.
How To Use Fail2ban
Fail2ban comes with a command-line tool named fail2ban-client. You can use this command to interact with the Fail2ban service.
You can list all available options with the following command:
Output
Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v0.11.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c, --conf <DIR>        configuration directory
    -s, --socket <FILE>     socket path
    -p, --pidfile <FILE>    pidfile path
    --pname <NAME>          name of the process (main thread) to identify instance (default fail2ban-server)
    --loglevel <LEVEL>      logging level
    --logtarget <TARGET>    logging target, use file-name or stdout, stderr, syslog or sysout.
...
This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:
To check the status of a jail, you can use the following command:
sudo fail2ban-client status sshd
Also, you can unban an IP with the following command:
sudo fail2ban-client set sshd unbanip 188.8.131.52
To ban an IP you can use the following command:
sudo fail2ban-client set sshd banip 184.108.40.206
If you don’t want to use Fail2ban anymore, you can easily disable it with the command below:
sudo systemctl disable fail2ban --now
Then, remove Fail2ban with the command below:
sudo apt autoremove fail2ban --purge -y
At this point, you have learned how to install and configure Fail2ban on Ubuntu 22.04.
Hope you enjoy it.