Last updated on August 26th, 2020 at 09:12 am
Hello there. Welcome to our tutorial on how to protect SSH server authentication with fail2ban on Ubuntu 18.04.
Fail2ban is intrusion prevention tool written in Python programming language to protect servers or any service that requires authentication from brute-force attacks. Fail2ban scans the server/service logs for any abnormally and ban any malicious IP associated with it. For example multiple SSH failed login attempts.
It achieves this by adjusting the firewall rules to reject any further attempt by the malicious host to authenticate to the same system or a service for a defined period of time. It can also be configure to sent notifications on the same.
As much as fail2ban mitigates such malicious issues as brute-forcing, it doesn’t alleviate any susceptibility to risks posed to your server/service by the weak authentication mechanisms. Therefore, ensure that you implement good authentication mechanisms for your systems/services.
Install Fail2Ban on Ubuntu 18.04
Fail2ban is available on the default Ubuntu 18.04 repositories and can simply be installed by running the command below;
sudo apt update sudo apt install fail2ban -y
The configuration files for fail2ban are located under
/etc/fail2ban directory with
jail.conf being the main configuration file.
In order to configure fail2ban to protect specific services, copy the
jail.conf to custom
jail.local configuration file. Direct modification of
*.conf files is not recommended since in case of an upgrade, they will be overwritten and changes made in them will be lost.
Therefore, you can copy the main configuration file,
jail.local and make your own customizations or you can simply create a new custom configuration and define only settings you wish to overwrite in the main
You can however use the
jail.conf to guide you on settings you would like to override.
Fail2ban Global Settings
[DEFAULT] section of the configuration file defines settings that are applied to all the services that are protected by fail2ban. In this section, you may want to override settings like
To customize your
jail.local, edit it and put the following contents
[DEFAULT] ignoreip = 192.168.43.149 bantime = 1440m findtime = 5m maxretry = 5 destemail = [email protected] sender = [email protected]<fq-hostname> mta = postfix
These parameters are described below;
ignoreip– This is used to define IP addresses that are exempted from being banned by fail2ban. Mulitple IP addresses can be defined using space separator. Fail2ban doesnt ban any host by default.
bantime– Defines how long a host is blocked when it fails to authenticate correctly to the server. It is usually 10 minutes by default.
findtime– Defines a time window period in which a host is blocked if it generates a specific number of authentication retries defined by
maxretryparameter. It is usually 10 minutes by default.
maxretry– Defines a maximum number of failures before a host is blocked. The default is 3.
destemail– It specifies an email address to sent notifications to in case you want to be notified whenever a host is banned.
sender– This parameter defines the value of the “From” field in the email sent.
mta– Specifies the mail transfer agent for mailing.
Configure SSH Jail Settings
In order to define settings that applies only to a specific service for example SSH, you need to create a section for that service. By default, the SSH service is enabled while all other services are disabled. To block the failed login attempts on the SSH server, create a jail like as shown below.
# SSH Jail to block multiple failed login attempts [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log
The parameters used are described below;
enabled: This option turns on SSH server protection.
port: Defines the service that fail2ban is set to monitor
filter: Defines the configuration file located in the
/etc/fail2ban/filter.d/directory that fail2ban uses to find matches and in this case,
logpath: This parameter specifies the location service log file.
Once you are done with configurations , save the configuration file and start and enable fail2ban to run on system boot.
systemctl start fail2ban systemctl enable fail2ban
As you can see under ACTIONS, fail2ban uses
iptables to block or ban any source IP that may be involved in suspicious authentication attempts.
... # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport banaction_allports = iptables-allports ...
Check Ban Status
Fail2ban operates in a client-server model. The server program
fail2ban-server is responsible for monitoring log files and issuing ban/unban commands whereas the
fail2ban-client reads the configuration files and issue corresponding configuration commands to the server.
To check for banning status, run the command below;
fail2ban-client status Status |- Number of jail: 1 `- Jail list: sshd
This will show you the jails that have been activated. In this case, sshd.
Banning can also be done manually using the
fail2ban-client command. For example, to ban a specific IP, run the command;
fail2ban-client set sshd banip 192.168.43.220 192.168.43.220
If you can check the status of the jail now, you will find out a list of banned IPs.
fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 1 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 192.168.43.220
To unblock the IP,
fail2ban-client set sshd unbanip 192.168.43.220
Test SSH Banning
Before you can conclude that fail2ban is actually working, you need to test it out. Therefore, based on our defined settings above, for an IP to be banned, it has to try at least 5 failed login attempts in five mins. Therefore, you can try to failed ssh logins to your server and check the status of the jail.
fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 7 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 2 `- Banned IP list: 192.168.43.69
You can also check the fail2ban log entry;
tail -f /var/log/fail2ban.log 2018-11-30 00:04:21,048 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:00:25 2018-11-30 00:04:21,048 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:00:27 2018-11-30 00:04:21,049 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:21 2018-11-30 00:04:21,050 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:26 2018-11-30 00:04:21,050 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:29 2018-11-30 00:04:21,051 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:38 2018-11-30 00:04:21,052 fail2ban.filter : INFO [ssh] Found 192.168.43.69 - 2018-11-30 00:01:40 2018-11-30 00:04:21,358 fail2ban.actions : NOTICE [ssh] Ban 192.168.43.69
Once you have been blocked and try to ssh again,
ssh [email protected] ssh: connect to host 192.168.43.154 port 22: Connection refused
Well, from the output above, you can see that fail2ban works fine. Feel free to explore more about this beautiful tool. That is all it takes to protect your SSH server with Fail2ban. In our next article, we will see how to protect other services in the same way. Thanks for reading. We hope this was informative.
Install and Configure Snort 3 NIDS on Ubuntu 20.04
Install and Configure AIDE on Ubuntu 20.04
Install and Configure Tripwire Security Monitoring tool on CentOS 8