C.J. Scarlett

Installing Fail2ban on Ubuntu 18.04 (Bionic Beaver)

Fail2ban Logo

Preamble

A highly condensed set of basic commands to install Fail2ban the traditional way. These can be executed on any remote server/VPS running recent versions of Ubuntu; although the process was carried out by myself on 18.04. If you’re not familiar with Fail2ban, the start of this brief guide refers to two good resources you can read up on. One more up to date than the other.

The purpose of this post is to serve as background for a follow up post which uses Ansible to install the Fail2ban package and configuration more efficiently (linked at the end).


Installing Fail2ban

Several of the instructions for this process are taken and adapted from an older article on DigitalOcean. They’re intended for Ubuntu 14.04 but are still overall suitable on Bionic:

DigitalOcean – “How To Protect SSH with Fail2Ban on Ubuntu 14.04”

It might be better to read through this more up to date Linode article instead however to understand what Fail2ban is, how it works, and most importantly what different values to place into the configuration files. Otherwise this may not make complete sense before doing so.

It may even be more preferable to follow the Linode guide in its entirety, but that’s up to you!

See below:

Linode – “Use Fail2ban to Secure Your Server”

On the remote Ubuntu server in question, update the system package index.

1
$ sudo apt-get update -y

Download and acquire the fail2ban plus sendmail packages.

1
$ sudo apt-get install fail2ban sendmail

Sendmail (if not present by default) is required for Fail2ban to generate notification emails.

Copy the base Fail2ban config into a new jail.local file, in order to begin adding in the config options we want overridden and applied:

1
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Note: “Fail2ban reads .conf configuration files first, then .local files overriding any settings. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched.”

Here’s where an understanding of the configuration is very much necessary.

Having a working firewall such as UFW on Ubuntu is also a background assumption I’m working with here, as the two can work together, and a firewall’s kinda mandatory anyway of course.

Open the newly copied jail.local file.

1
$ sudo vim /etc/fail2ban/jail.local

Add in your sensible Fail2ban configuration blocks and values now; this is my example file contents, should you want to make use of them:

/etc/fail2ban/jail.local
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[DEFAULT]

# email address to receive notifications.
destemail = root@localhost
# the email address from which to send emails.
sender = root@<fq-hostname>
# name on the notification emails.
sendername = Fail2Ban
# email transfer agent to use.
mta = sendmail

# see action.d/ufw.conf
actionban = ufw.conf
# see action.d/ufw.conf
actionunban = ufw.conf

[sshd]
enabled = true
port = ssh
filter = sshd
# the length of time between login attempts for maxretry.
findtime = 600
# attempts from a single ip before a ban is imposed.
maxretry = 5
# the number of seconds that a host is banned for.
bantime = 3600

Note: “A host is banned if it has generated “maxretry” during the last “findtime”.”

Lastly here enable the Fail2ban service on system startup.

1
$ sudo systemctl service enable fail2ban

Then start the service so it’s currently active.

1
$ sudo systemctl service start fail2ban

Fail2ban is now up and running - assuming you entered proper configuration options and have no syntax errors.

As an alternate to using Systemd, restarting the entire Fail2ban server reports any runtime errors, should there be any issue, so…

1
$ fail2ban-client restart

Fix any reported problems in the output, and then restart again.

There’s also a command to confirm the status of the server/jails.

Try it out:

1
$ fail2ban-client status

More specific information about the sshd jail we created in the config file is retrievable with:

1
$ fail2ban-client status sshd

Many more useful commands for you to explore are available, indexed at the following wiki:

Fail2ban Client CLI Commands

Fail2ban is now installed, running, and working!

Add more jails and actions for other services to expand upon it.

The post leading on from this one achieves the same end result but using Ansible configuration management to do the job:

“Installing Fail2ban with Ansible on Ubuntu 18.04 (Bionic Beaver)”


More Information

Easily deploy an SSD cloud server on Digital Ocean in 55 seconds. Sign up using my link and receive $10.00 in free credit: https://www.digitalocean.com/?refcode=e91058dbfc7b

– Scarlz: @5car1z