Best Fail2ban Setup on Ubuntu 22.04 | Full Steps – OrcaCore
In this comprehensive guide, we walk you through the complete process of setting up Fail2ban on Ubuntu 22.04. Fail2Ban is a widely adopted Intrusion Prevention System (IPS) written in Python. Since its inception as an open-source Python project in 2004, it has gained significant popularity, and its development and enhancement are ongoing.
Fail2Ban is specifically designed to safeguard servers of all kinds against brute-force attacks, and it offers a range of customizable features to achieve this. Now, let’s proceed with the following steps on the Orcacore website to set up Fail2ban on Ubuntu 22.04.
Before we begin, ensure you are logged into your server as a non-root user with sudo privileges. If needed, refer to our guide on the Initial Server Setup with Ubuntu 22.04 for assistance.
1. Install and Enable Fail2ban on Ubuntu 22.04
Fail2ban packages are readily available in the default Ubuntu 22.04 repository. First, update and upgrade your local package index:
sudo apt update && sudo apt upgrade -y
Next, install Fail2ban using the following command:
sudo apt install fail2ban -y
Now, start and enable the Fail2ban service using the command below:
sudo systemctl enable fail2ban --now
Verify that your Fail2ban service is active and running on Ubuntu 22.04:
sudo systemctl status fail2ban

2. Configure Fail2ban on Ubuntu 22.04
After the installation, some setup and basic configuration are required. Follow the steps below to achieve this.
Fail2ban comes with two configuration files, located at /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is crucial not to modify these files directly, as they are the original configurations and will be overwritten during future Fail2ban updates.
Backup Fail2ban Settings
Create a copy of the configuration file using the following command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Verify that the jail.local file exists within the /etc/fail2ban/ directory:
ls /etc/fail2ban/jail.local
Output
/etc/fail2ban/jail.local
Make configuration changes in the jail.local file
Open the local configuration file with your preferred text editor (e.g., vi):
sudo vi /etc/fail2ban/jail.local
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. It’s best to whitelist your local PC IP address and any other machines you trust.
Find the "ignoreip" line, uncomment it by removing the leading #, and add your IP addresses separated by spaces:
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24
The bantime line determines the duration for which an IP is banned. By default, it’s set to 10 minutes. You can adjust this value as needed:
bantime = 1d
To permanently ban an IP, you can use a negative number.
The findtime directive specifies the time window during which the number of failures is counted before a ban is triggered.
The maxretry directive defines the number of failed attempts allowed within that window before an IP is banned. The default value of five is generally suitable for most users.
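To make the interplay of ignoreip, findtime and maxretry concrete, here is an added Python example (not part of the original guide and not Fail2ban’s own code) that replays constructed sshd log lines through a simplified version of the sshd filter’s failregex and applies the three directives the way the jail would. The filter pattern, the assumed log year and the sample addresses are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Simplified form of the sshd filter's failregex; the real filter in
# /etc/fail2ban/filter.d/sshd.conf carries many more patterns.
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")

# Values mirroring the jail.local directives discussed above (findtime in seconds).
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.1.0/24"]
FINDTIME = 600
MAXRETRY = 5

def fail_line(hhmmss, host, user="root"):
    """Build a constructed syslog-style sshd failure line for the demo."""
    return f"Jun  1 {hhmmss} srv sshd[4242]: Failed password for {user} from {host} port 51234 ssh2"

def is_ignored(host, ignoreip=IGNOREIP):
    """True when host falls inside one of the ignoreip networks."""
    try:
        ip = ip_address(host)
    except ValueError:          # a hostname rather than an address: not matched here
        return False
    return any(ip in ip_network(net, strict=False) for net in ignoreip)

def ban_decisions(lines, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Replay log lines; return hosts that reach maxretry failures inside a findtime window."""
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or m.group("host") in banned or is_ignored(m.group("host"), ignoreip):
            continue
        host = m.group("host")
        # Syslog timestamps carry no year; 2024 is an assumed value for the demo.
        ts = datetime.strptime(TIMESTAMP.match(line).group(1) + " 2024", "%b %d %H:%M:%S %Y")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)   # fail2ban would now run the jail's ban action for this host
    return banned

# Constructed sample: five quick failures from one host, five from a trusted LAN host.
SAMPLE = [fail_line(f"12:00:{s:02d}", "203.0.113.10") for s in range(1, 10, 2)]
SAMPLE += [fail_line(f"12:01:{s:02d}", "192.168.1.20", "deploy") for s in range(0, 10, 2)]
```

Running ban_decisions(SAMPLE) yields ['203.0.113.10']: the LAN host is never counted, and a host that spreads its five failures over more than findtime seconds is not banned either.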
Fail2ban can send email alerts when an IP has been banned on Ubuntu 22.04.
To receive email messages, an SMTP server must be installed on your server, and the default action, which only bans the IP, needs to be modified. To ban the IP and also receive an email notification, set:
action = %(action_mw)s
To receive the relevant log lines in the email as well, set it to:
action = %(action_mwl)s
You can also customize the sending and receiving email addresses:
destemail = admin@orcacore.com
sender = root@orcacore.com
3. Configure Fail2ban jails on Ubuntu 22.04
Fail2ban utilizes the concept of jails. A jail represents a service and includes filters and actions.
By default, only the SSH jail is enabled.
You can create custom jail configurations. To enable a jail, add enabled = true after the jail title.
For instance, to enable the postfix jail:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
Save and close the file after making the changes.
Finally, restart Fail2ban on Ubuntu 22.04 to apply these changes:
sudo systemctl restart fail2ban
Now, let’s explore how to use Fail2ban.
4. How To Use Fail2ban? Fail2ban Client
Fail2ban includes a command-line tool called fail2ban-client. This tool allows you to interact with the Fail2ban service.
You can list all available options using the following command:
fail2ban-client -h

This tool allows you to ban/unban IP addresses, modify settings, restart the service, and more. Here are some examples:
To check the status of a jail (e.g., sshd):
sudo fail2ban-client status sshd
To unban an IP address:
sudo fail2ban-client set sshd unbanip 23.34.45.56
To ban an IP address:
sudo fail2ban-client set sshd banip 23.34.45.56
5. Uninstall Fail2ban From Ubuntu 22.04
If you no longer require Fail2ban, you can easily disable it:
sudo systemctl disable fail2ban --now
Then, remove Fail2ban:
sudo apt autoremove fail2ban --purge -y
Conclusion
You have now learned how to install and configure Fail2ban on Ubuntu 22.04. Fail2ban provides valuable protection against brute-force attacks by monitoring log files and automatically banning IPs exhibiting malicious behavior. With a minimal setup, Fail2Ban adds a crucial layer of security to your system.
Alternative Solutions for Intrusion Prevention
While Fail2ban is a robust and widely used solution for intrusion prevention, several alternative approaches can provide similar or complementary protection. Here are two different ways to address the problem of brute-force attacks:
1. Using a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Unlike Fail2ban, which primarily works at the system level by analyzing logs, a WAF operates at the application level. This allows it to detect and block attacks that Fail2ban might miss, such as SQL injection, cross-site scripting (XSS), and other application-specific vulnerabilities.
Explanation:
A WAF analyzes incoming requests to identify malicious patterns or anomalies. It can use a variety of techniques, including signature-based detection, anomaly detection, and behavioral analysis, to determine whether a request is legitimate or malicious. If a request is deemed malicious, the WAF can block it, redirect it, or log it for further analysis.
Implementation (Example using ModSecurity with Apache):
ModSecurity is a popular open-source WAF that can be integrated with Apache web servers. Here’s how to set it up:
First, install ModSecurity and the Apache connector:
sudo apt update
sudo apt install libapache2-mod-security2
Enable the ModSecurity module in Apache:
sudo a2enmod security2
sudo systemctl restart apache2
Configure ModSecurity by editing the modsecurity.conf file:
sudo nano /etc/modsecurity/modsecurity.conf-recommended
Change the following settings:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
Download and configure the OWASP ModSecurity Core Rule Set (CRS), which provides a set of pre-defined rules to protect against common web application attacks:
cd /etc/modsecurity/
sudo mv modsecurity.conf-recommended modsecurity.conf
sudo cp unicode.mapping.recommended unicode.mapping
sudo wget https://github.com/coreruleset/coreruleset/archive/v3.3.2.tar.gz
sudo tar -xvzf v3.3.2.tar.gz
sudo mv coreruleset-3.3.2 crs
cd crs
sudo cp crs-setup.conf.example crs-setup.conf
sudo nano crs-setup.conf
Enable the CRS rules by adding the following lines to /etc/apache2/mods-available/security2.conf. The crs-setup.conf file you just copied must be included before the rules; the CRS rejects every request when it is loaded without it:
IncludeOptional /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/rules/*.conf
Restart Apache:
sudo systemctl restart apache2
Now, ModSecurity with the OWASP CRS will protect your web application by analyzing HTTP traffic and blocking malicious requests.
2. Using Port Knocking
Port knocking is a method of externally opening ports on a firewall by sending a sequence of connection attempts ("knocks") to a predefined set of closed ports. Once the correct sequence of knocks is received, the firewall rules are dynamically modified to allow the client’s IP address to connect to a specific service port (e.g., SSH).
Explanation:
Port knocking adds a layer of obscurity to your services, making it more difficult for attackers to discover open ports. It does not rely on analyzing logs like Fail2ban, but rather on verifying the correct sequence of connection attempts.
Implementation (Example using knockd):
Install knockd:
sudo apt update
sudo apt install knockd
Configure knockd by editing the /etc/knockd.conf file:
sudo nano /etc/knockd.conf
Add the following configuration:
[options]
UseSyslog
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
This configuration defines two sequences: openSSH and closeSSH. The openSSH sequence opens port 22 (SSH) for the client’s IP address, while the closeSSH sequence closes it. The sequence line specifies the ports to knock on, and the command line defines the iptables command to execute.
Edit /etc/default/knockd and set START_KNOCKD=1:
sudo nano /etc/default/knockd
START_KNOCKD=1
Start and enable knockd:
sudo systemctl enable knockd
sudo systemctl start knockd
Now, to connect to SSH, you need to send the correct sequence of knocks to ports 7000, 8000, and 9000. After that, port 22 will be open for your IP address. To close the port, send the reverse sequence (9000, 8000, 7000).
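To show what knockd does with the two sequences above, here is an added Python model (not knockd’s code and not part of the original guide) of its per-client sequence tracking: each SYN either advances a door, resets it on a wrong port, or is discarded once seq_timeout has elapsed since the door’s first knock; the iptables commands are replaced by an in-memory allow set. The client addresses are constructed.

```python
from dataclasses import dataclass, field

# The two doors from the /etc/knockd.conf above; seq_timeout is in seconds.
SEQUENCES = {
    "openSSH": {"sequence": (7000, 8000, 9000), "seq_timeout": 5},
    "closeSSH": {"sequence": (9000, 8000, 7000), "seq_timeout": 5},
}

@dataclass
class KnockState:
    """Per-client progress through each door, as knockd tracks it."""
    progress: dict = field(default_factory=dict)   # door -> index of the next expected port
    started: dict = field(default_factory=dict)    # door -> time of the first knock in the run

class KnockDaemon:
    def __init__(self, sequences=SEQUENCES):
        self.sequences = sequences
        self.clients = {}       # client ip -> KnockState
        self.allowed = set()    # ips that currently hold an ACCEPT rule for port 22
        self.actions = []       # (time, ip, door) for every completed sequence

    def syn(self, t, ip, port):
        """Feed one TCP SYN seen at time t (seconds); return the door that completed, if any."""
        state = self.clients.setdefault(ip, KnockState())
        completed = None
        for door, spec in self.sequences.items():
            seq, timeout = spec["sequence"], spec["seq_timeout"]
            idx = state.progress.get(door, 0)
            if idx and t - state.started[door] > timeout:
                idx = 0                     # run exceeded seq_timeout: forget it
            if port == seq[idx]:
                if idx == 0:
                    state.started[door] = t
                idx += 1
            else:
                idx = 0                     # wrong port: the run starts over
            if idx == len(seq):
                idx, completed = 0, door
                self.actions.append((t, ip, door))
                if door == "openSSH":       # stands in for: iptables -A INPUT -s %IP% ... -j ACCEPT
                    self.allowed.add(ip)
                elif door == "closeSSH":    # stands in for: iptables -D INPUT -s %IP% ... -j ACCEPT
                    self.allowed.discard(ip)
            state.progress[door] = idx
        return completed
```

Note that the open command above uses iptables -A, which appends the ACCEPT rule to the end of the INPUT chain; if an earlier rule already drops port 22, the appended rule never matches and iptables -I (insert at the top) is needed instead.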
These alternative solutions, WAFs and port knocking, offer different approaches to intrusion prevention compared to Fail2ban. WAFs provide application-level protection, while port knocking adds a layer of obscurity. Depending on your specific needs and environment, you may choose to use one or more of these solutions to enhance your server’s security posture. Fail2ban on Ubuntu 22.04 remains a solid choice.