Fail2ban helps protect Linux servers from brute-force and DDoS attacks. It scans log files for IP addresses that show malicious signs and bans those IP addresses for a specified amount of time using iptables.
This article describes how to install and configure fail2ban on Ubuntu, CentOS and similar Linux distributions.
You will also learn how to protect an SSH server from DDoS and brute-force attacks and how to manually unban an IP address that was banned by fail2ban.
Install Fail2Ban on Ubuntu
Type the following command to install fail2ban on Ubuntu:
$ sudo apt-get install fail2ban
Install Fail2Ban on CentOS
There is no fail2ban package in the default CentOS repository, but it can be found in EPEL.
Cool Tip: Install EPEL repository in one command! Read more →
Once the EPEL repository is enabled, you can install fail2ban:
$ sudo yum install fail2ban
Configure Fail2Ban
The default fail2ban configuration file is /etc/fail2ban/jail.conf.
However, it is not recommended to modify /etc/fail2ban/jail.conf directly, because a package upgrade may overwrite it.
Instead, we should work with a local copy called jail.local, whose settings override those in jail.conf.
Make a local copy of the fail2ban configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local:
$ sudo vi /etc/fail2ban/jail.local
Pay attention to the global options in the [DEFAULT] section. It covers the basic rules that fail2ban will follow:

Option | Description
---|---
ignoreip | Don't ban a host which matches an address in this list. Several addresses can be defined using a space separator.
bantime | Duration (in seconds) for which an IP is banned. A negative number means a permanent ban. Default is 10 minutes.
findtime | The time window (in seconds) within which fail2ban keeps track of failed login attempts. Default is 10 minutes.
maxretry | The number of failures before a host gets banned. Default is 3 attempts.

If you want to set up more nuanced protection, you can override the global options and customize the details in each jail (a section with rules for one application).
Protect SSH Server with Fail2Ban
After completing the [DEFAULT] section, go down and update the [ssh-iptables] section as below:

[ssh-iptables]
# 'enabled = true' means that SSH protection is on.
# It can be turned off with 'enabled = false'.
enabled = true
# Use filter: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
# Action describes the steps that Fail2Ban will take to ban a matching IP address.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         # Send notifications to admin@example.com
         sendmail-whois[name=SSH, dest=admin@example.com, sendername="Fail2Ban"]
# Log location that Fail2Ban will track
logpath = /var/log/secure
# if during 1 hour
findtime = 3600
# 5 failed login attempts would be detected
maxretry = 5
# host will be banned for 24 hours
bantime = 86400
The logpath above is the CentOS location; on Ubuntu, sshd writes its authentication messages to /var/log/auth.log instead.
Fail2ban is not limited to SSH. Out of the box, Fail2Ban comes with filters for various services (SSH, Apache, Asterisk, Postfix, etc.), but only the [ssh-iptables] jail is activated by default.
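To make the interplay of findtime, maxretry, bantime and ignoreip concrete, here is an added example (not part of the original article or of the fail2ban project) that replays constructed /var/log/secure lines through the same counting rules the [ssh-iptables] jail above uses. The failure regex is a simplified assumption, deliberately narrower than fail2ban's real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Simplified pattern for a failed SSH login; an assumption for this example.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_ts(stamp, year=2024):
    # syslog lines carry no year; assume one so timestamps are comparable
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def simulate_jail(lines, findtime=3600, maxretry=5, bantime=86400, ignoreip=()):
    """Replay lines through the jail's rules; return {ip: ban_start_epoch}."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}                       # ip -> epoch seconds when its ban began
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                # not a failure line: the filter ignores it
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in ignoreip:
            continue                # ignoreip hosts are never banned
        if ip in bans and ts < bans[ip] + bantime:
            continue                # still banned; iptables would drop it
        window = attempts[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans

# Constructed sample of /var/log/secure lines (not real log data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:05:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:10:03 host sshd[103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:15:04 host sshd[104]: Accepted publickey for deploy from 192.168.1.10 port 40000 ssh2
Mar  3 10:20:05 host sshd[105]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:25:06 host sshd[106]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:30:07 host sshd[107]: Failed password for root from 192.168.1.101 port 52000 ssh2
Mar  3 12:30:08 host sshd[108]: Failed password for root from 192.168.1.101 port 52001 ssh2
""".splitlines()
```

With the jail's values, 203.0.113.5 is banned on its fifth failure within the hour, while 192.168.1.101 is not, because its two failures are more than findtime apart.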
Tweaking Fail2Ban Filters
If you wish to tweak the existing filters or add new filters, you can find them in the /etc/fail2ban/filter.d directory.
For example, to modify the fail2ban filter for OpenSSH, edit the following file:
$ sudo vi /etc/fail2ban/filter.d/sshd.conf
Start Fail2Ban
fail2ban is already configured to start at system boot by default.
Don't forget to restart fail2ban each time after making any changes to its settings:
$ sudo service fail2ban restart
Test Fail2Ban
To test fail2ban and to see the rules that fail2ban puts in effect, look at iptables:
$ sudo iptables -L
Manually UnBan IP Banned by Fail2Ban
Use the following command to manually unban an IP address banned by fail2ban, substituting the jail name and the address:
$ sudo fail2ban-client set JAIL unbanip IP
Unban IP 192.168.1.101, which was banned according to the [ssh-iptables] jail:
$ sudo fail2ban-client set ssh-iptables unbanip 192.168.1.101
Thanks! I was already getting tired of entering them by hand. I've only just started working with websites properly, exposed my domain on Stack Overflow, and right away some fool turned up who gives me no peace. Great article, concise and to the point.