Fail2Ban’s primary function is to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It determines the hosts to be blocked by monitoring log files (usually /var/log/auth.log) and bans any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. In most cases people use it to limit the number of login attempts that are allowed against SSH within a period of time, this can make it very difficult for an attacker to brute for a login.

The process for installing fail2ban under Ubuntu is to

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/fail.local
sudo /etc/init.d/fail2ban restart

after these initial steps have been completed if your running not running Ubuntu 9.04 you can skip the next section, unless your seeing Unexpected communication errors in the /var/log/fail2ban.log file.

These errors occur due to Ubuntu 9.04 running  Python 2.6 by default so some modifications are neeed

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5
sudo vim /usr/bin/fail2ban-server

Change the first line from

#!/usr/bin/python

to

#!/usr/bin/python2.5

Once completed restart fail2ban and the communication errors should no longer occur

sudo /etc/init.d/fail2ban restart

Now that fail2ban is installed and working the next step is to configure it for your needs the following is an example /etc/fail2ban/jail.local file which has been configured for protecting SSH. Settings in jail.local will override the ones in jail.conf this is an example where all of the jails have been removed except the one for SSH.

# Fail2Ban local configuration file.

[DEFAULT]

ignoreip = 127.0.0.1 111.111.111.111 # Here you want to ignore IP's such as the IP of the Server its self, your IP and any other IPs that its important are not locked out.
bantime  = 600 # Default ban time for all jails of 10 minutes
maxretry = 3 

destemail = [email protected] # Email of where alerts should be sent to

banaction = iptables-multiport # Ban action

mta = ssmtp # MTA to be used im using ssmtp in the case but you could be using sendmail

[ssh] # This rule monitors ssh login attempts recorded in the /var/log/auth.log file and blocks the user after 3 attempts with the default bantime of 10 minutes

enabled = true
port    = ssh
filter  = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
 sendmail-whois[name=SSH, [email protected], [email protected]]
logpath  = /var/log/auth.log
maxretry = 3
Share this post

One Comment

  1. Ulf

    Thanks a bunch! Helped me to finally figure out how to use ssmtp as MTA fpr fail2ban.

Leave a Reply

CAPTCHA (required) Time limit is exhausted. Please reload CAPTCHA.