Enhancing Ubuntu 22.04 Security with Fail2ban: Automated Protection Against Cyber Threats
Fail2ban is an essential open-source security tool designed to enhance the protection of Ubuntu systems by actively monitoring log files for suspicious activities and taking automated actions to thwart potential threats. It operates through customizable filters, which allow administrators to define patterns indicative of malicious behavior, such as repeated failed login attempts or unusual access patterns. Upon detection, Fail2ban can dynamically update firewall rules to block the offending IP address, send notifications to system administrators, or execute other predefined actions. With its ability to adapt to evolving threats and its seamless integration with Ubuntu environments, Fail2ban serves as a vital component in maintaining the integrity and security of Ubuntu systems against various cyber threats.
Steps to Install Fail2Ban on Ubuntu 22.04
To secure your server, take these steps to set up and configure Fail2Ban:
- Using SSH, connect to your Ubuntu 22.04 server.
- Update your system:
sudo apt-get update -y
Fail2Ban is included by default in the official Ubuntu package repository. The command to install Fail2Ban is:
sudo apt-get install fail2ban -y
Run the following command to clear your repository cache:
sudo apt-get clean
Run the following command to enable the Fail2Ban protection service at startup time, using the systemctl command:
sudo systemctl enable fail2ban
Fail2Ban should now be installed.
Configure Fail2Ban settings!
Open the Fail2Ban configuration file, with your favorite text editor.
sudo nano /etc/fail2ban/jail.local
Update/append as follows:
[DEFAULT]
# Ban IP addresses/hosts for 24 hours (24 h * 3600 s = 86400 s):
bantime = 86400
# An IP address/host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 600
maxretry = 3
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
# Call iptables to ban IP address
banaction = iptables-multiport
# Enable sshd protection
[sshd]
enabled = true
Save and close the file. After that, start or restart the service.
sudo systemctl restart fail2ban
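To make the findtime/maxretry rule above concrete, here is an added example (not part of the original tutorial and not Fail2ban's own code) that replays constructed sshd log lines through the same sliding-window rule: a host is banned once it has produced maxretry failures within findtime seconds, unless it matches an ignoreip entry. The regular expression is a simplified stand-in for the failregex in filter.d/sshd.conf, and the sample addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sshd lines in the syslog format of /var/log/auth.log.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 5000 ssh2
Mar 10 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.9 port 6000 ssh2
Mar 10 10:01:00 host sshd[1003]: Failed password for root from 127.0.0.1 port 7000 ssh2
Mar 10 10:01:10 host sshd[1004]: Failed password for root from 127.0.0.1 port 7001 ssh2
Mar 10 10:01:20 host sshd[1005]: Failed password for root from 127.0.0.1 port 7002 ssh2
Mar 10 10:03:15 host sshd[1006]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
Mar 10 10:05:40 host sshd[1007]: Failed password for root from 198.51.100.7 port 5002 ssh2
Mar 10 10:20:00 host sshd[1008]: Failed password for root from 203.0.113.9 port 6001 ssh2
Mar 10 10:40:00 host sshd[1009]: Failed password for root from 203.0.113.9 port 6002 ssh2
"""

# Simplified form of the "Failed password" failregex in filter.d/sshd.conf.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def _ignored(host, ignoreip):
    try:  # True when host lies inside one of the ignoreip addresses or CIDR masks
        return any(ip_address(host) in ip_network(n, strict=False) for n in ignoreip)
    except ValueError:  # not a literal IP address, so no mask can match it
        return False

def would_ban(log_text, findtime=600, maxretry=3, ignoreip=("127.0.0.1/8", "::1")):
    """Return {ip: time of ban} for hosts with maxretry failures inside findtime seconds."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m and not _ignored(m["host"], ignoreip):
            # syslog timestamps carry no year; only the relative spacing matters here
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"]))
    events.sort(key=lambda e: e[0])   # process failures in time order
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)       # ip -> failure times still inside the window
    banned = {}
    for ts, host in events:
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:     # discard failures that fell outside findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.setdefault(host, ts)  # keep the time of the first ban
    return banned
```

With the defaults from the jail.local above, only 198.51.100.7 is banned: 203.0.113.9 spreads its three failures over 40 minutes and so never reaches maxretry inside one 600-second window, and 127.0.0.1 is exempt through ignoreip.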
Fail2Ban filters
In /etc/fail2ban/filter.d/ you will find the filters that ship with Fail2ban; each filter holds the regular expressions that match attack patterns in a particular log file. Listing that directory gives you an overview. Choose the filter for the service you want to protect, such as sshd.conf.
Open the filter file with your favorite text editor to inspect the patterns it matches:
sudo nano /etc/fail2ban/filter.d/sshd.conf
The jail that uses this filter belongs in /etc/fail2ban/jail.local, not in the filter file. Add it there with the following syntax:
[jailname]
enabled = true
filter = jailname
logpath = /var/log/yourlogfile
jailname: Replace this with a name of your choosing so that you can readily recognize the jail when checking Fail2ban's status.
enabled: This value must be true, otherwise the jail is deactivated.
filter: The name of the filter file in /etc/fail2ban/filter.d/ without its .conf extension. If you chose sshd.conf above, for example, type sshd here.
logpath: The log file that Fail2ban should scan for attacks on your server.
What are the steps to start, stop, and restart the Fail2Ban service?
You can use the following systemctl commands to interact with the Fail2Ban service:
sudo systemctl start fail2ban
sudo systemctl stop fail2ban
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
Checking the status of failed and banned IP addresses
The following commands show the current state of the jails, including the failures Fail2ban has counted and the IP addresses it has banned; the second form shows the sshd jail only.
sudo fail2ban-client status
sudo fail2ban-client status sshd