fail2ban on Ubuntu 14.04 64-bit

Fail2ban is a popular intrusion prevention software package for servers. It works by reading service log files (for example the SSH authentication log) and spotting brute-force attacks through repeated failed authentications. When enough failed logins are detected from one address, the software reacts by banning that address with a firewall rule. The software is configurable, so if you accidentally mistype your password, you are only banned for a short period of time.


fail2ban can scale from simple to complex configurations. Our configuration will just cover an SSH jail.

Our instructions were tested on InterServer's OpenVZ VPS Hosting with Ubuntu 14.04 64-bit Minimal version.

The instructions cover:

  • Installing fail2ban.
  • Looking at the configuration file (jail).
  • Installing sendmail for notifications.
  • Installing iptables to reduce additional threats.

Requirements:

  • InterServer's OpenVZ VPS Hosting with Ubuntu 14.04 64-bit (instructions are for the minimal distribution, but should work for the regular distribution as well).
  • PuTTY or a similar SSH client.
  • root login and password (or a sudo user).
  • nano installed (or another text editor).

Before we start

We will be making changes to restrict unauthorized access to your server. This means you could accidentally lose partial or full access to the server. This should not be attempted on a live production server, without first trying it on a test server to make sure it works. We cannot help you if something goes wrong. Please be careful.

Let's secure our new server

Install fail2ban

  • sudo apt-get update
  • sudo apt-get install fail2ban

Copy the fail2ban jail.

  • cd /etc/fail2ban will get you to the directory for the jails
  • sudo cp jail.conf jail.local will copy the default jail to local. If you make a mistake, you can always overwrite the settings with the default configuration.

Configure the fail2ban jails (optional)

  • Open jail.local by typing sudo nano jail.local
  • Some important items you can change, if necessary:
  • ignoreip = 127.0.0.1/8 - addresses fail2ban will never ban. The default covers the loopback range (localhost); add your own management address here so you cannot lock yourself out.
  • bantime = 600 - how long a ban will last, in seconds (10 minutes).
  • findtime = 600 - the time window, in seconds, within which failed attempts are counted.
  • maxretry = 3 - maximum number of failed attempts within findtime before a ban is issued.
  • destemail = root@localhost - you can change this to your email address. Watch your spam folder if nothing arrives.
  • mta = sendmail - mailing interface used for notifications. We will install sendmail later.
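To see how findtime, maxretry, bantime and ignoreip work together, here is an added example (not fail2ban's own code) that applies the same counting logic to a few constructed auth.log lines. The log lines, host name, PIDs and addresses are made up; the year is assumed to be 2015 because syslog timestamps omit it.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from a real server).
AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 vps sshd[1204]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:40 vps sshd[1209]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar  3 10:03:05 vps sshd[1211]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar  3 10:03:06 vps sshd[1212]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar  3 10:03:07 vps sshd[1213]: Failed password for root from 127.0.0.1 port 40003 ssh2
Mar  3 10:30:00 vps sshd[1300]: Failed password for root from 198.51.100.7 port 60000 ssh2
Mar  3 10:50:00 vps sshd[1301]: Failed password for root from 198.51.100.7 port 60001 ssh2
Mar  3 11:10:00 vps sshd[1302]: Failed password for root from 198.51.100.7 port 60002 ssh2
"""

# Simplified version of the sshd "Failed password" pattern: timestamp and source address.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def parse_failures(text, year=2015):
    """Return a list of (timestamp, source_ip) for every failed SSH login in the log text."""
    out = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def bans(failures, findtime=600, maxretry=3, bantime=600, ignoreip=("127.0.0.1/8",)):
    """Replay failures with the jail.local values from above; return [(ip, time_banned)]."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = {}        # ip -> timestamps of failures still inside findtime
    banned_until = {}  # ip -> time the ban expires
    result = []
    for ts, ip in failures:
        if any(ipaddress.ip_address(ip) in n for n in ignored):
            continue  # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned; the firewall would drop this traffic anyway
        # Keep only failures within findtime seconds of this one, then add this one.
        hits = [t for t in window.get(ip, []) if (ts - t).total_seconds() <= findtime] + [ts]
        window[ip] = hits
        if len(hits) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            result.append((ip, ts))
            window[ip] = []  # counter resets once the ban is issued
    return result
```

With the defaults, 203.0.113.5 is banned on its third failure inside ten minutes, 127.0.0.1 is skipped because of ignoreip, and 198.51.100.7 is never banned because its attempts are twenty minutes apart; raising findtime to 3600 would catch that slower pattern too.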

Enable the fail2ban jails (optional)

There are several jails available for popular services. It is up to you to enable them. Scroll down and find the services you want fail2ban to monitor, and set enabled = true in that jail's section. By default, only the SSH jail is enabled.

fail2ban is now minimally configured. Since we are using sendmail, let's install it. We will also install iptables, so we can block other undesirable traffic.

Let's install sendmail and iptables:

  • sudo apt-get install sendmail iptables-persistent
  • Let's issue some rules to iptables so that it lets traffic into ports 22 and 80. Everything else will be ignored (dropped). You can copy and paste these into PuTTY (copy here, then right click at the console prompt):

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP

Notice sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT; this is the command that accepts traffic into port 80. Port 80 is used for web traffic. If you have a web server, failing to issue this command would prevent your web pages from being served. Please be careful when changing these rules, and keep the DROP rule last: rules are evaluated in order, and anything appended after it will never be reached.
If you have additional services running, like FTP on port 21, you would need to issue a firewall command to open that port before the DROP rule.
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT would do the trick.

Check your iptables configuration

  • sudo iptables -S - lists the current rules; the -S flag is case sensitive. Notice the fail2ban-ssh chain and the rules fail2ban added for it.

Stop and Start fail2ban

  • sudo service fail2ban stop
  • sudo service fail2ban start
  • You can check fail2ban log files at /var/log/fail2ban.log

You are finished installing fail2ban. This was a very basic installation. You may, for instance, need to enable additional jails, especially if you are using software like a CMS, WordPress, or anything else where logging in is required. For additional fail2ban documentation, visit http://www.fail2ban.org/

This website is supported by our affiliation with web hosting companies. We encourage you to visit our friends at InterServer. They really do offer $6 per month VPS Hosting. Linux, Windows and cPanel are available, they have super fast service, and they care about their customers!
