
How To Install Fail2Ban To Protect Server From Brute Force SSH Login Attempts (Ubuntu) | ServerMom

4/12/14 1:56 PM

How To Install Fail2Ban To Protect Server From Brute Force SSH Login Attempts (Ubuntu)
Fail2Ban is a simple script designed to scan log files for repeated failed login attempts and to ban IP addresses that make too many failures. Commonly that's a brute-force attempt to find the correct password combination to log in to a server via SSH. While I've posted how to set a maximum connection limit from an IP address to your server by updating iptables rules, Fail2ban will simply update firewall rules to reject the IP address automatically (once it is detected attempting a brute force). I also posted some basic and common practices for initial Ubuntu server setup, including how to disable root login and change the default SSH port. But in many cases that shouldn't be enough. So if you've just finished all the steps to build your own production server on Ubuntu, you may also need to install Fail2ban on it. On this page I'll try to explain the necessary steps to install Fail2ban and some basic configuration.

How to Install and Setup Fail2ban


Step 1 Log in to your server via your favorite SSH client. Windows users can simply use PuTTY; it is free, small, portable and awesome. If you've disabled root login, then simply log in with the username you set up, then type su followed by entering your root password.

Step 2 Now issue this command to install fail2ban on your server. You may first need to update your apt (not necessary, but you may): then this command is the one to install fail2ban:

http://www.servermom.org/how-to-install-fail2ban-to-protect-server-from-brute-force-ssh-login-attempts-ubuntu/370/


Step 3 Now you have to set up Fail2ban's configuration. By default, the Fail2ban configuration includes many of the possible services that may need protection. Before you make changes to the default config file, you have to make a copy first. Issue the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


Step 4 The command above copies the jail.conf file to jail.local, where you can make your changes to the config. Now edit that file using our favorite text editor, Nano:
nano /etc/fail2ban/jail.local


Step 5 Now make some changes (if you wish and if you need to) in the first section of the config. The first section is called DEFAULT and covers all the basic rules that fail2ban will follow. The most important part is ignoreip. You can add your own IP address there so that, in case you forget the password, you won't be banned for trying some combinations no matter how many times you try. By adding your IP to the white list, you avoid accidentally banning yourself.


Also do not forget to set bantime, which rules how many seconds a banned user will stay locked out. The default value is 600 seconds, or 10 minutes. You can adjust that value as you wish, but you had better raise it because most brute-force bots will simply move on to the next target once banned by the server.

Below the bantime line is maxretry. This line defines the number of incorrect login attempts that a single IP may make before it gets banned for the length of the ban time you've defined. The default value is 3, but you can lower that value to 2 or 1. The lower the better, but make sure you have white-listed your IP already in the ignoreip line above.

The next line is backend, which you can simply leave as auto. Now move to another line, destemail. In this line you can define the email address to which all alerts will be sent. Simply change root@localhost to your own personal email address. But you have to make sure that your server already has a working mail server to be able to send outgoing email. Read my previous tutorial about how to install Postfix on Ubuntu server.

Step 6 Now move to the next section, which is Action. You can simply leave those lines as they are if you aren't really sure. All the default values should be adequate for fail2ban to work correctly. Now move a little further down and find the [ssh] section.

You also don't have to change that section. Its default values indicate that SSH protection is currently enabled / ON. You can change enabled = true to false if you want to turn OFF the protection.


You can change the port = ssh line to the custom port number your SSH connection uses. For instance, if you've changed the default SSH port from 22 to 2200, then change it to port = 2200. Once done editing, hit Control+O to save, then Control+X to exit the Nano editor screen.

Step 7 That's it. Now, to make sure Fail2ban loads your newly defined config, simply do a restart. Issue this command:

Q: I rebooted the server; does it start automatically? Yes, the Fail2ban service will automatically start each time your server reboots. That's it. Enjoy!!
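The DEFAULT settings from Step 5, replayed against sample log lines to show which addresses end up banned and for how long. This is an added example, not code from the original tutorial or from Fail2ban itself: it is a simplified model of how ignoreip, maxretry and bantime interact, and the function name simulate, the addresses and the log lines are constructed. findtime, the window in which failures are counted, is a real Fail2ban option that the tutorial does not cover.

```python
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed inputs (documentation-range IPs). ignoreip, bantime and maxretry are
# the options the tutorial edits; findtime is a real option it does not mention.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.7
bantime = 600
findtime = 600
maxretry = 3
"""
AUTH_LOG = """\
Apr 12 13:50:01 web sshd[811]: Failed password for root from 203.0.113.9 port 4001 ssh2
Apr 12 13:50:03 web sshd[812]: Failed password for root from 203.0.113.9 port 4002 ssh2
Apr 12 13:50:04 web sshd[813]: Failed password for admin from 198.51.100.7 port 5001 ssh2
Apr 12 13:50:05 web sshd[814]: Failed password for invalid user test from 203.0.113.9 port 4003 ssh2
Apr 12 13:50:06 web sshd[815]: Failed password for admin from 198.51.100.7 port 5002 ssh2
Apr 12 13:50:07 web sshd[816]: Failed password for admin from 198.51.100.7 port 5003 ssh2
Apr 12 13:51:00 web sshd[817]: Failed password for bob from 192.0.2.44 port 6001 ssh2
Apr 12 13:51:10 web sshd[818]: Failed password for bob from 192.0.2.44 port 6002 ssh2
Apr 12 14:10:00 web sshd[819]: Failed password for bob from 192.0.2.44 port 6003 ssh2
"""
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (\S+) port", re.M)

def simulate(log, conf, year=2014):
    """Return (ip, banned_at, banned_until) for each ban these settings produce."""
    cp = configparser.ConfigParser()
    cp.read_string(conf)
    d = cp["DEFAULT"]
    ignore = [ipaddress.ip_network(n, strict=False) for n in d["ignoreip"].split()]
    window = timedelta(seconds=d.getint("findtime"))
    fails, until, bans = {}, {}, []
    for m in FAILED.finditer(log):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in ignore) or until.get(ip, ts) > ts:
            continue  # whitelisted, or still banned so the firewall drops it
        recent = [t for t in fails.get(ip, []) if ts - t <= window] + [ts]
        if len(recent) >= d.getint("maxretry"):
            until[ip], recent = ts + timedelta(seconds=d.getint("bantime")), []
            bans.append((str(ip), f"{ts:%H:%M:%S}", f"{until[ip]:%H:%M:%S}"))
        fails[ip] = recent
    return bans

if __name__ == "__main__":
    print(simulate(AUTH_LOG, JAIL_LOCAL))
```

Removing 198.51.100.7 from ignoreip gets that host banned at 13:50:07, which is the self-lockout the white list in Step 5 is there to prevent.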
