Install Fail2Ban On Ubuntu Server 13.04/13.10

Introduction

Fail2Ban is an intrusion prevention framework written in the Python programming language. Fail2Ban reduces the chance of a successful dictionary attack because it limits the number of failed login attempts allowed against a service we choose to protect. In this example we protect the sshd service only. The standard configuration ships with filters for sshd, Apache, Lighttpd, vsftpd, qmail, Postfix and Courier Mail Server.

Installation On Ubuntu and derivatives

Log in as the root user and run the following command to install Fail2ban.

apt-get install fail2ban

Configurations

Copy the config file “jail.conf” in /etc/fail2ban/ to “jail.local” (fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades):

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file:

vi /etc/fail2ban/jail.local

and set the following values:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 3600
maxretry = 3

Email Notifications

Find the line that says destemail and set it to your email address.

destemail = ken.vannakk@gmail.com

Choose default actions

Find the line:

action = %(action_)s

And change it to:

action = %(action_mw)s

Email actions. In this case we use sendmail.

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

Enable SSH with fail2ban

Find the ssh section in the same file, and adjust to your need:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Once done, restart fail2ban to apply these settings.

service fail2ban restart

Let’s try to access this server via SSH with incorrect credentials 3 times. We will receive one email, and we will not be able to ssh to that server for 1 hour from the address we tried from (the bantime set above).