If you have ever looked at your log files, you know the attempts to break into your server never seem to stop. To drastically reduce the number of brute-force attacks and other malicious login activity, install Fail2Ban on your Debian / Ubuntu server.
Fail2Ban scans the configured log files and bans the IPs that show any malicious signs you specify with a filter. The ban is placed in your iptables firewall rule-set (or elsewhere) for a specified length of time, and then removed.
Installing Fail2Ban
apt-get update && apt-get upgrade
apt-get install fail2ban
Configuring Fail2Ban
Some configuration is required to set up fail2ban. By default, the only enabled jail is for port 22 (SSH) in the /etc/fail2ban/jail.conf file. Create a jail.local file in the same directory.
vi /etc/fail2ban/jail.local
All configuration settings should be added to this file, and will override the default settings in the jail.conf file. Add the following to enable some of the preconfigured jails from fail2ban.
# Set the non-default options from /etc/fail2ban/jail.conf
# here for your fail2ban configuration.
[DEFAULT]
bantime = 600
findtime = 600
destemail = youremail@example.com

# Set enabled = false to stop filtering failed ssh login attempts.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

# Set enabled = true to filter smtp failed login attempts.
[sasl]
enabled = false
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

# Set enabled = true if apache is installed.
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3

# Set enabled = true if apache is installed.
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 2

# Set enabled = true if apache is installed.
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
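To see how findtime, maxretry and bantime from the [DEFAULT] and [ssh] sections interact, the following added example (not fail2ban's own code) replays the counting logic over constructed auth.log lines. The regular expression is a simplified stand-in for the sshd filter, and find_bans, the sample hosts and the year are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the [DEFAULT] and [ssh] sections of jail.local above.
FINDTIME = timedelta(seconds=600)  # window in which failures are counted
MAXRETRY = 3                       # failures inside FINDTIME that trigger a ban
BANTIME = timedelta(seconds=600)   # how long the ban lasts

# Simplified stand-in for the sshd filter (assumption, not fail2ban's real failregex).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

# Constructed sample lines in auth.log format (documentation address ranges).
SAMPLE_LOG = """\
Mar 10 10:00:00 srv sshd[101]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar 10 10:00:05 srv sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Mar 10 10:00:09 srv sshd[103]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Mar 10 10:00:12 srv sshd[104]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar 10 10:01:00 srv sshd[105]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Mar 10 10:08:00 srv sshd[106]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Mar 10 10:12:00 srv sshd[107]: Failed password for bob from 198.51.100.9 port 6002 ssh2
"""

def find_bans(log_text, year=2024):
    """Return [(host, ban_start, ban_end)] for hosts reaching MAXRETRY within FINDTIME."""
    failures = defaultdict(deque)  # host -> timestamps of failures still in the window
    banned_until = {}              # host -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue               # line does not match the filter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if host in banned_until and ts < banned_until[host]:
            continue               # host is already banned at this time
        window = failures[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()       # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[host] = ts + BANTIME
            bans.append((host, ts, ts + BANTIME))
            window.clear()
    return bans
```

With these settings only 203.0.113.5 is banned: the three failures from 198.51.100.9 are spread over 11 minutes, so they never fall inside one 600-second findtime window.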
Starting Fail2Ban
To start the fail2ban service, use the start command.
service fail2ban start
Restarting Fail2Ban
To restart the fail2ban service, use the restart command.
service fail2ban restart
Stopping Fail2Ban
To stop the fail2ban service, use the stop command.
service fail2ban stop
Checking Fail2Ban Status
To check the status of the fail2ban service, use the status command.
service fail2ban status
Notable Resources
Fail2Ban Website – http://www.fail2ban.org/wiki/index.php/Main_Page
How to use fail2ban with other programs and set up some filters – http://www.fail2ban.org/wiki/index.php/HOWTOs