How to Protect SSH with Fail2ban on Ubuntu 12.04


Fail2ban is an intrusion prevention framework that protects servers from single source brute force attacks. Fail2ban monitors the log files and is able to reduce the rate of invalid authentication attempts to the server. It is based on python programming language and has the ability to perform multiple actions whenever an alarming IP is detected.

In this tutorial, we will be showing you how to protect SSH with Fail2ban.


Install Fail2ban

To begin with, install fail2ban using the apt-get command.

sudo apt-get install fail2ban


Fail2ban Configuration Set Up

Fail2ban configuration set up will include two steps:

    1. Copying of the file
    2. The configuration file changes


By default, the fail2ban configuration file will be located at /etc/fail2ban/jail.conf. We will be making a local copy of this configuration file to incorporate necessary changes. This is the usual procedure followed.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Once the file is copied, you can start making the configuration changes to the jail.local file. Most of the services that require protection will already be there in the file. Each of them will be configured and turned off.


Configuration File Changes

To begin with the configuration changes, open up the newly created file jail.local:

sudo nano /etc/fail2ban/jail.local

For simplicity, we will be making the configuration file changes step by step:

  • Default section
  • Action section
  • SSH section

Let’s start with the Default section.

The beginning of the file will have the default rules for fail2ban. You are free to customize the details of each section in order to protect your virtual server.

Default section:

[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 600
maxretry = 3 
# "backend" specifies the backend used to get files modification. 
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for nowbackend = auto 
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = [email protected]

We will be discussing the necessary updates one by one. First of all, update the IP address to the ‘ignoreip’ field.  IgnoreIp is responsible for white listing the IP addresses and making sure that they are not locked out. You can give more IP addresses by providing a space between them.

Bantime is the number of seconds that a host will be blocked from VPS in case of any violation or fraudulence. You need to set it to a value of your choice. By default, it will be set for 10 minutes. You may wish to higher or lower according to your choice. Bantime is very helpful in redirecting the bots. Once banned, it will move on to its next target.

Next comes maxrety. It is the number of invalid login attempts of a host before they get banned for a bantime.

Destemail is the alert email that will be sent. In case if you have a mail server set up on your droplet, fail2ban will send you an email whenever it bans an IP address.

Once you are done with the default section, we can move on to the Actions section. It will be right below the defaults.


Actions section:

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport 
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail 

# Default protocol
protocol = tcp

Banaction refers to the actions taken by fail2ban to ban a matching IP address. It is actually a small version of the config file extension. Default banaction is iptables-multiport which is located at /etc/fail2ban/action.d/iptables-multiport.conf.

MTA is the email program that fail2ban uses to send emails to alert malicious IP.

Protocol can be TCP or UDP, according to your decision on which you would like fail2ban to monitor.


Configure the ssh-iptables Section in Jail.Local

This step is completely optional. You can find the SSH section a little down after the earlier discussed sections. It will be already set up and you need not make any changes to it.

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

The field enabled is set to true, which means that the SSH protection is on. If it is set to false, then it will be turned off.

The port describes the port number that fail2ban is monitoring. You can match the port number to any non-standard port where your virtual private server has been set up.

The filter field is by default set to ‘sshdd’. It describes the config file with the fail2ban rules in finding matches, /etc/fail2ban/filter.d/sshd.conf.

The log path is the location of the log which fail2ban tracks.

Maxretry in this section as well refers to the same one we found in default section. If you have multiple services and would like to have specific values for each one of them, you will be able to set the new maxretry values for SSH.

Now, you are done with the configuration changes.

Restart Fail2ban

You will now need to restart the fail2ban in order to bring in all your configuration changes.

sudo service fail2ban restart

Verify the fail2ban rules in effect from IP table.

sudo iptables -L

support2 has written 111 articles

Leave a Reply