With fail2ban, your Linux computer automatically blocks IP addresses that have too many connection failures. It's self-regulating security! We'll show you how to use it.
Security, Security, Security
To do this, you need to monitor connection requests that fail to authenticate. If the same source fails to authenticate repeatedly within a short period of time, it should be prohibited from making further attempts.
The only practical way to achieve this is to automate the whole process. With a little simple setup, fail2ban will handle the monitoring, the banning, and the lifting of bans for you.
fail2ban integrates with the Linux firewall, iptables. It enforces bans on suspicious IP addresses by adding rules to the firewall. To keep this explanation tidy, we are using iptables with an empty rule set.
Of course, if you are concerned about security, you probably already have a firewall configured with a well-populated set of rules. fail2ban only adds and removes its own rules, so your normal firewall rules remain intact. (The mechanism used to enforce bans is itself a setting, banaction; iptables is the one this article uses.)
We can see our empty rule set using this command:
sudo iptables -L
Installing fail2ban is simple on all the distributions we used to research this article. On Ubuntu 20.04, the command is as follows:
sudo apt-get install fail2ban
On Fedora 32, type:
sudo dnf install fail2ban
On Manjaro 20.0.1, we use:
sudo pacman -Sy fail2ban
The fail2ban installation includes a default configuration file called jail.conf. This file is overwritten when fail2ban is updated, so any customizations made in it would be lost.
Instead, we'll copy jail.conf to a file called jail.local. By putting our configuration changes in jail.local, they will persist through updates. Both files are read automatically by fail2ban, and any setting in jail.local overrides the same setting in jail.conf. Strictly speaking, jail.local only needs to contain the settings you change; copying the whole file just gives you the comments to read. Files under /etc/fail2ban/jail.d/ are read as well.
This is how the file is copied:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now open the file in your favorite editor. We will use gedit:
sudo gedit /etc/fail2ban/jail.local
We are looking for two sections in the file: [DEFAULT] and [sshd]. Be careful to find the actual sections, though. Those tags also appear near the top of the file, in a section that describes them, but that's not what we want.
You will find the [DEFAULT] section somewhere around line 40. It is a long section with lots of comments and explanations.
Scroll down to around line 90 and you will find the four settings you need to know about:
- ignoreip: A whitelist of IP addresses that will never be banned. They have a permanent get-out-of-jail-free card. The localhost address (127.0.0.1) is listed by default, along with its IPv6 equivalent (::1). If there are other addresses or networks that should never be banned, add them to this list, separated by spaces; the address you administer the machine from is a sensible addition.
- bantime: How long an IP address stays banned (the "m" stands for minutes). A value without an "m" or "h" (for hours) suffix is treated as seconds. A value of -1 bans an address permanently. Be very careful not to lock yourself out.
- findtime: The window of time within which too many failed connection attempts result in an IP address being banned.
- maxretry: The number that counts as "too many" failed attempts.
If maxretry failed connection attempts come from the same IP address within the findtime window, that address is banned for bantime. The only exceptions are the addresses in the ignoreip list.
fail2ban puts IP addresses in jail for a specified period of time. It supports many different jails, each one a set of settings that applies to a single type of connection (SSH, a web server, a mail server, and so on). This lets you use different settings for different kinds of connection, or have fail2ban monitor only the connection types you choose.
You may have guessed it from the [DEFAULT] section name, but the settings we have seen are the default ones. Now, let’s look at the SSH jail configuration.
Set up a jail
Jails let you bring connection types into, or take them out of, fail2ban's supervision. If the defaults are not what you want a particular jail to apply, you can set jail-specific values that override them.
Scroll down to around line 280 and you will see the [sshd] section.
This is where you set values for the SSH jail. To include this jail in the monitoring and banning, we add the following line:
enabled = true
We also add this line:
maxretry = 3
The default was five, but we want to be more cautious with SSH connections, so we lower it to three. Then we save and close the file.
We have added this jail to fail2ban's monitoring and overridden one of the default settings. A jail can use a combination of jail-specific and default settings: anything not set in its own section is taken from [DEFAULT].
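The ban rule (maxretry failures within findtime, banned for bantime, ignoreip exempt) and the way a jail's own section overrides [DEFAULT] can both be seen in a few dozen lines of Python. This is an added example written for this article, not fail2ban's own code: it reads a constructed jail.local, matches constructed sshd log lines with a deliberately simplified regex (fail2ban's real sshd filter matches many more message forms), treats timestamps as plain seconds, and applies the rule per source address. The address 192.168.4.10 in ignoreip is an assumed admin workstation.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from typing import NamedTuple, Optional

# Constructed jail.local laid out as the article describes: [DEFAULT] carries
# the global settings, [sshd] enables the jail and lowers maxretry from 5 to 3.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.4.10
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
enabled  = true
maxretry = 3
"""

# Simplified match for sshd's "Failed password ... from <HOST>" lines. The
# real filter in /etc/fail2ban/filter.d/sshd.conf covers many more forms.
FAILURE_RE = re.compile(r"Failed password for .* from (?P<host>\S+) port \d+")

# Constructed log events as (seconds, message). Real entries carry a syslog
# timestamp, which fail2ban parses; plain seconds keep the arithmetic visible.
SAMPLE_LOG = [
    (0, "Failed password for invalid user admin from 192.168.4.25 port 51532 ssh2"),
    (5, "Failed password for invalid user admin from 192.168.4.25 port 51532 ssh2"),
    (9, "Failed password for invalid user admin from 192.168.4.25 port 51532 ssh2"),
    (12, "Failed password for root from 192.168.4.10 port 40000 ssh2"),
    (100, "Failed password for root from 10.0.0.7 port 41000 ssh2"),
    (800, "Failed password for root from 10.0.0.7 port 41001 ssh2"),
    (805, "Failed password for root from 10.0.0.7 port 41002 ssh2"),
]

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value):
    """bantime/findtime -> seconds; bare numbers are seconds, -1 (permanent) -> None."""
    m = re.fullmatch(r"(-?\d+)\s*([smhd]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    amount, unit = int(m.group(1)), m.group(2)
    return None if amount < 0 else amount * _UNITS[unit]


def load_jail(config_text, jail):
    """Read one jail; keys missing from its section fall back to [DEFAULT]."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp[jail]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "ignoreip": sec.get("ignoreip", "").split(),  # space-separated list
        "bantime": parse_time(sec["bantime"]),
        "findtime": parse_time(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
    }


def is_ignored(ip, ignoreip):
    """True if ip matches any ignoreip entry (single address or CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip)


class Ban(NamedTuple):
    ip: str
    banned_at: int
    expires_at: Optional[int]  # None = permanent (bantime = -1)


def simulate_bans(jail, log):
    """maxretry failures from one address inside findtime -> ban for bantime."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
    banned_until = {}            # ip -> expiry timestamp (None = permanent)
    bans = []
    for ts, msg in log:
        m = FAILURE_RE.search(msg)
        if m is None:
            continue
        ip = m.group("host")
        if is_ignored(ip, jail["ignoreip"]):
            continue             # whitelisted: never counted, never banned
        if ip in banned_until:
            if banned_until[ip] is None or ts < banned_until[ip]:
                continue         # still banned; the firewall would drop this
            del banned_until[ip]  # ban expired, start counting afresh
        window = recent[ip]
        window.append(ts)
        while window[0] < ts - jail["findtime"]:
            window.popleft()     # slide the window: old failures no longer count
        if len(window) >= jail["maxretry"]:
            expires = None if jail["bantime"] is None else ts + jail["bantime"]
            banned_until[ip] = expires
            bans.append(Ban(ip, ts, expires))
            window.clear()
    return bans
```

Calling simulate_bans(load_jail(JAIL_LOCAL, "sshd"), SAMPLE_LOG) issues a single ban, for 192.168.4.25 at t=9s (three failures inside ten minutes), expiring at t=609s. The failure from the whitelisted 192.168.4.10 is never counted, and 10.0.0.7's failures at 100s, 800s and 805s never put three inside one findtime window. Put maxretry back to the default five and nothing is banned, which is exactly the difference the [sshd] override makes.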
So far we have installed fail2ban and configured it. Now we need to enable it as a service that starts automatically at boot. Then we need to test it to make sure it works as expected.
To enable fail2ban as a service, we use the systemctl command:
sudo systemctl enable fail2ban
We also use it to start the service:
sudo systemctl start fail2ban
We can check the status of the service with systemctl:
sudo systemctl status fail2ban.service
The status shows the service as active and running, so all is well.
Let's see if fail2ban agrees:
sudo fail2ban-client status
This reflects what we set up. We have enabled a single jail, called sshd. If we add the jail name to the command, we can take a closer look at it:
sudo fail2ban-client status sshd
This lists the number of failures and the banned IP addresses. All the statistics are zero at the moment, of course.
Testing our jail
From another computer, we make an SSH connection request to our test machine and deliberately mistype the password. The SSH client gives you three tries at the password on each connection attempt.
In our testing, maxretry was triggered by three failed login attempts rather than by three wrong passwords, so we had to enter the wrong password three times to fail one connection attempt. What fail2ban actually counts is log lines that match the jail's filter, so the exact number of wrong passwords before a ban depends on how sshd records the attempts in the log.
We then make another connection attempt and enter the password incorrectly three more times. The first wrong password of the third connection request should trigger the ban.
After the first wrong password on the third connection request, we get no response from the remote machine. There is no explanation; we just get the cold shoulder.
You must press Ctrl+C to return to the command prompt. If we try once more, we get a different response:
Previously the error message was "Permission denied". This time the connection is rejected outright. We are persona non grata; we have been banned.
Let’s see the details of the [sshd] jail again:
sudo fail2ban-client status sshd
There were three failures and one IP address (192.168.4.25) was banned.
As we mentioned earlier, fail2ban enforces bans by adding rules to the firewall rule set. Let's take another look at the rule set (it was empty before):
sudo iptables -L
A rule has been added to the INPUT chain that sends SSH traffic to the f2b-sshd chain. The rule in the f2b-sshd chain rejects connections from 192.168.4.25; traffic from any other address returns from f2b-sshd to INPUT and is handled by your normal rules. We did not change the default bantime, so in 10 minutes that address will be unbanned and will be able to make new connection requests.
If you have set a longer ban (several hours, say) but want to let an address try again sooner, you can lift the ban early.
We type the following to do this:
sudo fail2ban-client set sshd unbanip 192.168.4.25
On our remote computer, if we make another SSH connection request and enter the correct password, we are able to connect:
Simple and effective
Simplest is usually best, and fail2ban is an elegant solution to a complicated problem. It requires very little configuration and imposes almost no operational overhead, on you or on your computer. It does not replace the basics, though: on an SSH server, key-based authentication with password logins disabled stops guessing outright, and fail2ban then mostly keeps the log noise and the firewall busywork down.