Installing Fail2Ban

After going through a digital mountain of server logs on one of my servers, I’ve noticed that people are routinely trying to brute force their way in via SSH to log in as root. Even though root has been locked out, this is just noise in my logs that I’d rather not have to sift through. Fail2ban will automatically block access from an IP after a set number of failed attempts, for a set period of time (by default 10 minutes, i.e. 600 seconds).

To install it on a Debian/Ubuntu box run

apt-get install fail2ban

Instead of editing the config file that comes with the package, we’ll use a local copy of it: fail2ban reads jail.local on top of jail.conf, so your settings override the defaults and don’t get overwritten when the package is upgraded. You can create the copy by running

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

To prevent locking yourself out, add your own IP address to the ignoreip line. It should look something like this

ignoreip = 127.0.0.1/8 1.2.3.4

Where 1.2.3.4 is your IP address. If you have a dynamic IP, you can use a CIDR mask instead; keep it as narrow as you can, because every address in that range is exempt from banning, not just yours.

Save and exit.

By default, it already ships with jails that look at SSH and HTTP, amongst other things. As long as it covers SSH, that’s fine with me; the fact that it’ll look at HTTP and other services is a bonus. Check the enabled line of each jail, though: only the jails marked enabled = true are actually active.

Restart the service by running

/etc/init.d/fail2ban restart

or

service fail2ban restart
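The steps above in miniature, as an added example that is not from the original post: a small Python check (fail2ban is itself written in Python) that reads a constructed jail.conf and jail.local in the same order fail2ban does, reports which jails are actually enabled and what the sshd jail ends up with, and flags ignoreip ranges wide enough to exempt strangers. The file contents, the 1.2.3.4 address and the 256-host threshold are assumptions.

```python
import configparser
import ipaddress
# Constructed, simplified stand-ins for jail.conf and jail.local (not the real files).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3

[sshd]
enabled = true
logpath = /var/log/auth.log

[apache-auth]
enabled = false
"""

JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 1.2.3.4 203.0.113.0/24 10.0.0.0/8
"""

def load_jails(conf_text, local_text):
    """Read jail.conf, then jail.local on top, so .local values win (fail2ban's order)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp

def enabled_jails(cp):
    """Only jails with enabled = true are actually active."""
    return sorted(s for s in cp.sections()
                  if cp.getboolean(s, "enabled", fallback=False))

def effective_settings(cp, jail):
    """What a jail ends up with after [DEFAULT] and the .local overrides."""
    return {k: cp.get(jail, k) for k in ("ignoreip", "bantime", "maxretry")}

def broad_ignore_entries(cp, jail="sshd", max_hosts=256):
    """ignoreip entries wider than max_hosts: every host in the range is exempt, not just you."""
    broad = []
    for entry in cp.get(jail, "ignoreip", fallback="").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # newer fail2ban also accepts hostnames; not checked here
        if net.num_addresses > max_hosts and not net.is_loopback:
            broad.append(entry)
    return broad
```

Run it against your own files by passing their contents to load_jails; an empty result from broad_ignore_entries means the whitelist is as tight as the threshold asks for.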
