If you manage an Ubuntu web server or a server with ports open to the internet, in addition to the default firewall, you should also install and configure Fail2ban as another layer of security to prevent brute-force attacks.
Fail2ban has been around for a long time, and it’s an open-source intrusion prevention application that anyone can use on Linux and BSD systems against brute-force attacks. When you install, configure, and enable the application, it monitors the failed login attempts in a given time and automatically bans the IP address to protect the server.
The application is easy to set up, and you can use this solution to protect various services, including SSH, HTTP, MySQL, and applications, such as WordPress (using the WP-Fail2ban extension).
Although you can use it on virtually any Linux-based system, you should only use it on a server with a basic firewall. If you already have another solution for firewall and brute-force protection, it wouldn’t be recommended to use Fail2ban since it may cause conflicts. If you use UFW, you should consider adding Fail2ban to the server.
This guide will teach you the basic steps to install and get started with the intrusion prevention application on your Ubuntu server.
Install Fail2ban on Ubuntu
To install Fail2ban on an Ubuntu server, use these steps:
-
Open Terminal on Ubuntu.
-
Type the following command to confirm whether fail2ban is already installed and press Enter:
fail2ban-regex -V
Quick note: If the command outputs a version number, the app is already installed. You can also check if the “fail2ban” directory exists in the “etc” directory. -
Type the following command to check that the local package index is up to date and press Enter:
sudo apt update
-
Type the following command to install Fail2ban on the Ubuntu server and press Enter:
sudo apt install fail2ban
-
Type “Y” and press Enter to continue.
-
Type the following command to check the app status and press Enter:
sudo systemctl status fail2ban
-
Type the following command to allow Fail2ban to start automatically on the startup of the server and press Enter:
sudo systemctl enable fail2ban
-
Type the following command to start the Fail2ban services and press Enter:
sudo systemctl start fail2ban
-
Type the following command to confirm the security app is running and press Enter:
sudo systemctl status fail2ban
-
Type the following command to check the jails that are currently running on the server and press Enter:
sudo fail2ban-client status
Once you complete the steps, the Fail2ban security app should be up and running on your Ubuntu server with the default configurations, which includes the “sshd” jail that protects the SSH connections to the server.
FAQ
Does Fail2ban use a configuration, and where is it located?
The intrusion prevention app works with the “jail.conf” configuration file in the /etc/fail2ban directory. If you plan to modify the default configuration, it’s recommended to make a copy of the “jail.conf” file using the sudo cp jail.conf jail.local command since modifying the “.conf” file can eventually be overwritten when the app receives an update.
Where are the Fail2ban jails located?
The working jails are available in the /etc/fail2ban/jail.d directory. Inside the folder, you’re likely to find the “default-debian.conf” file that enables the “sshd” jail by default.
How to reload the jails after making configuration changes?
If you make changes to the jail configuration, you can use the sudo fail2ban-client reload command to reload and activate the jails.
How to restart Fail2ban on Ubuntu?
To restart the Fail2ban services, use the sudo systemctl restart fail2ban command.
How to stop Fail2ban on Ubuntu?
To stop Fail2ban on the server, use the sudo systemctl stop fail2ban command.
How to view the jails running on Fail2ban?
To see the jails running on the server, use the sudo fail2ban-client status command. On the other hand, you can also use the fail2ban-client status sshd command to view the status of a specific jail (in this case, the “sshd” jail.)
How to unban an IP address blocked by Fail2ban?
To unban an IP address, use the fail2ban-client set wordpress-soft unbanip 10.1.4.159 command. In the command, change “wordpress-soft” to the name of the jail that banned the IP address and the “10.1.4.159” address for the IP you want to unban.
How to manually ban an IP address on Fai2ban?
If you have to ban an IP address manually, you can use the fail2ban-client set "wordpress-soft" banip 10.1.4.159 command. In the command, change “wordpress-soft” to the name of the jail to ban the IP address and the “10.1.4.159” address for the IP you want to ban.