Ban Malicious IP Addresses (Fail2ban)

There is a fantastic tool that ships with most distros today called Fail2ban that basically scans your system logs (access logs, app logs, etc.) and looks for malicious behavior and temporarily or permanently bans the IP address/addresses/range attempting the nasty behavior.

A very common use of Fail2ban is looking for failed login attempts against your SSH server and banning IP addresses once the attempts have passed a threshold.

I found an excellent tutorial that walks through the process in detail, but for the purposes of this guide we are staying focused on securing SSH – good news, the default settings for Fail2ban ship out of the box doing just that!

Installing Fail2ban

This is the easy part; first let’s ask Apt to install it:

sudo apt install fail2ban

Now we need to make sure the service is configured to run on boot and started… wait, the Apt package did all that for us!

We can even confirm it with a simple command:

$ sudo systemctl status fail2ban

fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-02-23 03:02:31 UTC; 46s ago
       Docs: man:fail2ban(1)
   Main PID: 1335 (f2b/server)
      Tasks: 5 (limit: 76967)
     Memory: 15.1M
     CGroup: /system.slice/fail2ban.service
             └─1335 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Feb 23 03:02:31 e3-2276 systemd[1]: Starting Fail2Ban Service...
Feb 23 03:02:31 e3-2276 systemd[1]: Started Fail2Ban Service.
Feb 23 03:02:31 e3-2276 fail2ban-server[1335]: Server ready

Well hell, that was easy!

Configuring Fail2ban

The good news is: the default settings for Fail2ban are pretty good and do just what we need.

If you’d like to dig into them a bit, head on over to the following directory:

/etc/fail2ban/

You can dig through the .conf files to get an idea how of Fail2ban is configured – the meat and potatoes are in the jail.conf file.

The top half of the file are general directives and then each section encapsulated in brackets ([foo]) represent the application-specific configuration.

Tip: If you want to change any of the settings, copy the jail.conf file to jail.local, removing all the lines of config you DON’T want to change and just leave in the ones you have modified settings for.

Fail2ban on load will load everything in .conf first then override it with the settings in .local

As mentioned, we are pretty happy with the default settings for the purposes of hardening a stock server so we don’t need to do anything except breath a little bit easier at night.

On to the next tip!