How to protect ubuntu server from brute force attack using “fail2ban”


Fail2ban is an open-source tool that protects servers from brute-force attacks. It scans the server's log files and, when it finds repeated suspicious login attempts, blocks the offending IP address for a configurable period of time.

Fail2ban also helps against DoS/DDoS attempts and other malicious traffic aimed at websites. Depending on how its jails are configured, it blocks the offending IP addresses through the firewall (iptables). You can also configure mail notifications so that fail2ban alerts you whenever it blocks an IP, and you can whitelist specific IP(s) with ignoreip or ban IP(s) manually.

Let’s see how to configure fail2ban on Ubuntu.

Step 1: Log in to your server and install fail2ban using apt.

# apt update
# apt install fail2ban

Step 2: Start and enable the service.

# systemctl start fail2ban
# systemctl enable fail2ban

Step 3: Copy the default configuration file to create a new jail local config file.

# cd /etc/fail2ban/
# cp jail.conf jail.local
# nano jail.local

Step 4: Configure the jail file to prevent brute force attacks.

# nano jail.local

[SSH]
enabled = true
filter = sshd
port = ssh
logpath = %(sshd_log)s
banaction = iptables-multiport
maxretry = 3
findtime = 300
bantime = 600

Save the file and restart the service.

# systemctl restart fail2ban

With the above jail.local configuration, any source IP that fails remote SSH login 3 times within 300 seconds (findtime) is blocked for the next 600 seconds (bantime). Fail2ban implements the block by adding a rule for that source IP to the server's iptables, so a fourth attempt over SSH from the same IP is rejected before it reaches sshd.

You can also add an “ignoreip” line to whitelist specific IP(s) so that they are never banned.
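The maxretry/findtime/bantime/ignoreip logic described above, modelled in Python as an added example (this is not fail2ban's own code). It reads a jail.local fragment with the tutorial's settings, applies the rules to constructed auth.log lines, and reports which source gets banned. The ignoreip value, the log lines and the hypothetical 2024 timestamp year are assumptions; the [SSH] section name matches the jail name the status commands on this page use.

```python
"""Illustrative model of a fail2ban SSH jail (added example, not fail2ban code)."""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local fragment mirroring the tutorial's settings, plus an
# ignoreip line (assumed value; the tutorial mentions ignoreip without one).
JAIL_LOCAL = """
[SSH]
enabled = true
filter = sshd
port = ssh
logpath = %(sshd_log)s
banaction = iptables-multiport
maxretry = 3
findtime = 300
bantime = 600
ignoreip = 127.0.0.1/8 192.0.2.10
"""

# Matches the "Failed password" lines sshd writes to auth.log (syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    "Mar 15 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Mar 15 10:00:20 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "Mar 15 10:01:10 host sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2",
    "Mar 15 10:01:30 host sshd[1004]: Failed password for root from 203.0.113.5 port 50004 ssh2",  # 4th: already banned
    "Mar 15 10:02:00 host sshd[1005]: Failed password for root from 192.0.2.10 port 50005 ssh2",   # whitelisted
    "Mar 15 10:02:05 host sshd[1006]: Failed password for root from 192.0.2.10 port 50006 ssh2",
    "Mar 15 10:02:10 host sshd[1007]: Failed password for root from 192.0.2.10 port 50007 ssh2",
    "Mar 15 10:03:00 host sshd[1008]: Accepted publickey for deploy from 198.51.100.7 port 50008 ssh2",
    "Mar 15 10:05:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 50009 ssh2",
    "Mar 15 10:06:00 host sshd[1010]: Failed password for root from 198.51.100.9 port 50010 ssh2",
    "Mar 15 10:12:00 host sshd[1011]: Failed password for root from 198.51.100.9 port 50011 ssh2",  # outside findtime
]


def load_jail(text, name="SSH"):
    """Parse the jail section; interpolation is off so %(sshd_log)s is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[name]
    return {
        "maxretry": sec.getint("maxretry"),
        "findtime": sec.getint("findtime"),
        "bantime": sec.getint("bantime"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec.get("ignoreip", "").split()],
    }


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; 2024 is an assumed value for the sample."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def simulate(jail, log_lines):
    """Return (bans, events). bans: ip -> (ban_start, ban_end); events: ordered (ip, action) pairs."""
    failures = {}  # ip -> timestamps of failures still inside the findtime window
    bans = {}
    events = []
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other sshd lines are not failures
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if is_ignored(ip, jail["ignoreip"]):
            events.append((ip, "ignored"))
            continue
        if ip in bans and ts < bans[ip][1]:
            events.append((ip, "already-banned"))  # iptables would have rejected this attempt
            continue
        window_start = ts - timedelta(seconds=jail["findtime"])
        recent = [t for t in failures.get(ip, []) if t >= window_start]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= jail["maxretry"]:
            bans[ip] = (ts, ts + timedelta(seconds=jail["bantime"]))
            failures[ip] = []
            events.append((ip, "banned"))
        else:
            events.append((ip, "failed"))
    return bans, events


def banned_ip_list(bans, now):
    """What the 'Banned IP list:' line of fail2ban-client status would show at time `now`."""
    return sorted(ip for ip, (_, end) in bans.items() if now < end)


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    bans, events = simulate(jail, SAMPLE_LOG)
    for ip, action in events:
        print(f"{ip:15} {action}")
    print("Banned IP list:", banned_ip_list(bans, parse_ts("Mar 15 10:05:00")))
```

Running it shows 203.0.113.5 banned on its third failure and its fourth attempt rejected, 192.0.2.10 ignored because of ignoreip, and 198.51.100.9 never banned because its third failure falls outside the 300-second findtime window of the first two.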

Step 5: Check the fail2ban client status using the command below.

[root@fail2ban]# fail2ban-client status
|- Number of jail: 2
`- Jail list: SSH

You can also check the ban details of a particular jail with this command.

[root@fail2ban]# fail2ban-client status SSH
Status for the jail: SSH
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

If any IPs are currently banned, they appear in the “Banned IP list:” line of the above output.

You can also ban or unban known IP(s) manually using the commands below.

# fail2ban-client set SSH banip <IPAddress>
# fail2ban-client set SSH unbanip <IPAddress>

When an IP is blocked by fail2ban, the corresponding iptables chain looks like this.

Chain f2b-SSH (1 references)
target     prot opt source          destination
REJECT     all  --  <blocked IP>    anywhere      reject-with icmp-port-unreachable
RETURN     all  --  anywhere        anywhere

Note: Once everything is set up, test whether fail2ban is working properly. Try to log in from another machine to your server with wrong passwords/usernames; after three failed attempts fail2ban should block further attempts from that machine.

That’s it. This is how you can secure your Linux server against brute-force attacks.
