How to Protect SSH With Fail2Ban on Ubuntu 12.04

Servers are not immune to security threats, especially when it comes to SSH (Secure Shell) access. Brute force attacks can compromise your server’s security. Fail2Ban is a tool that automatically defends your virtual private server (VPS) by monitoring log files and responding to malicious behavior. In this guide, we’ll walk you through setting up Fail2Ban on Ubuntu 12.04 to protect your SSH access.

Step 1: Install Fail2Ban

First, you need to install Fail2Ban using apt-get:

```bash
sudo apt-get install fail2ban
```

Step 2: Copy the Configuration File

The default Fail2Ban configuration file is located at /etc/fail2ban/jail.conf, but you should not make changes directly to this file. Instead, create a local copy:

```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

You will configure Fail2Ban in the jail.local file.

Step 3: Configure Defaults in jail.local

Open the jail.local configuration file:

```bash
sudo nano /etc/fail2ban/jail.local
```

In this file, you can customize the default settings. Here’s an example of the [DEFAULT] section:

```ini
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
backend = auto
destemail = root@localhost
```

  • ignoreip: Add your IP address to this line to whitelist it, ensuring you don’t accidentally ban yourself.
  • bantime: Set the ban duration in seconds (default is 10 minutes).
  • maxretry: Specify the number of incorrect login attempts before an IP is banned.
  • backend: Leave as ‘auto’.
  • destemail: Set the email address to receive alerts if Fail2Ban bans an IP.

You can adjust these values to suit your preferences.

Additional Details - Actions

Below the defaults, you’ll find the Actions section. Here’s a snippet:

```ini
# ACTIONS
banaction = iptables-multiport
mta = sendmail
protocol = tcp
```

  • banaction: Describes the steps Fail2Ban takes to ban an IP. The default is iptables-multiport.
  • mta: Specifies the email program Fail2Ban uses for alerts (default is sendmail).
  • protocol: The protocol the ban rule applies to. You can change this to udp if you want Fail2Ban to cover UDP instead of TCP.

Step 4 (Optional): Configure the SSH Section in jail.local

The SSH section is further down in the jail.local file and is enabled by default. Here’s an example:

```ini
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
```

  • enabled: Set to true to enable SSH protection. Change to false to disable it.
  • port: Specify the SSH port (default is ssh). Change it if you use a non-standard port.
  • filter: Refers to the rules used to find matches (default is sshd).
  • logpath: Set the log location Fail2Ban should monitor.
  • maxretry: Define the maximum allowed login attempts before banning an IP. A value set here applies to the SSH jail and overrides the maxretry in [DEFAULT].
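
The counting that ignoreip, maxretry and bantime control, shown as an added Python example run over constructed auth.log lines (it is not Fail2Ban's own code and not part of the original guide). The regex is a simplified stand-in for the sshd filter, and findtime, a Fail2Ban setting not shown above, is assumed to be 600 seconds.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the sshd filter (IPv4 only); not Fail2Ban's real failregex.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# maxretry (the [ssh] jail's), bantime, ignoreip: the page's values. findtime (counting
# window, seconds) and year (auth.log timestamps omit it) are assumptions of this example.
def simulate_jail(lines, maxretry=6, bantime=600, findtime=600,
                  ignoreip=("127.0.0.1/8",), year=2013):
    """Return {ip: (ban_start, ban_end)} for hosts the jail would ban."""
    # strict=False because 127.0.0.1/8, as written in jail.local, has host bits set
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)          # ip -> times of recent failures
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                       # not a failed-login line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                       # whitelisted by ignoreip
        if ip in bans and ts < bans[ip][1]:
            continue                       # ban still active
        recent = failures[ip]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()               # forget failures outside the window
        if len(recent) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            recent.clear()
    return bans

def _line(t, ip):
    return f"Mar  4 {t} vps sshd[2211]: Failed password for root from {ip} port 50522 ssh2"

# Constructed sample auth.log lines (documentation addresses, not real traffic).
SAMPLE = sorted(
    [_line(f"10:00:{s:02d}", "203.0.113.5") for s in range(0, 60, 10)]     # 6 in one minute
    + [_line(f"10:{m:02d}:00", "198.51.100.7") for m in range(0, 60, 10)]  # 6 over 50 minutes
    + [_line(f"10:00:{s:02d}", "127.0.0.1") for s in range(7)]             # covered by ignoreip
    + ["Mar  4 10:01:00 vps sshd[2212]: Accepted password for admin from 192.0.2.10 port 50100 ssh2"],
    key=lambda l: l[:15])                  # chronological, like a real log
```

Calling simulate_jail(SAMPLE) bans only 203.0.113.5: the slow source never has six failures inside one window, and 127.0.0.1 is skipped because of ignoreip.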

Step 5: Restart Fail2Ban

After making changes, restart Fail2Ban to apply the configuration:

```bash
sudo service fail2ban restart
```

You can view the rules Fail2Ban has added to iptables:

```bash
sudo iptables -L
```

By following these steps, you’ve enhanced the security of your Ubuntu 12.04 server by protecting SSH access with Fail2Ban. This helps safeguard your server against brute force attacks and malicious behavior.
