Fail2ban is an intrusion prevention system, written in Python and developed over 10 years by Cyril Jaquier, Arturo Busleiman and many other contributors.

On Linux systems, this program runs as a background service that actively parses a configurable range of system logs. Suspicious or repeated failed authentication requests are identified by application-specific regular expression (REGEX) filters. A filter match generally results in the automatic creation of a firewall rule blocking the offending IP address. The length of the block can be set according to a bundled algorithm or manually.

Fail2ban is an active project whose files may be found in a few locations.

If you are interested in learning Python, see this related post.

Installation on Debian systems (eg. Ubuntu)

Debian distributions should include fail2ban in their main repositories; however, this is generally not the latest version.

For the purpose of this short guide, the 0.11.x development branch will be used.

Dependencies

The principal requirements are Python 3, the pip package manager for Python 3, and a few non-default Python packages.

sudo apt-get install git python3 python3-pip

To install the additional required packages, run the following:

pip3 install setuptools

If you receive any locale-based errors on a Debian system, you can fix your language settings quickly: uncomment your desired locale (language set) in /etc/locale.gen, then regenerate the associated files.

sudo nano /etc/locale.gen
sudo locale-gen

Pulling the latest build from GitHub

Once you have navigated into a new folder made for this purpose, pull the latest build from GitHub as follows.

git clone https://github.com/fail2ban/fail2ban.git

Compiling necessary components

Enter the newly created fail2ban directory and begin the first step of the installation, which runs the included Python setup script with the install command.

cd fail2ban
sudo python3 setup.py install

Installing fail2ban on your system

A default configuration is now included at /etc/fail2ban/jail.conf; however, this file will be overwritten during any upgrade. Copy it to jail.local so that your settings persist across future upgrades.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

To enable the daemon to start automatically on system reboot, a set of pre-bundled start-up scripts is included in the files subfolder of the cloned GitHub repository. Note that these are environment-specific.

For Debian-based systems (like Ubuntu), the appropriate file is called debian-initd and must be copied into the init.d system folder under the name fail2ban. Once copied, update-rc.d is called to process the change.

sudo cp files/debian-initd /etc/init.d/fail2ban
sudo update-rc.d fail2ban defaults
sudo service fail2ban start

Fail2ban activity should now be logged to /var/log/fail2ban.log.

Configuration

In order for fail2ban to actually write IP block rules, it needs to know where to look and what to look for. This is a modular system in which each application has its own filter and action rule set.

Jails are application-specific configurations that apply jail-specific REGEX filtering rules.

A baseline jail that should be enabled is [sshd] (the SSH daemon service). It parses the server's auth.log for abusive, failed and potentially malicious SSH login attempts.

All jails are outlined in the global configuration file; however, each requires an enabled = true setting to function.

sudo nano /etc/fail2ban/jail.local

  • SSHD Jail

[sshd]
enabled = true
mode    = aggressive
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

The logpath can be changed to any non-standard location if desired. Depending on the fail2ban version installed, these fields vary in their default values; consult the documentation for your specific version.

To manually update or modify the REGEX filters used by each jail, edit the respective filter file located at /etc/fail2ban/filter.d/[---JAILNAME---].conf.
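The following added example (not fail2ban's own engine or any file from the project) models what the [sshd] jail and its filter do: a failregex-style pattern with the <HOST> placeholder is matched against auth.log lines, failures per source address are counted inside a findtime window, and an address reaching maxretry is recorded as banned for bantime seconds. The log lines are constructed samples, the year used to parse syslog timestamps is an assumption, and the <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's real pattern. It is useful both for understanding the jail mechanism and for checking a filter edit against sample lines before deploying it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not real server data).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:09 host sshd[1203]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:20 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Mar  3 10:00:30 host sshd[1206]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar  3 10:30:00 host sshd[1207]: Failed password for bob from 198.51.100.20 port 40002 ssh2
"""

# A failregex written in the style of filter.d files: <HOST> marks the
# source address that a match attributes the failure to.
FAILREGEX = [
    r"^.*sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$",
]

# Simplified IPv4-only expansion of <HOST> (assumption; fail2ban's own
# expansion also covers IPv6 and hostnames).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def compile_failregex(patterns):
    """Expand <HOST> in each pattern and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in patterns]


def parse_timestamp(line, year=2024):
    """Return the syslog timestamp of a line as epoch seconds, or None.
    Syslog lines carry no year, so one is assumed here."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss)).timestamp()


def match_line(line, compiled):
    """Return the host a line attributes a failure to, or None (the
    check a filter edit should pass before it is deployed)."""
    for rx in compiled:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def scan_log(text, patterns, findtime=600, maxretry=3, bantime=3600):
    """Replay a log through the jail logic.  Returns a dict mapping each
    banned host to the ban time, the failure count that triggered the ban
    and the time the ban expires.  Lines from an already-banned host are
    not counted again."""
    compiled = compile_failregex(patterns)
    failures = defaultdict(deque)   # host -> failure timestamps in window
    bans = {}
    for line in text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue
        host = match_line(line, compiled)
        if host is None or host in bans:
            continue
        window = failures[host]
        window.append(ts)
        # Drop failures older than findtime relative to this one.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = {"time": ts, "failures": len(window),
                          "until": ts + bantime}
    return bans


if __name__ == "__main__":
    for host, info in scan_log(SAMPLE_AUTH_LOG, FAILREGEX).items():
        print(f"ban {host}: {info['failures']} failures, "
              f"expires {datetime.fromtimestamp(info['until'])}")
```

With the defaults above, 203.0.113.7 is banned on its third failure inside ten minutes, while 198.51.100.20 is not: its two failures are thirty minutes apart, so the findtime window never holds more than one of them. Raising findtime or lowering maxretry changes that outcome, which is exactly the trade-off those two jail settings control.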

Additional application-specific jails

  • Apache
    • Auth
    • Noscript
    • Buffer-overflow