Fail2Ban protects a Linux server against SSH brute-force attacks. It bans the IP address from which multiple failed login attempts are made within a short period of time.
fail2ban reads the /var/log/auth.log file to gather all the IP addresses that have made failed login attempts against the server. Based on this data, fail2ban builds a ban list.
$ sudo apt update
$ sudo apt install fail2ban
Check the status of fail2ban:
$ sudo systemctl status fail2ban
Fail2ban ships with configuration files that we do not edit directly, because they may be overwritten when the package is updated.
Hence, we create a local copy of the config file and edit that instead:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local
These keys live in the [DEFAULT] section of jail.local, so they apply to every jail unless a jail overrides them (the option is spelled ignoreip, and comments in this file use #, not //):
ignoreip = 192.168.43.1    # these IPs are never banned (e.g. your own admin host)
bantime = 1d               # how long an IP address stays banned
findtime = 10m             # window in which failed login attempts are counted
maxretry = 5               # failed attempts within findtime that trigger a ban
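To make the findtime/maxretry interaction concrete, here is an added example (my own code, not part of this page or of the fail2ban project) that replays constructed sshd lines in the classic auth.log format and applies the four settings above as a sliding window: an IP is banned when maxretry failures fall inside one findtime window, entries in ignoreip are skipped, and a ban lasts bantime. The log lines and the year 2024 used for the year-less syslog timestamps are constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the classic syslog-style sshd failure line found in /var/log/auth.log.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample log (not a real capture). 203.0.113.5 fails 5 times in 8 seconds,
# 198.51.100.7 fails 5 times but 7 minutes apart, 192.168.43.1 is the ignored admin host.
SAMPLE_AUTH_LOG = [
    "Mar 10 12:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar 10 12:00:03 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Mar 10 12:00:05 srv sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Mar 10 12:00:06 srv sshd[1004]: Accepted publickey for deploy from 198.51.100.20 port 50000 ssh2",
    "Mar 10 12:00:08 srv sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2",
    "Mar 10 12:00:09 srv sshd[1006]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Mar 10 12:01:00 srv sshd[1007]: Failed password for root from 198.51.100.7 port 41000 ssh2",
    "Mar 10 12:08:00 srv sshd[1008]: Failed password for root from 198.51.100.7 port 41001 ssh2",
    "Mar 10 12:15:00 srv sshd[1009]: Failed password for root from 198.51.100.7 port 41002 ssh2",
    "Mar 10 12:22:00 srv sshd[1010]: Failed password for root from 198.51.100.7 port 41003 ssh2",
    "Mar 10 12:29:00 srv sshd[1011]: Failed password for root from 198.51.100.7 port 41004 ssh2",
] + [
    f"Mar 10 12:30:0{i} srv sshd[{1012 + i}]: Failed password for root from 192.168.43.1 port {42000 + i} ssh2"
    for i in range(6)
]


def parse_failed_logins(lines, year=2024):
    """Yield (timestamp, ip) for every failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption: 2024)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def compute_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(days=1), ignoreip=("192.168.43.1",), year=2024):
    """Replay the log and return {ip: {"banned_at": iso, "expires_at": iso}}."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the findtime window
    expiry = {}                   # ip -> datetime when its ban lapses
    bans = {}
    for ts, ip in parse_failed_logins(lines, year):
        if any(ip_address(ip) in net for net in ignored):
            continue              # ignoreip: never counted, never banned
        if ip in expiry and ts < expiry[ip]:
            continue              # already banned; the firewall would drop this traffic
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            expiry[ip] = ts + bantime
            bans[ip] = {"banned_at": ts.isoformat(), "expires_at": expiry[ip].isoformat()}
            window.clear()
    return bans


def scan_sample():
    """Run the sample through the page's settings: 1d ban, 10m window, 5 retries."""
    return compute_bans(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    for ip, info in scan_sample().items():
        print(f"{ip}: banned at {info['banned_at']}, expires {info['expires_at']}")
```

Only 203.0.113.5 ends up banned: 198.51.100.7 also fails five times, but never five times inside one 10-minute window, which is exactly the case a too-small findtime would miss and a too-large one would catch. Real fail2ban does this matching with per-jail filter regexes and date patterns rather than the single regex used here.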
Fail2ban reads the configuration files in the following order; each .local file overrides the settings from the corresponding .conf file:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
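The practical question this order answers is "which file actually set the value I see?". The following added example (my own code, not from this page or from fail2ban) builds a constructed /etc/fail2ban-style tree in a temporary directory, reads the four layers in the order listed above with Python's configparser (last writer wins, and [DEFAULT] keys flow into every jail), and reports both the effective [sshd] settings and the file that supplied each one. The file names under jail.d and the values in them are invented for the demonstration.

```python
import configparser
import glob
import os
import tempfile

# Constructed layered configuration in the same layout as /etc/fail2ban/ (not the real files).
LAYERS = {
    "jail.conf": "[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n\n[sshd]\nport = ssh\nenabled = false\n",
    "jail.d/defaults-debian.conf": "[sshd]\nenabled = true\n",
    "jail.local": "[DEFAULT]\nbantime = 1d\nignoreip = 127.0.0.1/8 192.168.43.1\n",
    "jail.d/sshd-tuning.local": "[sshd]\nmaxretry = 3\n",
}


def write_layers(confdir, layers=LAYERS):
    """Materialise the constructed files under confdir."""
    for rel, body in layers.items():
        path = os.path.join(confdir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def read_order(confdir):
    """The precedence order from the page: conf, jail.d/*.conf, local, jail.d/*.local."""
    order = [os.path.join(confdir, "jail.conf")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    order.append(os.path.join(confdir, "jail.local"))
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    return order


def effective_settings(confdir, jail="sshd"):
    """Merged view of one jail: later files override earlier ones, DEFAULT feeds every jail."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(read_order(confdir))   # missing files are skipped silently
    return dict(parser[jail])


def provenance(confdir, jail="sshd"):
    """Map each option to the file (relative to confdir) whose value won."""
    origin = {}
    for path in read_order(confdir):
        single = configparser.ConfigParser(interpolation=None)
        if not single.read(path):
            continue
        if single.has_section(jail):
            keys = [k for k, _ in single.items(jail, raw=True)]   # includes this file's DEFAULT keys
        else:
            keys = list(single.defaults())
        for k in keys:
            origin[k] = os.path.relpath(path, confdir)
    return origin


def demo():
    """Build the tree, return (effective sshd settings, origin of each setting)."""
    with tempfile.TemporaryDirectory() as confdir:
        write_layers(confdir)
        return effective_settings(confdir), provenance(confdir)


if __name__ == "__main__":
    settings, origin = demo()
    for key in sorted(settings):
        print(f"{key:10} = {settings[key]:28} (from {origin[key]})")
```

With these layers, bantime comes from jail.local, maxretry from jail.d/sshd-tuning.local, enabled from jail.d/defaults-debian.conf, and findtime and port fall through to jail.conf; a value you put in jail.local can therefore still be overridden by a drop-in under jail.d/*.local. fail2ban uses its own reader with %(name)s interpolation on top of configparser, so this models the precedence, not every detail of its parser; on a live host, fail2ban-client get sshd maxretry shows the value the daemon actually settled on.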
Restart fail2ban so the new settings take effect:
$ sudo systemctl restart fail2ban