Bobcares

Fail2Ban on Ubuntu DigitalOcean Server | All About

Nov 3, 2024

In this latest blog, we’ll explain how to use Fail2Ban on a DigitalOcean Ubuntu Server. As part of our DigitalOcean Managed Service, Bobcares provides answers to all of your questions.

Overview
  1. Using Fail2Ban on a DigitalOcean Ubuntu Server
  2. Setting up Fail2Ban on Ubuntu (DigitalOcean)
  3. Customizing Fail2Ban for Optimal Security
  4. Monitoring and Managing Banned IPs
  5. Conclusion

Using Fail2Ban on a DigitalOcean Ubuntu Server

Fail2Ban is a vital security tool for Ubuntu servers, especially those hosted on DigitalOcean. It actively monitors log files for signs of brute-force attacks, unauthorized SSH logins, and other suspicious activities. Upon detecting repeated failed login attempts from a single IP, Fail2Ban automatically bans that IP for a specified duration, adding an essential layer of automated defense.


Why Use Fail2Ban on a DigitalOcean Ubuntu Server?

1. Brute-Force Protection: Internet-exposed Ubuntu servers are scanned constantly, and SSH on port 22 is the usual target for password guessing. Fail2Ban bans any IP that exceeds a set number of failed logins within a time window, which stops a single source from guessing passwords at full speed. It complements, rather than replaces, key-based authentication: disabling password logins in sshd_config removes the attack surface entirely, while Fail2Ban cuts down the noise and load from sources that keep trying anyway.

2. Automated Response: Manually monitoring log files and blocking suspicious IPs would be incredibly time-consuming and prone to error. With Fail2Ban, we can automate the process of IP banning, allowing for efficient, consistent defense without continuous manual input.

3. Reduces Server Load: A banned IP is rejected at the firewall, so its connections never reach sshd or the web server. That spares the CPU and memory those daemons would spend on failed authentications and keeps auth.log from filling with thousands of noise entries, leaving resources for legitimate users.

How Fail2Ban Works

Fail2Ban’s functionality centers around a series of well-defined steps:

1. Log Monitoring: Fail2Ban tails the log files (or the systemd journal) named by each jail and reads new lines as they arrive.

2. Pattern Matching: Each line is tested against the regular expressions (failregex) of the jail’s filter, stored under /etc/fail2ban/filter.d/. A jail ties one filter to one log source and one ban action, and sets the thresholds maxretry, findtime, and bantime.

3. IP Banning: When an IP produces maxretry matching lines within findtime seconds, Fail2Ban runs the jail’s ban action, which on Ubuntu normally inserts a firewall rule (iptables or nftables) that rejects the attacker’s connections for bantime seconds. When the ban expires, the rule is removed again.

Setting Up Fail2Ban on Ubuntu (DigitalOcean)

Here’s a straightforward guide to setting up and configuring Fail2Ban on an Ubuntu server hosted on DigitalOcean:

Step 1: Install Fail2Ban

First, we must install Fail2Ban using the apt package manager. Connect to your Ubuntu server via SSH and run:

bash

sudo apt update
sudo apt install fail2ban

Step 2: Configure Fail2Ban

Fail2Ban’s primary configuration file is /etc/fail2ban/jail.conf. That file is overwritten on package upgrades, so customizations belong in /etc/fail2ban/jail.local, which Fail2Ban reads after jail.conf and whose settings take precedence. Fail2Ban’s own documentation recommends a jail.local that contains only the settings you change; copying the full file also works and gives you every option to edit in place:

bash

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then, open and edit the jail.local file:

bash

sudo nano /etc/fail2ban/jail.local

Step 3: Configure SSH Protection

In the jail.local file, locate the [sshd] jail and modify settings as needed:

ini

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
findtime = 600

Here,

enabled: Enables the sshd jail.
port: The port(s) the ban action blocks; ssh resolves to 22, so change it if sshd listens on a non-standard port.
logpath: The log file Fail2Ban reads. If /var/log/auth.log does not exist on your server (newer Ubuntu releases do not install rsyslog by default, and sshd then logs only to the systemd journal), add backend = systemd to the jail so it reads sshd’s messages from the journal instead.
maxretry: Specifies the number of failed attempts allowed before banning.
bantime: Sets the ban duration in seconds (600 seconds = 10 minutes).
findtime: Defines the time window (in seconds) within which the failed attempts must occur to count towards maxretry.

Step 4: Enable Additional Jails (Optional)

Fail2Ban ships with jails for many other services, including Apache (apache-auth), Nginx (nginx-http-auth), and FTP daemons such as vsftpd and proftpd. To enable one, add enabled = true under its section in jail.local, and confirm that the logpath the jail expects matches where that service actually writes its log on your server.

Step 5: Restart and Enable Fail2Ban

After configuring, check that the configuration parses cleanly with fail2ban-client -t, then restart Fail2Ban for the changes to take effect:

bash

sudo systemctl restart fail2ban

Enable Fail2Ban to start at boot:

bash

sudo systemctl enable fail2ban

Step 6: Check Status

To verify Fail2Ban’s status and confirm the active jails, use:

bash

sudo fail2ban-client status

To view details of a specific jail (like SSH):

bash

sudo fail2ban-client status sshd

This command displays the jail’s filter statistics (currently failed and total failed attempts, and the log file or journal it reads) and its action statistics (currently banned and total banned counts, plus the list of banned IPs).

Customizing Fail2Ban for Optimal Security

We should fine-tune Fail2Ban settings for maximum effectiveness. Here are some customization options:

1. Bantime and Findtime

Bantime: Controls the ban duration for an IP. The default is 600 seconds (10 minutes); for stricter security, raise it, for example to an hour or a day. Fail2Ban 0.11 and later can also lengthen the ban automatically for repeat offenders with bantime.increment = true in jail.local, which keeps first-time bans short while escalating for sources that come back.

Findtime: Defines the time window Fail2Ban uses to track failed attempts. For example, with findtime set to 600 seconds and maxretry at 5, any IP with 5 failed attempts within 10 minutes is banned.

2. Permanent Ban

To ban an IP indefinitely, set bantime to -1:

ini

bantime = -1

Use this with care: most attacking addresses are dynamic or shared, so a permanent ban can lock out whoever inherits that address later, and the firewall rule list only ever grows. A long but finite bantime combined with bantime.increment usually gives the same protection with less risk of blocking legitimate users.

3. Whitelisting Trusted IPs

To prevent trusted IPs from being banned, we must whitelist them. In the [DEFAULT] section of jail.local, add:

ini

ignoreip = 127.0.0.1/8 192.168.1.100

Replace 192.168.1.100 with the IP you want to trust, such as the static address you administer the server from; add ::1 as well if the server accepts IPv6 connections. Addresses in ignoreip are exempt from every jail, so keep the list to a few specific hosts rather than broad ranges.
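To make the pieces above concrete, here is an added example written for this page (not Fail2Ban’s own code, although Fail2Ban itself is written in Python). It covers the jail loop described under “How Fail2Ban Works” and the maxretry, findtime, bantime and ignoreip settings from Step 3 and this section: it reads a jail.local fragment with Python’s configparser, which handles the same INI layout and [DEFAULT] inheritance Fail2Ban uses, then replays constructed auth.log lines through a simplified version of the jail logic. The jail.local text, the log lines, the hostname “droplet”, the addresses (203.0.113.0/24 and 198.51.100.0/24, documentation ranges) and the cut-down failregex are all constructed for the example.

```python
"""Simplified model of one Fail2Ban jail, replayed over constructed sshd log lines.

Added example for this page, not Fail2Ban's own code. The jail.local text, the
log lines, the hostname and the addresses are all constructed for the example.
"""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local: [DEFAULT] values plus an [sshd] jail that tightens them.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
enabled  = true
port     = ssh
backend  = systemd
maxretry = 3
bantime  = -1
"""

# Cut-down stand-in for the sshd filter's failregex; the real one in
# /etc/fail2ban/filter.d/sshd.conf covers many more message variants.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+")
# syslog-style timestamp at the start of an auth.log line (it carries no year).
STAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

SAMPLE_AUTH_LOG = [
    # 203.0.113.50: three failures inside ten minutes -> reaches maxretry = 3
    "Nov  3 10:00:01 droplet sshd[1201]: Failed password for root from 203.0.113.50 port 51000 ssh2",
    "Nov  3 10:00:04 droplet sshd[1201]: Failed password for root from 203.0.113.50 port 51001 ssh2",
    "Nov  3 10:00:07 droplet sshd[1203]: Failed password for invalid user admin from 203.0.113.50 port 51002 ssh2",
    # 203.0.113.10 is listed in ignoreip: never banned, however often it fails
    "Nov  3 10:01:00 droplet sshd[1210]: Failed password for root from 203.0.113.10 port 52000 ssh2",
    "Nov  3 10:01:02 droplet sshd[1210]: Failed password for root from 203.0.113.10 port 52001 ssh2",
    "Nov  3 10:01:04 droplet sshd[1210]: Failed password for root from 203.0.113.10 port 52002 ssh2",
    # 198.51.100.7: three failures, but each more than findtime apart -> not banned
    "Nov  3 10:05:00 droplet sshd[1220]: Failed password for deploy from 198.51.100.7 port 53000 ssh2",
    "Nov  3 10:20:00 droplet sshd[1221]: Failed password for deploy from 198.51.100.7 port 53001 ssh2",
    "Nov  3 10:35:00 droplet sshd[1222]: Failed password for deploy from 198.51.100.7 port 53002 ssh2",
    # a successful login does not match the filter and is never counted
    "Nov  3 10:36:00 droplet sshd[1230]: Accepted publickey for deploy from 198.51.100.7 port 53003 ssh2",
]


def load_jail(text, name):
    """Effective settings for one jail, with [DEFAULT] inheritance applied."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[name]
    bantime = int(sec["bantime"])
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "maxretry": int(sec["maxretry"]),
        "findtime": int(sec["findtime"]),
        "bantime": None if bantime < 0 else bantime,   # -1 means permanent
        "ignoreip": [ipaddress.ip_network(n, strict=False)
                     for n in sec["ignoreip"].split()],
    }


def is_ignored(ip, ignoreip):
    """True if ip lies inside any ignoreip network (such hosts are never banned)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignoreip)


def replay(lines, cfg, year=2024):
    """Run log lines through the jail; return {ip: ban expiry, or None if permanent}."""
    failures = {}   # ip -> timestamps of failures still inside the findtime window
    bans = {}       # ip -> expiry datetime, or None for a permanent ban
    for line in lines:
        m_ts, m_fail = STAMP.match(line), FAILREGEX.search(line)
        if not (m_ts and m_fail):
            continue                      # line does not match the filter
        ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
        ip = m_fail["ip"]
        if is_ignored(ip, cfg["ignoreip"]):
            continue                      # whitelisted
        if ip in bans and (bans[ip] is None or ts < bans[ip]):
            continue                      # ban still in force
        window_start = ts - timedelta(seconds=cfg["findtime"])
        hits = [t for t in failures.get(ip, []) if t > window_start] + [ts]
        failures[ip] = hits
        if len(hits) >= cfg["maxretry"]:
            bans[ip] = None if cfg["bantime"] is None else ts + timedelta(seconds=cfg["bantime"])
    return bans


if __name__ == "__main__":
    cfg = load_jail(JAIL_LOCAL, "sshd")
    for ip, expiry in replay(SAMPLE_AUTH_LOG, cfg).items():
        print(f"ban {ip} until {'forever' if expiry is None else expiry}")
```

Run it with python3 and only 203.0.113.50 is banned: 203.0.113.10 is covered by ignoreip, and 198.51.100.7 never accumulates three failures inside one findtime window. Replacing the jail’s bantime = -1 with 600 turns that permanent ban into one expiring at 10:10:07, ten minutes after the third failure. To check the real sshd filter against your own log, Fail2Ban ships fail2ban-regex, which reports how many lines of a log file a filter matches.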

Monitoring and Managing Banned IPs

Fail2Ban makes it easy to view and manage banned IPs.

1. Unbanning an IP: If a legitimate IP is mistakenly banned, we can unban it by passing the address to the jail’s unbanip command (replace 203.0.113.10 with the banned address):

bash

sudo fail2ban-client set sshd unbanip 203.0.113.10

2. Viewing Banned IPs: To list all currently banned IPs for SSH, run:

bash

sudo fail2ban-client status sshd


Conclusion

Fail2Ban provides an invaluable layer of automated defense for Ubuntu servers, particularly on DigitalOcean. By actively monitoring logs, matching activity patterns, and enforcing bans on malicious IPs, it strengthens our server’s security against unauthorized access and reduces server load from unwanted traffic. With simple setup steps and customizable options, Fail2Ban should be an essential part of any server’s security toolkit. We must take these preventive measures to safeguard our server and ensure stable, secure server performance.
