Bobcares

Fail2Ban on Ubuntu DigitalOcean Server | All About

by | Nov 3, 2024

In this latest blog, we’ll explain how to use Fail2Ban on a DigitalOcean Ubuntu Server. As part of our DigitalOcean Managed Service, Bobcares provides answers to all of your questions.

Overview
  1. Using Fail2Ban on a DigitalOcean Ubuntu Server
  2. Setting up Fail2Ban on Ubuntu (DigitalOcean)
  3. Customizing Fail2Ban for Optimal Security
  4. Monitoring and Managing Banned IPs
  5. Conclusion

Using Fail2Ban on a DigitalOcean Ubuntu Server

Fail2Ban is a vital security tool for Ubuntu servers, especially those hosted on DigitalOcean. It actively monitors log files for signs of brute-force attacks, unauthorized SSH logins, and other suspicious activities. Upon detecting repeated failed login attempts from a single IP, Fail2Ban automatically bans that IP for a specified duration, adding an essential layer of automated defense.


Why Must We Use Fail2Ban on a DigitalOcean Ubuntu Server?

1. Brute-Force Protection: Internet-exposed Ubuntu servers are prime targets for brute-force attacks, particularly on SSH. Fail2Ban offers a powerful solution by banning any IP that attempts to gain unauthorized access, enhancing your server’s protection against such attacks.

2. Automated Response: Manually monitoring log files and blocking suspicious IPs would be incredibly time-consuming and prone to error. With Fail2Ban, we can automate the process of IP banning, allowing for efficient, consistent defense without continuous manual input.

3. Reduces Server Load: By banning malicious IPs early on, Fail2Ban prevents resource-heavy attacks from affecting your server. This proactive defense lowers server load, ensuring resources are preserved for legitimate users.

How Does Fail2Ban Work?

Fail2Ban’s functionality centers around a series of well-defined steps:

1. Log Monitoring: Fail2Ban scans log files for failed login attempts or other risky activity.

2. Pattern Matching: It matches these activities to rules specified in “jails.”

3. IP Banning: When failed attempts exceed a set threshold, Fail2Ban automatically bans the IP, typically using iptables.

Setting Up Fail2Ban on Ubuntu (DigitalOcean)

Here’s a straightforward guide to setting up and configuring Fail2Ban on an Ubuntu server hosted on DigitalOcean:

Step 1: Install Fail2Ban

First, we must install Fail2Ban using the apt package manager. Connect to your Ubuntu server via SSH and run:

bash

sudo apt update
sudo apt install fail2ban

Step 2: Configure Fail2Ban

Fail2Ban’s primary configuration file is stored in /etc/fail2ban/jail.conf, but we should make customizations in a separate file to avoid losing changes during updates. To create a custom configuration file, run:

bash

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then, open and edit the jail.local file:

bash

sudo nano /etc/fail2ban/jail.local

Step 3: Configure SSH Protection

In the jail.local file, locate the [sshd] jail and modify settings as needed:

ini

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
findtime = 600

Here,

enabled: Enables SSH protection.
maxretry: Specifies the number of failed attempts allowed before banning.
bantime: Sets the ban duration in seconds (600 seconds = 10 minutes).
findtime: Defines the time window (in seconds) during which Fail2Ban checks for failed attempts.

Step 4: Enable Additional Jails (Optional)

Fail2Ban can secure other services, like Apache, Nginx, or FTP. To enable protection for these services, activate specific jails in the jail.local file.

Step 5: Restart and Enable Fail2Ban

After configuring, we must restart Fail2Ban for the changes to take effect:

bash

sudo systemctl restart fail2ban

Enable Fail2Ban to start at boot:

bash

sudo systemctl enable fail2ban

Step 6: Check Status

To verify Fail2Ban’s status and confirm the active jails, use:

bash

sudo fail2ban-client status

To view details of a specific jail (like SSH):

bash

sudo fail2ban-client status sshd

This command will display the number of currently banned IPs and other useful data.

Customizing Fail2Ban for Optimal Security

We should fine-tune Fail2Ban settings for maximum effectiveness. Here are some customization options:

1. Bantime and Findtime

Bantime: Controls the ban duration for an IP. The default is 600 seconds, but for stricter security, we may increase it.

Findtime: Defines the time window Fail2Ban uses to track failed attempts. For example, with findtime set to 600 seconds and maxretry at 5, any IP with 5 failed attempts within 10 minutes is banned.

2. Permanent Ban

For persistent security, we can enforce a permanent ban on IPs by setting bantime to -1:

ini

bantime = -1

3. Whitelisting Trusted IPs

To prevent trusted IPs from being banned, we must whitelist them. In the [DEFAULT] section of jail.local, add:

ini

ignoreip = 127.0.0.1/8 192.168.1.100

Replace 192.168.1.100 with the IP you want to trust.
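
How maxretry, findtime, bantime and ignoreip interact, replayed over a constructed auth.log. This is an added example, not code from the original article or from Fail2Ban. The regex is a simplified stand-in for the sshd filter, and the host name, PID and documentation-range IPs are made up for illustration.

```python
import ipaddress, re
from collections import defaultdict, deque
from datetime import datetime

# Settings taken from the [sshd] jail and the ignoreip line on this page.
MAXRETRY, FINDTIME, BANTIME = 5, 600, 600
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.1.100")]
# Simplified stand-in for the sshd filter (an assumption, not Fail2Ban's own failregex).
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse(line, year=2024):
    """Return (seconds_since_jan_1, ip_address) for a failed login, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return (ts - datetime(year, 1, 1)).total_seconds(), ipaddress.ip_address(m.group(2))
    except ValueError:
        return None  # malformed timestamp or non-IP source field

def simulate(lines):
    """Replay log lines in order; return [(ip, ban_start, ban_end), ...]."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for t, addr in filter(None, map(parse, lines)):
        if any(addr in net for net in IGNOREIP) or banned_until.get(addr, 0) > t:
            continue  # whitelisted by ignoreip, or ban still active
        window = recent[addr]
        window.append(t)
        while t - window[0] > FINDTIME:
            window.popleft()  # drop failures older than findtime
        if len(window) >= MAXRETRY:
            end = float("inf") if BANTIME < 0 else t + BANTIME  # -1 = permanent
            banned_until[addr] = end
            bans.append((str(addr), t, end))
            window.clear()
    return bans

def _line(hms, ip):  # builds one constructed auth.log entry
    return f"Nov  3 {hms} web1 sshd[1234]: Failed password for root from {ip} port 4222 ssh2"

# Constructed sample: fast attacker, slow attacker, and a whitelisted host.
SAMPLE = sorted(
    [_line(f"10:0{m}:00", "203.0.113.7") for m in range(5)]
    + [_line(f"10:{m:02d}:30", "198.51.100.9") for m in (0, 4, 8, 12, 16)]
    + [_line(f"10:05:0{s}", "192.168.1.100") for s in range(6)]
)
print(simulate(SAMPLE))
```

Only 203.0.113.7 is banned. 198.51.100.9 also fails five times, but spaced four minutes apart, so it never has five failures inside one findtime window, which is the gap to keep in mind when choosing findtime and maxretry.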

Monitoring and Managing Banned IPs

Fail2Ban makes it easy to view and manage banned IPs.

1. Unbanning an IP: If a legitimate IP is mistakenly banned, we can unban it with:

bash

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

2. Viewing Banned IPs: To list all currently banned IPs for SSH, run:

bash

sudo fail2ban-client status sshd


Conclusion

Fail2Ban provides an invaluable layer of automated defense for Ubuntu servers, particularly on DigitalOcean. By actively monitoring logs, matching activity patterns, and enforcing bans on malicious IPs, it strengthens our server’s security against unauthorized access and reduces server load from unwanted traffic. With simple setup steps and customizable options, Fail2Ban should be an essential part of any server’s security toolkit. We must take these preventive measures to safeguard our server and ensure stable, secure server performance.
