Penguin Crumbs

Notes and tips from a Linux user

home about this blog

Secure your server with fail2ban

Let’s say that you have a public Linux server on the internet and that it is technically possible for everyone to connect to it using ssh. In this scenario, it is probably appropriate to protect it from who tries to guess the password obsessively making an impressive number of repeated attempts.
(Yes, I know that you are thinking that if the ssh key is present on the client side, then typing in the password is no longer a problem; anyway I do not like this way of using ssh, since I don’t want to worry if I lose my smartphone or my notebook.)

Well, in brief fail2ban is an intrusion prevention software against brute-force attacks, written in the Python, that scans your logs and bans evil IPs using iptables. Here is a 5-minute installation and configuration guide for Ubuntu and derivative distros.


 apt install iptables  # maybe it's installed yet
 apt install fail2ban

The configuration directory is


Do not edit the file jail.conf; just create a new file named jail.local and put the follownig content in it:

 enabled = true
 port = ssh
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 3
 bantime = 900
 ignoreip =

And now restart the service using

 systemctl restart fail2ban

Now you can try to login with the wrong password and your ssh client IP will be blocked!!! You can monitor the status of the bans with some commands:

 systemctl status fail2ban # prints the service process status
 fail2ban-client status ssh # prints info about banned IPs
 iptables -L # alternative way to print info about banned IPs
 fail2ban-client set ssh unbanip # unbans one IP

Usually the log configured in fail2ban.conf is /var/log/fail2ban.log, so using grep you can view some info about how fail2ban has been working:

 grep Ban /var/log/fail2ban.log
 grep Unban /var/log/fail2ban.log

Update: after being heavily attacked by hackers, I reconfigured my server more agressively like this:

 bantime = 1 month
 findtime = 1 month
 maxretry = 2
 ignoreip =

 enabled = true
 port = ssh
 filter = sshd
 logpath = %(sshd_log)s

 enabled  = true
 port = ssh
 filter = sshd-ddos
 logpath = %(sshd_log)s
Posted on 2019-05-23  
⇦  back
Copyright © 2019-2024 Marcello Zaniboni