In this tutorial, we will explain how to install Fail2ban on an Ubuntu 14.04 VPS. Fail2Ban is a Python application that monitors log files to detect potential intrusion attempts. Fail2ban scans the log files looking for specific patterns that indicate an attack. It uses iptables to block IPs that show the malicious signs such as brute-force attempts on SSH, HTTP, FTP, SMTP ..etc. This guide should work on other Linux VPS systems as well but was tested and written for Ubuntu 14.04 VPS.
As always, first login to your VPS via SSH:
# ssh user@hostname
Installing Fail2ban is very simple just run:
user@hostname ~$ sudo apt-get update user@hostname ~$ sudo apt-get install fail2ban
If you want Fail2ban to send mail notifications, you’ll need some kind of SMTP server such as Posfix, Exim or Sendmail. For example, you can install Posfix with the following command:
user@hostname ~$ sudo apt-get install postfix
The best practice is to duplicate the default Fail2ban configuration file and to work on a local copy, which keeps your changes safe from updates. To create a local copy (jail.local) just run:
user@hostname ~$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you should make all your changes and additions to the jail.local file.
Open up the jail.local file in your text editor of choice and let’s make some changes.
user@hostname ~$ sudo vim /etc/fail2ban/jail.local
The [DEFAULT] section:
- ignoreip:, by default only 127.0.0.1 is whitelisted, you should also add your VPS and Local IP addresses into the ignoreip line.example:
ignoreip = 127.0.0.0 18.104.22.168/24 22.214.171.124
- bantime:, the ban time (in seconds). You can use a negative number for permanent ban.
- maxretry:, the number of failures before an IP get banned.
- destemail:, the email to which the alerts will be sent. You should put your email address.
- action:, if you want to receive alerts with whois report and relevant log lines, change it to:
action = %(action_mwl)s
Jails are the rules which Fail2Ban apply to a given service and are combination of a filter and action. By default only the ssh jail is enabled, you can enable additional jails according to your needs by changing
enabled = false to
enabled = true
Finally restart the Fail2Ban service so that the changes take effect.
user@hostname ~$ sudo /etc/init.d/fail2ban restart
If you want to tweak the existing filters or add some new filters, you can find them in the /etc/fail2ban/filter.d/ directory.
For example if you want to edit the Fail2Ban filter for the OpenSSH service, open end edit the following file:
user@hostname ~$ sudo vim /etc/fail2ban/filter.d/sshd.conf
Do not forget to restart the Fail2Ban service after you make changes to the configuration files.
Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to setup this for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.