How to configure firewall for “brute force attack” with fail2ban on Ubuntu (Server) 14.04 LTS Step-by-Step

You have to be logged in as a root.
Step 1 – Update repositories.

root@mail:/# apt-get update

root@mail:/# apt-get upgrade

Step 2 – Install fail2ban.

root@mail:/# apt-get install fail2ban

Basic Configuration

Step 3 – Backup config file

root@mail:/# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

Step 4 – Open config file.

root@mail:/# nano /etc/fail2ban/jail.conf

Step 5 – Config DEFAULT section. 1 – ignoreip:, by default only 127.0.0.1 is whitelisted. You should also add your Local IP addresses into the ignoreip 2 – bantime: – the ban time (in seconds). You can use a negative number for permanent ban. 3 – maxretry – the number of failures before an IP get banned. 4 – destemail – the email to which the alerts will be sent. You should put your email address. Write ‘-1? for permanently banned

ignoreip = 127.0.0.1/8 192.168.0.0/24 bantime = -1 maxretry = 3 destemail = mslavov@linux-sys-adm.com

Step 6 – Search SSH section and configure it. Your configuration must look like this below. If you want to disable, you must change true to false. In order to permanently ban ip address you have to add the bantime line. If you want to restore ip addresses after restart, you have to add the action line. Action rule ‘iptables-allports’ definition will be shown later in the tutorial.

[ssh] enabled = true port = ssh filter = sshd action = iptables-allports[name=ssh] logpath = /var/log/auth.log maxretry = 2 bantime = -1

Step 7 – Search vsFTPd section and configure. Your configuration must look like this.

[vsftpd] #port = ftp,ftp-data,ftps,ftps-data #logpath = %(vsftpd_log)s enabled = true logpath = /var/log/vsftpd.log port = ftp,ftp-data,ftps,ftps-data filter = vsftpd action = iptables-allports[name=vsftpd] maxretry = 3 bantime = -1

Step 8 – Restart fail2ban.

root@mail:/# /etc/init.d/fail2ban restart

Advanced Configuration

Step 9 – Add banned ip address after restart. If you don’t do this after restart, you will lose banned ip address. Backup this config file /etc/fail2ban/action.d/iptables-allports.conf.

root@mail:/# cp /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-allports.conf.backup

Step 10 – Open config file with nano /etc/fail2ban/action.d/iptables-allports.conf and change the script with my script. You can download the script iptables-allports.conf

root@mail:/# nano /etc/fail2ban/action.d/iptables-allports.conf

Step 11 – Create a file in which you will save the banned ip address.

root@mail:/# touch /etc/fail2ban/ip.blacklist

Step 12 – Show active fail2ban rules with fail2ban-client status

Step 13 – Show active fail2ban ssh status with fail2ban-client status ssh

Step 14 – If you want to remove ip address from fail2ban rules, you have to open /etc/fail2ban/ip.blacklist file and remove manually ip address. Then you have to show iptables and remove ip address.
Step 15 – Show iptables and see number of ip address which you want to remove.

root@mail:/# iptables -L -n -–line-numbers

Step 16 – Remove ip address which you want.

root@mail:/# iptables -D fail2ban-ssh 1

or

root@mail:/# iptables -D ssh 1

If you don’t do this, the ip address will be banned again after restart.

Posts Contents: – Download More Blogspot contents(Posts) for you site