How to set up Fail2ban?

Fail2ban is a security tool that can be used to protect servers from malicious login attempts and other types of attacks. It works by monitoring log files and banning IP addresses that show suspicious activity, such as repeated failed login attempts, by adding temporary firewall rules. Here is a tutorial on how to set up Fail2ban on an Ubuntu system:

  1. Install Fail2ban: First, you will need to install Fail2ban on your system. You can do this by running the following command in a terminal window:
sudo apt install fail2ban
  2. Configure Fail2ban: Fail2ban is configured using configuration files located in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/fail2ban.conf, which contains global settings for the daemon itself (log level, log target, socket and PID file locations). Jail defaults such as the ban time, the log file to watch, and email notification actions live in /etc/fail2ban/jail.conf. Do not edit the packaged .conf files directly, since package upgrades overwrite them; put your overrides in /etc/fail2ban/jail.local or in a file under /etc/fail2ban/jail.d/, which Fail2ban reads after the defaults.
  3. Create a jail configuration: A jail is a set of rules that specifies what Fail2ban should look for in the log files and how it should react when it finds a match. You can create a jail configuration by creating a new file in the /etc/fail2ban/jail.d directory. For example, to create a jail for SSH attacks, you can create a file named ssh.conf with the following contents:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

This configuration enables the SSH jail and bans, for one day (86400 seconds), any IP address that reaches 3 failed login attempts (maxretry) within the default findtime window of 10 minutes (600 seconds); add a findtime line to the jail to change that window. Note that logpath assumes rsyslog is writing /var/log/auth.log; on hosts that log only to the systemd journal, set backend = systemd in the jail instead so Fail2ban reads sshd's messages from journald.

  4. Restart Fail2ban: Once you have configured Fail2ban, you will need to restart the service to apply the changes. You can do this by running the following command:
sudo systemctl restart fail2ban
  5. Test Fail2ban: To test Fail2ban, you can try to log in to your server using an incorrect password multiple times. Fail2ban should detect the failed login attempts and ban the IP address. Running sudo fail2ban-client status lists the active jails, and sudo fail2ban-client status ssh shows the failure counters and the currently banned IP addresses for this jail. Test from a host other than the one you administer from, or add your management address to ignoreip in the jail, otherwise the test locks you out; a ban can be lifted early with sudo fail2ban-client set ssh unbanip <IP>.
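The configuration and test steps above, as an added example that is not part of the original tutorial: a small shell script that renders a jail.d override for the packaged sshd filter (using the jail name sshd, which is the one jail.conf ships, rather than a new ssh jail), validates the whole configuration with fail2ban-client -t before reloading, and extracts the ban list from fail2ban-client status output. The render_sshd_jail, jail_value, banned_ips and install_sshd_jail names, the target file name sshd-local.conf, and the /var/log/auth.log logpath are assumptions of this example; the sample status output near the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Renders and (optionally) installs a
# Fail2ban jail.d override for the sshd jail. Only install_sshd_jail touches the system.
set -eu

# render_sshd_jail MAXRETRY BANTIME FINDTIME IGNOREIP
# Prints a jail.d fragment. Assumption: sshd logs via rsyslog to /var/log/auth.log;
# on journald-only hosts replace the logpath line with "backend = systemd".
render_sshd_jail() {
  maxretry="${1:-3}"; bantime="${2:-86400}"; findtime="${3:-600}"
  ignoreip="${4:-127.0.0.1/8 ::1}"   # never ban loopback; add your admin IP here
  cat <<EOF
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = ${maxretry}
findtime = ${findtime}
bantime  = ${bantime}
ignoreip = ${ignoreip}
EOF
}

# jail_value FILE KEY: print the value of KEY from a rendered fragment (empty if absent)
jail_value() {
  sed -n "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1"
}

# banned_ips: read "fail2ban-client status <jail>" output on stdin, print the ban list
banned_ips() {
  sed -n 's/^.*Banned IP list:[[:space:]]*//p'
}

# install_sshd_jail [MAXRETRY BANTIME FINDTIME IGNOREIP]: requires root on a real host.
# Writes the override, checks the full config, then reloads (a reload keeps existing
# bans, whereas a restart drops them) and prints the jail status.
install_sshd_jail() {
  target=/etc/fail2ban/jail.d/sshd-local.conf   # assumed file name
  render_sshd_jail "$@" > "$target"
  fail2ban-client -t                 # refuse to reload a config Fail2ban cannot parse
  fail2ban-client reload
  fail2ban-client status sshd | banned_ips
}

# Usage: sh setup-sshd-jail.sh install 3 86400 600 "127.0.0.1/8 ::1 203.0.113.10"
# Without the "install" argument the script only defines the functions above.
if [ "${1:-}" = "install" ]; then
  shift
  install_sshd_jail "$@"
fi
```

Running the script without arguments is harmless, so you can source it and call render_sshd_jail to inspect the fragment before committing to an install; the fail2ban-client -t check is what keeps a typo in the override from taking the daemon down on reload.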