Setting Up Fail2Ban on Ubuntu to Monitor SSH

Why use Fail2Ban? Because unknown parties are constantly attempting to log in to your server or workstation over SSH, and Fail2Ban blocks the source addresses that keep failing.

Sounds good, how do I set it up?

1. Start by installing Fail2Ban:

sudo apt-get install fail2ban

2. We will want to make a backup copy of the original config file before we start editing:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.orig

3. Now let’s edit the configuration file. Open it in your favorite text editor. (I chose nano):

sudo nano /etc/fail2ban/jail.conf

4. I like to add my personal IP address to the ignoreip section to prevent myself from getting locked out. This can be done by editing the ignoreip line within the config file. Separate the whitelisted hostnames or IP addresses with spaces.

ignoreip = 127.0.0.1/8 mydomain.com

5. I like to decrease the maxretry value to 2. This gives me two attempts when connecting from an IP or domain other than my own. Any more than two, I feel, is either me having a really bad day or a hack attempt. Edit the line that states maxretry = 3 to the following:

maxretry = 2

SSH monitoring is enabled by default, so there shouldn’t be much else to do for basic setup at this point. If you want to change the logging level or the location of the log file you can edit the fail2ban.conf file.

6. Now just restart Fail2Ban and you should be all set:

sudo service fail2ban restart
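To make the effect of steps 4 and 5 concrete, here is an added Python example. It is not from the post and not fail2ban's own code; it replays a few constructed /var/log/auth.log lines through the same rule fail2ban applies: a source is banned once its failure count reaches maxretry within findtime, unless it matches ignoreip. Assumptions: findtime of 10 minutes (fail2ban's stock default, not set in the post), a simplified failregex (fail2ban ships a much longer set for sshd), the address 203.0.113.10 standing in for mydomain.com, and the jail name sshd (older Ubuntu releases called it ssh). The render_jail_local() helper emits the post's edits as a jail.local override, which fail2ban reads on top of jail.conf and which, unlike jail.conf, is not overwritten on package upgrades.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings mirroring the post's edits: a CIDR plus one trusted host in ignoreip,
# and maxretry lowered to 2. findtime is an assumption (fail2ban's default of 10m).
IGNOREIP = "127.0.0.1/8 203.0.113.10"   # 203.0.113.10 stands in for mydomain.com (constructed)
MAXRETRY = 2
FINDTIME = timedelta(minutes=10)

# Simplified stand-in for fail2ban's sshd failregex (assumption: only one line shape).
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample of Ubuntu auth.log lines; not a real capture.
SAMPLE_LOG = [
    "Mar  1 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Mar  1 10:00:05 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2",
    "Mar  1 10:00:09 host sshd[1003]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Mar  1 10:01:00 host sshd[1004]: Failed password for alice from 203.0.113.10 port 40000 ssh2",
    "Mar  1 10:01:10 host sshd[1005]: Failed password for alice from 203.0.113.10 port 40001 ssh2",
    "Mar  1 10:01:20 host sshd[1006]: Failed password for alice from 203.0.113.10 port 40002 ssh2",
    "Mar  1 10:05:00 host sshd[1007]: Failed password for bob from 192.0.2.33 port 3333 ssh2",
    "Mar  1 10:20:00 host sshd[1008]: Failed password for bob from 192.0.2.33 port 3334 ssh2",
    "Mar  1 10:21:00 host sshd[1009]: Accepted publickey for alice from 203.0.113.10 port 40010 ssh2",
]


def parse_ignoreip(value):
    """Turn the space-separated ignoreip value into IP networks.

    Hostnames (like mydomain.com in the post) would need DNS and are skipped
    in this offline example.
    """
    nets = []
    for token in value.split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass
    return nets


def is_ignored(ip, nets):
    """True when the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def simulate(log_lines, year=2024):
    """Replay log lines and return {ip: time_of_ban} for sources fail2ban would ban.

    A ban fires when a source accumulates MAXRETRY failures inside one FINDTIME
    window; failures older than the window are forgotten, as fail2ban does.
    """
    nets = parse_ignoreip(IGNOREIP)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned = {}
    for line in log_lines:
        match = FAILED.search(line)
        if not match:
            continue                      # not a failure line (e.g. "Accepted publickey")
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = match.group(1)
        if is_ignored(ip, nets) or ip in banned:
            continue                      # whitelisted, or already banned
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()              # expire failures outside findtime
        if len(window) >= MAXRETRY:
            banned[ip] = ts
    return banned


def render_jail_local():
    """The post's jail.conf edits expressed as a jail.local override (jail name assumed)."""
    return (
        "[DEFAULT]\n"
        f"ignoreip = {IGNOREIP}\n"
        f"maxretry = {MAXRETRY}\n"
        f"findtime = {int(FINDTIME.total_seconds())}\n"
        "\n"
        "[sshd]\n"
        "enabled = true\n"
    )


if __name__ == "__main__":
    for ip, when in simulate(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print(render_jail_local())
```

Running it bans 198.51.100.7 at its second failure (maxretry = 2 is reached), never touches 203.0.113.10 because ignoreip covers it, and leaves 192.0.2.33 alone because its two failures are 15 minutes apart and so never share a findtime window. That last case is why findtime matters as much as maxretry when tuning a jail.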
