Setting Up Fail2Ban on Ubuntu to Monitor SSH

May 11, 2014

Why use Fail2Ban? Because numerous unknown individuals may be attempting to connect to your server or workstation through SSH.

Sounds good, how do I set it up?

1. Start by installing Fail2Ban:

sudo apt-get install fail2ban

2. We will want to make a backup copy of the original config file before we start editing:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.orig

3. Now let’s edit the configuration file. Open it in your favorite text editor. (I chose nano):

sudo nano /etc/fail2ban/jail.conf

4. I like to add my personal ip address to the ignoreip section to prevent myself from getting locked out. This can be done by editing the ignoreip line within the config file. Space separate the whitelisted domains or ip addresses.

ignoreip = 127.0.0.1/8 mydomain.com

5. I like to decrease the maxretry value to 2. This will give me two attempts for connecting from an ip or domain other than my own. Any more than two I feel is me having a really bad day or a hack attempt. Edit the line that states maxretry = 3 to the following:

maxretry = 2

SSH monitoring is enabled by default, so there shouldn’t be much else to do for basic setup at this point. If you want to change the logging level or the location of the log file you can edit the fail2ban.conf file.

6. Now just restart Fail2Ban and you should be all set:

sudo service fail2ban restart