====== Ubuntu - Fail2Ban - Install Fail2Ban ======
===== Install fail2ban =====
sudo apt-get install fail2ban -y
----
===== Start and enable the fail2ban service =====
sudo systemctl enable --now fail2ban
----
===== Configure Firewall =====
sudo ufw allow ssh
**NOTE:** This allows SSH traffic into the server.
----
===== Configure fail2ban =====
Fail2ban depends on a few different files and directories, which are:
* **fail2ban.conf** – the main configuration file.
* **jail.conf** – a sample jail configuration.
* **action.d** – contains various fail2ban action configurations for things like mail and firewall.
* **jail.d** – contains additional fail2ban jail configurations.
**WARNING:** The default values in **/etc/fail2ban/jail.conf** may change with package updates, so it is recommended to create a **jail.local** file with the configuration changes needed.
----
===== To modify some default settings =====
Create the **/etc/fail2ban/jail.local** file if it does not exist, otherwise edit it, and populate it with:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1d
findtime = 5m
maxretry = 5
destemail = root@localhost
sender = root@mediaserver
**NOTE:** Notice the **[DEFAULT]** tag. Settings in this section apply to every jail unless a jail overrides them.
To apply these new settings, restart Fail2Ban:
sudo systemctl restart fail2ban
----
===== To prevent malicious SSH logins =====
Create the **jail.local** file if it does not exist, otherwise edit it:
sudo vi /etc/fail2ban/jail.local
...and populate that file with:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1
**NOTE:**
* **enabled** – Enables the jail.
* **port** – The port (here the **ssh** service name) that is blocked for a banned IP address.
* **filter** – The built-in filter fail2ban will use.
* **logpath** – The log file fail2ban monitors for failed login attempts.
* **maxretry** – The number of failed attempts allowed before an IP is blocked.
* **findtime** – The time window, in seconds, within which the **maxretry** failed login attempts must occur.
* **bantime** – Number of seconds an IP address is banned for.
* **ignoreip** – An IP address that is to be ignored by fail2ban.
To apply these new settings, restart Fail2Ban:
sudo systemctl restart fail2ban
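How **maxretry**, **findtime**, **bantime** and **ignoreip** from the [sshd] jail above interact, shown as an added example (a simplified model, not fail2ban's own code or filter). The log lines, addresses, the regular expression and the ''find_bans'' helper are constructed for illustration, and the year is an assumption because classic syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the [sshd] jail above.
MAXRETRY = 3
FINDTIME = timedelta(seconds=300)
BANTIME = timedelta(seconds=28800)
IGNOREIP = [ipaddress.ip_network("127.0.0.1/32")]

# Constructed sample lines (documentation-range addresses), not real logs.
SAMPLE_LOG = """\
Mar 10 09:00:00 srv sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 09:01:00 srv sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar 10 09:02:00 srv sshd[813]: Failed password for root from 127.0.0.1 port 40114 ssh2
Mar 10 09:02:10 srv sshd[813]: Failed password for root from 127.0.0.1 port 40115 ssh2
Mar 10 09:02:20 srv sshd[813]: Failed password for root from 127.0.0.1 port 40116 ssh2
Mar 10 09:03:00 srv sshd[814]: Accepted password for alice from 198.51.100.4 port 40117 ssh2
Mar 10 09:04:30 srv sshd[815]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 10 09:05:00 srv sshd[816]: Failed password for bob from 198.51.100.9 port 40119 ssh2
Mar 10 09:11:00 srv sshd[817]: Failed password for bob from 198.51.100.9 port 40120 ssh2
Mar 10 09:17:00 srv sshd[818]: Failed password for bob from 198.51.100.9 port 40121 ssh2
"""

# Hypothetical, simplified pattern; the real sshd filter covers many more messages.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_bans(log_text, year=2024):
    """Return {ip: (ban_start, ban_end)} for hosts reaching MAXRETRY within FINDTIME."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP) or str(ip) in bans:
            continue  # ignored address, or already banned
        window = recent[str(ip)]
        window.append(when)
        while when - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[str(ip)] = (when, when + BANTIME)
    return bans
```

On the running system, ''sudo fail2ban-client status sshd'' lists the addresses the jail has actually banned.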
----
===== Restart fail2ban =====
sudo systemctl restart fail2ban
----