Fail2Ban is a popular open-source intrusion prevention tool that can help protect your server from brute-force attacks and other malicious activity. It works by analyzing log files and blocking IP addresses that show signs of malicious activity. In this tutorial, we will walk you through the steps to setup Fail2Ban for Ubuntu and NGINX with automatic email notifications using Sendmail.
Step 1: Update System Packages
Before installing Fail2Ban, make sure your system packages are up to date by running the following commands:
sudo apt update sudo apt upgrade
Step 2: Install Fail2Ban
You can install Fail2Ban from the Ubuntu repositories by running the following command:
sudo apt install fail2ban
Step 3: Configure Fail2Ban for NGINX
By default, Fail2Ban is configured to monitor SSH connections. However, you can configure it to monitor other services as well. The configuration files for Fail2Ban are located in the /etc/fail2ban/ directory.
To monitor NGINX, create a new configuration file /etc/fail2ban/jail.d/nginx.conf with the following contents:
[nginx] enabled = true port = http,https filter = nginx-auth logpath = /var/log/nginx/access.log maxretry = 6
This configuration file tells Fail2Ban to monitor NGINX access logs for authentication failures (filter = nginx-auth) and block IP addresses that fail to authenticate more than six times (maxretry = 6).
Step 4: Set Up Automatic Email Notifications
Fail2Ban can send email notifications when an IP address is blocked. To set up automatic email notifications, you need to install the mailutils package by running the following command:
sudo apt install mailutils
Once installed, create a new configuration file /etc/fail2ban/action.d/mail-whois-lines.conf with the following contents:
[Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> = IP address # <failures> = number of failures # <hostname> = hostname actionban = printf "Banned IP address %s\n" <ip> | mail -s "Fail2Ban: IP Address banned on $(hostname)" <[email protected]> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> = IP address # <failures> = number of failures # <hostname> = hostname actionunban = printf "Unbanned IP address %s\n" <ip> | mail -s "Fail2Ban: IP Address unbanned on $(hostname)" <[email protected]>
Replace <[email protected]> with the email address you want to receive notifications.
By default, Fail2Ban doesn’t send any notifications when an IP is banned. We can configure it to send emails to the server administrator when an IP is banned by editing the jail.local file again:
sudo nano /etc/fail2ban/jail.local
Find the [DEFAULT] section and add the following lines:
destemail = [email protected] sendername = Fail2Ban mta = sendmail
Replace [email protected] with your email address. You can also change Fail2Ban to any name you like.
Save and close the file.
To apply the changes we made, we need to restart Fail2Ban:
sudo systemctl restart fail2ban
Fail2Ban is now set up to ban IPs that show malicious behavior and send email notifications to the server administrator.
In Conclusion
In this tutorial, we learned how to install and configure Fail2Ban on an Ubuntu server running NGINX. We also set up automatic email notifications to keep the server administrator informed of any malicious activity.
Remember that Fail2Ban is just one tool in a larger arsenal of security measures. It’s important to keep your server and applications up to date, use strong passwords, and regularly monitor your logs for any suspicious activity.
