Tutorial: Setup Fail2Ban For Ubuntu and NGINX with Email Notification.

Fail2Ban is a popular open-source intrusion prevention tool that can help protect your server from brute-force attacks and other malicious activity. It works by analyzing log files and blocking IP addresses that show signs of malicious activity. In this tutorial, we will walk you through the steps to setup Fail2Ban for Ubuntu and NGINX with automatic email notifications using Sendmail.

Step 1: Update System Packages

Before installing Fail2Ban, make sure your system packages are up to date by running the following commands:

sudo apt update
sudo apt upgrade

Step 2: Install Fail2Ban

You can install Fail2Ban from the Ubuntu repositories by running the following command:

sudo apt install fail2ban

Step 3: Configure Fail2Ban for NGINX

By default, Fail2Ban is configured to monitor SSH connections. However, you can configure it to monitor other services as well. The configuration files for Fail2Ban are located in the /etc/fail2ban/ directory.

To monitor NGINX, create a new configuration file /etc/fail2ban/jail.d/nginx.conf with the following contents:

[nginx]
enabled = true
port = http,https
filter = nginx-auth
logpath = /var/log/nginx/access.log
maxretry = 6

This configuration file tells Fail2Ban to monitor NGINX access logs for authentication failures (filter = nginx-auth) and block IP addresses that fail to authenticate more than six times (maxretry = 6).

Step 4: Set Up Automatic Email Notifications

Fail2Ban can send email notifications when an IP address is blocked. To set up automatic email notifications, you need to install the mailutils package by running the following command:

sudo apt install mailutils

Once installed, create a new configuration file /etc/fail2ban/action.d/mail-whois-lines.conf with the following contents:

[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
actionstart =
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
actionstop =
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
actioncheck =
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip> = IP address
#          <failures> = number of failures
#          <hostname> = hostname
actionban = printf "Banned IP address %s\n" <ip> | mail -s "Fail2Ban: IP Address banned on $(hostname)" <[email protected]>
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip> = IP address
#          <failures> = number of failures
#          <hostname> = hostname
actionunban = printf "Unbanned IP address %s\n" <ip> | mail -s "Fail2Ban: IP Address unbanned on $(hostname)" <[email protected]>

Replace <[email protected]> with the email address you want to receive notifications.

By default, Fail2Ban doesn’t send any notifications when an IP is banned. We can configure it to send emails to the server administrator when an IP is banned by editing the jail.local file again:

sudo nano /etc/fail2ban/jail.local

Find the [DEFAULT] section and add the following lines:

destemail = [email protected]
sendername = Fail2Ban
mta = sendmail

Replace [email protected] with your email address. You can also change Fail2Ban to any name you like.

Save and close the file.

To apply the changes we made, we need to restart Fail2Ban:

sudo systemctl restart fail2ban

Fail2Ban is now set up to ban IPs that show malicious behavior and send email notifications to the server administrator.

In Conclusion

In this tutorial, we learned how to install and configure Fail2Ban on an Ubuntu server running NGINX. We also set up automatic email notifications to keep the server administrator informed of any malicious activity.

Remember that Fail2Ban is just one tool in a larger arsenal of security measures. It’s important to keep your server and applications up to date, use strong passwords, and regularly monitor your logs for any suspicious activity.

Scroll to top