How to install Fail2ban with email notification
You might think this is just another “how to” on installing Fail2ban. I admit there are a lot of instructions available. However, I couldn’t find clear instructions for installing Fail2ban with email notification, and some of them miss an important setting. I love Fail2ban and use it on several Linux servers, and I would like to get an email when Fail2ban triggers an action.
What is Fail2ban?
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When it finds an attempted compromise that matches the defined parameters, Fail2ban adds a new rule to iptables to block the attacker’s IP address, either for a set amount of time or permanently. Fail2ban can also alert you by email that an attack is occurring.
How to install Fail2ban?
I show you the installation on an Ubuntu server. The good thing is that it is a very quick installation; there is not much to do.
Make sure your system is up to date
sudo apt-get update
sudo apt-get upgrade
sudo apt install fail2ban
You also need to install email support on your server, for example sendmail. Postfix is 100% sendmail-compatible, so it works fine with Fail2ban too.
Please also check your server time is correct.
If not please check this blog.
The configuration files are in /etc/fail2ban. The basic configuration is in jail.conf. However, if you want to make changes, create jail.local. Fail2ban is configured so that settings in jail.local override settings in jail.conf. Furthermore, if you update Fail2ban later there is a chance that jail.conf will be overwritten, while jail.local is retained.
Configuration example for ssh with email notification
We all love ssh to access our servers. However, hackers love ssh too. 🙂 As an aside, I recommend not using the default port 22. Use another port, configure your firewall and maybe your Linux firewall too.
So here is an example jail.local for ssh with email support:
[DEFAULT]
# Addresses never banned. Fail2ban's own default is 127.0.0.1/8 ::1;
# the value below exempts only the single address 127.0.0.0.
ignoreip = 127.0.0.0
# ban for one day
bantime = 86400s
# failures are counted within this window
findtime = 120s
destemail = email@example.com
sender = yourname@example.com
sendername = Fail2ban
mta = sendmail
# ban, then email with whois report and the relevant log lines
action = %(action_mwl)s

[sshd]
enabled = true
port = 12522
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Don’t even try, I don’t have ssh on port 12522. 🙂
bantime = The length of time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent.
findtime = The window of time in which failed login attempts are counted before a ban is set.
maxretry = How many attempts can be made to access the server from a single IP before a ban is imposed.
action = the “mw” after “action_” tells Fail2ban to ban and also send you an email. “mwl” attaches the relevant log lines too.
Testing Fail2ban and email notification
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd
Do not forget to restart the Fail2ban service after every configuration change. The other two commands tell you whether Fail2ban works. The status switch on its own lists the jails Fail2ban is watching; use the status switch with the jail name, “status sshd”, to see more information about that jail.
You can create your own filter using regular expressions. Filters are located in /etc/fail2ban/filter.d. Fail2ban already ships with the most important filters ready to use.
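To make the jail.local parameters above and the filter idea concrete, here is an added example (not Fail2ban’s own code) that applies the same sliding-window logic to a few constructed /var/log/auth.log lines: a simplified version of the sshd failed-password regex, findtime = 120, maxretry = 3 and bantime = 86400 taken from the configuration above. The log year is assumed, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the jail.local above.
FINDTIME = 120      # seconds
MAXRETRY = 3
BANTIME = 86400     # seconds

# Simplified version of the pattern Fail2ban's sshd filter matches for failed
# password attempts (the real filter.d/sshd.conf covers many more cases).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines in the syslog format used by /var/log/auth.log.
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  4 10:00:30 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  4 10:01:10 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  4 10:01:50 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  4 10:02:00 host sshd[1005]: Failed password for root from 198.51.100.9 port 50010 ssh2
Mar  4 10:10:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 50011 ssh2
Mar  4 10:20:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 50012 ssh2
"""

def parse_ts(ts, year=2024):
    # syslog lines have no year; assumed here for the constructed sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: (ban_start, ban_end)} for IPs reaching maxretry failures within findtime."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue              # e.g. the successful public-key login is ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue              # already banned, nothing more to count
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans
```

With these lines 203.0.113.5 is banned at its third failure inside 120 s, while 198.51.100.9 spreads its three failures over 18 minutes and is never banned; raising findtime (for example to 3600) bans it too.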
Fail2ban is an easy installation and doesn’t need a lot of configuration. I recommend making all your config changes in jail.local and not jail.conf.