How to install Fail2ban with email notification
You might think “Oh no, not another how-to about installing Fail2ban.” I admit there are a lot of instructions available. However, I simply could not find a clear guide on installing Fail2ban with email notification. I love Fail2ban and use it on several Linux servers. For me, it is important to receive an email when Fail2ban triggers an action.
What is Fail2ban?
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack, such as repeated failed logins. When the defined parameters are met, Fail2ban adds a firewall rule (by default via iptables; nftables and other backends are available) that blocks the attacker's IP address, either for a fixed period of time or permanently. Fail2ban can also alert you by email about an ongoing attack, which is what this guide sets up.
How to install Fail2ban?
I’m demonstrating the installation on an Ubuntu server. The good thing is that it’s a pretty quick installation, with not much to do.
Make sure your system is up to date
sudo apt-get update
sudo apt-get upgrade
sudo apt install fail2ban
You also need a working mail transfer agent on the server, because the email actions call the sendmail program. Postfix provides a sendmail-compatible /usr/sbin/sendmail interface, so it works fine with Fail2ban's mta = sendmail setting. Before relying on it, confirm that mail actually leaves the server, for example with echo test | sendmail you@example.org, and check /var/log/mail.log if nothing arrives.
Please also check that the server clock is set correctly. Fail2ban compares the timestamps in the log lines with the current time, so a skewed clock can make it ignore matches that are "too old" or count them in the wrong window.
If not, please check the linked blog post on setting the time.
The configuration files are in /etc/fail2ban. The basic configuration is in jail.conf. However, if you want to make changes, create jail.local. Fail2ban reads jail.conf first and then jail.local, so settings in jail.local override settings in jail.conf (files in /etc/fail2ban/jail.d/ work the same way). Furthermore, if you update Fail2ban later, the package can overwrite jail.conf, whereas jail.local is left untouched.
Configuration example for ssh with email notification
We all love using ssh to access our servers. But we are not the only ones. Hackers love ssh too. 🙂 As a special tip, I recommend not using the default port 22. Moving sshd to another port cuts most of the noise from automated scanners (it is not a substitute for key-based authentication). Remember to open the new port in your network firewall and, if you run one, in the Linux host firewall too.
So here is an example jail.local for ssh with email support
[DEFAULT]
# never ban loopback; add the address or range you administer from
ignoreip = 127.0.0.1/8 ::1
bantime = 86400s
findtime = 120s
destemail = firstname.lastname@example.org
sender = yourname@example.com
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s

[sshd]
enabled = true
port = 12522
filter = sshd
logpath = /var/log/auth.log
# on hosts that log only to the systemd journal (no /var/log/auth.log),
# replace the logpath line with: backend = systemd
maxretry = 3
Don’t even try, I don’t have ssh on port 12522. 🙂
bantime = How long an IP stays banned, in seconds (a unit suffix such as 86400s or 1d is also accepted). A negative value makes the ban permanent.
findtime = The window in which failures are counted. An IP is banned when it reaches maxretry failures within the last findtime seconds; failures older than findtime no longer count, so attempts spaced further apart than findtime never add up to a ban.
maxretry = The number of failures from a single IP within findtime that triggers a ban.
action = %(action_)s only bans. %(action_mw)s bans and mails you a whois report on the attacker's IP. %(action_mwl)s does the same and also attaches the matching log lines. The whois report needs the whois package (sudo apt install whois); without it the mail still arrives, but the lookup is missing.
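To make the interplay of findtime, maxretry and bantime concrete, here is an added Python example (my own illustration, not code from this post or from Fail2ban itself). It runs a reduced version of the sshd failregex over a few constructed auth.log lines using the values from the jail.local above, and shows three things the definitions alone do not: a burst of three failures inside findtime gets banned, three failures spaced three minutes apart never do, and an expired ban is lifted before the host is counted again. The regex, the sample log lines and the year used to complete the syslog timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Reduced stand-in for the stock sshd failregex (the real filter in
# /etc/fail2ban/filter.d/sshd.conf has many more patterns). Fail2ban's
# <HOST> token is replaced here by a plain IPv4 group for brevity.
FAILREGEX = re.compile(
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Jail parameters mirroring the jail.local above.
MAXRETRY = 3
FINDTIME = timedelta(seconds=120)
BANTIME = timedelta(seconds=86400)
IGNOREIP = {"127.0.0.1"}  # toy: exact addresses only, no CIDR handling

# Constructed sample log lines (not real traffic); auth.log carries no year.
LOG = """\
Mar 14 10:00:01 web sshd[2101]: Failed password for root from 203.0.113.5 port 50012 ssh2
Mar 14 10:00:03 web sshd[2101]: Failed password for root from 203.0.113.5 port 50012 ssh2
Mar 14 10:00:05 web sshd[2103]: Invalid user admin from 203.0.113.5 port 50020
Mar 14 10:00:06 web sshd[2105]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 14 10:03:00 web sshd[2110]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 14 10:06:00 web sshd[2112]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Mar 14 10:06:10 web sshd[2113]: Failed password for root from 127.0.0.1 port 40004 ssh2
Mar 14 10:06:11 web sshd[2113]: Failed password for root from 127.0.0.1 port 40005 ssh2
Mar 14 10:06:12 web sshd[2113]: Failed password for root from 127.0.0.1 port 40006 ssh2
Mar 14 10:06:20 web sshd[2114]: Accepted publickey for alice from 198.51.100.7 port 40007 ssh2
Mar 15 10:00:10 web sshd[3001]: Failed password for root from 203.0.113.5 port 50030 ssh2
"""


def parse_syslog_time(line, year):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp; the year is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


class Jail:
    """Sliding-window ban logic in the spirit of a Fail2ban jail."""

    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.bans = {}                      # host -> time the ban expires
        self.actions = []                   # (time, "ban" | "unban", host)

    def _expire_bans(self, now):
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.actions.append((now, "unban", host))

    def feed(self, line, year=2024):
        """Process one log line; return the host if this line caused a ban."""
        now = parse_syslog_time(line, year)
        self._expire_bans(now)  # bantime is checked against log time, like findtime
        m = FAILREGEX.search(line)
        if not m:
            return None
        host = m.group("host")
        if host in self.ignoreip or host in self.bans:
            return None
        window = self.failures[host]
        window.append(now)
        # Only failures inside the last findtime seconds count towards maxretry.
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            window.clear()
            self.actions.append((now, "ban", host))
            return host
        return None


def run(log=LOG, jail=None):
    """Feed every line of the log into a jail and return it for inspection."""
    jail = jail or Jail(MAXRETRY, FINDTIME, BANTIME, IGNOREIP)
    for line in log.splitlines():
        if line.strip():
            jail.feed(line)
    return jail


if __name__ == "__main__":
    for when, what, host in run().actions:
        print(f"{when:%b %d %H:%M:%S} {what.upper():5s} {host}")
```

Running it bans 203.0.113.5 at 10:00:05 (three failures in four seconds), never bans 198.51.100.7 (each failure falls outside the 120 s window of the previous one), ignores the loopback attempts, and lifts the ban at 10:00:10 the next day, 86400 s after it was set. Real Fail2ban matches log timestamps the same way, which is why the earlier remark about a correct server clock matters.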
Testing Fail2ban and email notification
sudo fail2ban-client -t
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
Do not forget to restart the Fail2ban service after every configuration change; fail2ban-client -t checks the configuration for syntax errors first, so a typo does not take the service down. The status command lists the jails Fail2ban is watching, and status sshd shows the details of that jail: the log file, the number of failures found and the currently banned IPs. With action_mwl you should also receive a "started" email for the jail right after the restart. To test the whole notification path without waiting for an attacker, ban a test address by hand and undo it afterwards:
sudo fail2ban-client set sshd banip 203.0.113.5
sudo fail2ban-client set sshd unbanip 203.0.113.5
You can also create your own filter using regular expressions. Filters are located in /etc/fail2ban/filter.d, one .conf file per service, and Fail2ban ships with filters for the most common daemons ready to use. Before enabling a new or edited filter, check it against a real log with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which reports how many lines matched and which did not.
Fail2ban is easy to install and doesn’t need a lot of configuration. I recommend making all your configuration changes in jail.local and never in jail.conf.
Amazon affiliate Program
Edy Werder is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.