How to install Fail2ban with email notification

You might think “Oh no, not another “how to” about installing Fail2ban. I admit there are a lot of instructions available. However, I simply could not find a clear guide on installing Fail2ban with email notification. I love Fail2ban and use it for several Linux servers. For me, it is important to receive an email when Fail2ban triggers an action.

What is Fail2ban?

Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker. For a fixed period of time or permanently. Fail2ban can also alert you by email about an ongoing attack.

How to install Fail2ban?

I’m demonstrating the installation on an Ubuntu server. The good thing is that it’s a pretty quick installation, with not much to do.

Make sure your system is up to date

sudo apt-get update
sudo apt-get upgrade

Install Fail2ban

sudo apt install fail2ban

You would also need to install email support on your server. For example sendmail. Postfix is 100% compliant with sendmail, so it works fine with Fail2ban.

Please also check that the time on your server time is set correctly.

timedatectl

If not please check this blog.

Configure Fail2ban

The configuration files are in /etc/fail2ban. The basic configuration is in jail.conf. However if you want to make changes, create jail.local. Fail2ban is configured such that settings in jail.local override settings in jail.conf. Furthermore, if you update Fail2ban later there is a chance that jail.conf could be overwritten, even as jail.local remains.

Configuration example for ssh with email notification

We all love using ssh to access our servers. But we are not the only ones. Hackers love ssh too. 🙂 As a special tip, I recommend not using the default port 22. Use another port, configure your firewall and maybe your linux firewall too.

So here is an example jail.local for ssh with email support

[DEFAULT]
ignoreip = 127.0.0.0
bantime  = 86400s
findtime  = 120s
destemail = yourname@example.com
sender = yourname@examplecom
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s

[sshd]
enabled = true
port = 12522
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Don’t even try, I don’t have ssh on port 12522. 🙂

bantime = The length of time in seconds for which an IP is banned. If set to a negative number, the ban will be permanent.
findtime = The length of time between login attempts before a ban is set.
maxretry = The number of attempts that can be made to access the server from a single IP before a ban is set.
action = the “mw” after the “action_” tells Fail2ban to send you emails. “mwl” attaches the logs too.

Testing Fail2ban and email notification

systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd

Do not forget to restart the Fail2ban service after every configuration change. The other two commands will inform you if Fail2ban works. The status switch shows the service Fail2ban is watching. Use the status switch and service name “status sshd” to see more information

You could create your own filter using regex. Filters are located in /etc/fail2ban/filter.d. Fail2ban ships with the most important filter ready to use.

Conclusion

Fail2ban is an easy installation and doesn’t need a lot of configuration. I recommend making all your config changes in jail.local and not jail.conf.