The fail2ban tool monitors your log files and acts as soon as it discovers malicious behavior in the way you told it to. One common use case is blocking malicious IP addresses by establishing firewall rules on the fly using iptables.
This is a tool that serves to protect a variety of services including SSH, FTP, SMTP, Apache, and many more against unwanted visitors. It works by reading log files for patterns based on failed login attempts and deals with the offending IP addresses accordingly. Of course, you may have already hardened your SSH server or another service on a direct application level, but it is the purpose of this recipe to show that, when faced with the possibility of Brute Force Attacks, an added layer of protection is always useful.
Uninstalling fail2ban on Ubuntu
Despite the features provided by fail2ban, you might still want to uninstall the package. To do so follow the steps outlined below:
1. Remove the fail2ban package:
$ sudo apt-get remove fail2ban
2. Uninstall fail2ban including dependent package. If you would like to remove fail2ban and it’s dependent packages which are no longer needed from Ubuntu,
$ sudo apt-get remove --auto-remove fail2ban
Use Purging fail2ban
If you use with purge options to fail2ban package all the configuration and dependent packages will be removed.
$ sudo apt-get purge fail2ban
If you use purge options along with auto remove, will be removed everything regarding the package, It’s really useful when you want to reinstall again.
$ sudo apt-get purge --auto-remove fail2ban
Reinstalling fail2ban in Ubuntu
Installing and configuring Fail2ban is relatively straightforward. First, install its package:
$ sudo apt install fail2ban
After installation, the fail2ban daemon will start up and be configured to automatically start at boot-time. Configuring fail2ban is simply a matter of creating a configuration file. The simplest way to get started is to make a copy of jail.conf and save it as jail.local:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the /etc/fail2ban/jail.local configuration file as per your needs and restart the fail2ban service:
$ sudo systemctl restart fail2ban $ sudo systemctl status -l fail2ban
Conclusion
Fail2Ban is a third-party program that runs in the background and monitors logs. When specific loglines (such as the authentication challenge line shown previously) are seen a certain number of times, Fail2Ban takes an action. It can be programmed to e-mail you with an alert or automatically use IPTables to block an offending IP address after too many attempts occur within a certain period of time.