Linux

Install and Configure Fail2ban on Debian 10

Install and Configure Fail2ban on Debian 10

All servers that are accessible from the Internet are at risk of malware attacks. For example, if you have an application that is accessible from the public network, attackers can use brute-force attempts to gain access to the application.

Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.

This article explains how to install and configure Fail2ban on Debian 10.

Installing Fail2ban on Debian #

The Fail2ban package is included in the default Debian 10 repositories. To install it, run the following command as root or user with sudo privileges :

sudo apt updatesudo apt install fail2ban

Once completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:

sudo systemctl status fail2ban

The output will look like this:

● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2021-03-10 18:57:32 UTC; 47s ago… 

That's it. At this point, you have Fail2Ban running on your Debian server.

Fail2ban Configuration #

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. You should not modify these files as they may be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:

The easiest way to configure Fail2ban is to copy the jail.conf to jail.local and modify the .local file. More advanced users can build a .local configuration file from scratch. The .local file doesn't have to include all settings from the corresponding .conf file, only those you want to override.

Create a .local configuration file by copying the default jail.conf file:

sudo cp /etc/fail2ban/jail.conf,local

To start configuring the Fail2ban server open, the jail.local file with your text editor :

sudo nano /etc/fail2ban/jail.local

The file includes comments describing what each configuration option does. In this example, we'll change the basic settings.

Whitelisting IP Addresses #

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. Here you should add your local PC IP address and all other machines that you want to whitelist.

Uncomment the line starting with ignoreip and add your IP addresses separated by space:

/etc/fail2ban/jail.local
ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24 

Ban Settings #

bantime, findtime, and maxretry options set the ban time and ban conditions.

bantime is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the bantime value is set to 10 minutes. Most users prefer to set a longer ban time. Change the value to your liking:

/etc/fail2ban/jail.local
bantime = 1d 

To permanently ban the IP, use a negative number.

findtime is the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry, see below), those failures must occur within the findtime duration.

/etc/fail2ban/jail.local
findtime = 10m 

maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

/etc/fail2ban/jail.local
maxretry = 5 

Email Notifications #

Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP installed on your server and change the default action, which only bans the IP to %(action_mw)s, as shown below:

/etc/fail2ban/jail.local
action = %(action_mw)s 

%(action_mw)s bans the offending IP and sends an email with a whois report. If you want to include the relevant logs in the email, set the action to %(action_mwl)s.

You can also change the sending and receiving email addresses:

/etc/fail2ban/jail.local
destemail = [email protected] sender = [email protected] 

Fail2ban Jails #

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with a number of jail for different services. You can also create your own jail configurations. By default, only the ssh jail is enabled.

To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the postfix jail:

/etc/fail2ban/jail.local
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log 

The settings we discussed in the previous section, can be set per jail. Here is an example:

/etc/fail2ban/jail.local
[sshd] enabled = true maxretry = 3 findtime = 1d bantime = 4w ignoreip = 127.0.0.1/8 11.22.33.44 

The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.

Each time the configuration file is modified, the Fail2ban service must be restarted for changes to take effect:

sudo systemctl restart fail2ban

Fail2ban Client #

Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.

To view all available options, invoke the command with the -h option:

fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

Conclusion #

We've shown you how to install and configure Fail2ban on Debian 10.

For more information on this topic, visit the Fail2ban documentation .

If you have questions, feel free to leave a comment below.

Gry Darmowe i otwarte silniki gier do tworzenia gier na Linuksa
Darmowe i otwarte silniki gier do tworzenia gier na Linuksa
Ten artykuł zawiera listę darmowych i otwartych silników gier, których można używać do tworzenia gier 2D i 3D w systemie Linux. Istnieje wiele takich ...
Gry Samouczek Shadow of the Tomb Raider dla systemu Linux
Samouczek Shadow of the Tomb Raider dla systemu Linux
Shadow of the Tomb Raider to dwunasty dodatek do serii Tomb Raider - przygodowej serii gier akcji stworzonej przez Eidos Montreal. Gra została dość do...
Gry Jak zwiększyć FPS w Linuksie??
Jak zwiększyć FPS w Linuksie??
FPS oznacza Klatki na sekundę. Zadaniem FPS jest pomiar liczby klatek na sekundę podczas odtwarzania wideo lub wydajności gier. W prostych słowach lic...