Install and Configure Fail2Ban for SSH on Debian
Table of Contents
Fail2Ban is a vital security tool for Linux servers, particularly useful in protecting SSH services against brute-force attacks. It monitors service logs for malicious activity and bans offending IPs for a specified duration.
Installing Fail2Ban #
Fail2Ban is included in Debian’s default repositories, making it easy to install:
Update your package listings:
sudo apt updateInstall Fail2Ban:
sudo apt install fail2ban
After installation, the Fail2Ban service starts automatically. Verify it with:
sudo systemctl status fail2ban
Configuring Fail2Ban #
Configuration involves editing .local files that override the default .conf files:
Create a
.localConfiguration File: Copyjail.conftojail.local:sudo cp /etc/fail2ban/jail.{conf,local}Edit the
jail.localFile: Open the file:sudo nano /etc/fail2ban/jail.localHere, you can set various parameters.
Important Parameters #
Whitelisting IP Addresses: Add trusted IPs to the
ignoreipdirective:ignoreip = 127.0.0.1/8 ::1 [Trusted IPs]Setting Ban Conditions
bantime: Duration to ban the IP (default is 10 minutes).findtime: Time window in which failures must occur.maxretry: Number of failures before banning.
Example settings:
bantime = 1d findtime = 10m maxretry = 5Email Notifications
Configure to receive email alerts on banning events:
action = %(action_mw)s destemail = your-email@example.com sender = server-email@example.com
Configuring SSH Jail #
Fail2Ban uses ‘jails’ for each service. For SSH, enable and configure the SSH jail in jail.local:
[sshd]
enabled = true
maxretry = 5
findtime = 12h
bantime = 1d
ignoreip = 127.0.0.1/8 [Other Trusted IPs]
Restarting Fail2Ban #
After changes, restart Fail2Ban to apply:
sudo systemctl restart fail2ban
Using fail2ban-client #
Manage Fail2Ban with fail2ban-client. Common commands include:
- Checking server status:
sudo fail2ban-client status - Unbanning an IP:
sudo fail2ban-client set sshd unbanip [IP Address]
Explore more options with fail2ban-client -h.