Install and Configure Fail2Ban for SSH on Debian
Fail2Ban is a vital security tool for Linux servers, particularly useful in protecting SSH services against brute-force attacks. It monitors service logs for malicious activity and bans offending IPs for a specified duration.
Installing Fail2Ban
Fail2Ban is included in Debian’s default repositories, making it easy to install:
Update your package listings:
sudo apt update
Install Fail2Ban:
sudo apt install fail2ban
After installation, the Fail2Ban service starts automatically. Verify it with:
sudo systemctl status fail2ban
Configuring Fail2Ban
Configuration involves editing .local files that override the default .conf files:
Create a .local Configuration File: Copy jail.conf to jail.local:
sudo cp /etc/fail2ban/jail.{conf,local}
Edit the jail.local File: Open the file:
sudo nano /etc/fail2ban/jail.local
Here, you can set various parameters.
Important Parameters
Whitelisting IP Addresses: Add trusted IPs to the ignoreip directive:
ignoreip = 127.0.0.1/8 ::1 [Trusted IPs]
Setting Ban Conditions
bantime: Duration to ban the IP (default is 10 minutes).
findtime: Time window in which failures must occur.
maxretry: Number of failures before banning.
Example settings:
bantime = 1d
findtime = 10m
maxretry = 5
Email Notifications
Configure Fail2Ban to send email alerts on banning events:
action = %(action_mw)s
destemail = your-email@example.com
sender = server-email@example.com
Configuring SSH Jail
Fail2Ban uses ‘jails’ for each service. For SSH, enable and configure the SSH jail in jail.local:
[sshd]
enabled = true
maxretry = 5
findtime = 12h
bantime = 1d
ignoreip = 127.0.0.1/8 [Other Trusted IPs]
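How maxretry, findtime, bantime and ignoreip decide a ban, as an added example (not Fail2Ban's own code and not from the original page): a simplified Python model of one jail run over constructed log lines. The function names, the log line format and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed log format: ISO timestamp, host, then sshd's "Failed password" message.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def to_seconds(value):
    """Convert time abbreviations such as 10m, 12h, 1d (or bare seconds)."""
    value = value.strip()
    return int(value[:-1]) * UNITS[value[-1]] if value[-1] in UNITS else int(value)

def simulate(lines, maxretry, findtime, bantime, ignoreip=()):
    """Simplified model of one jail: returns {ip: (ban_start, ban_end)}."""
    window, ban_len = to_seconds(findtime), to_seconds(bantime)
    # strict=False accepts entries with host bits set, like 127.0.0.1/8
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)).timestamp(), m.group(2)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # ignoreip: failures are not counted at all
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned, nothing new to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + ban_len)
            q.clear()
    return bans

# Constructed sample: 5 quick failures from localhost, 5 slow ones from one remote IP.
EVENTS = [("00:01:0%d" % i, "127.0.0.1") for i in range(5)] + [
    (t, "203.0.113.7") for t in ("00:00:00", "03:00:00", "06:00:00", "09:00:00", "11:30:00")]
SAMPLE = sorted(
    "2024-05-01T%s+00:00 srv sshd[900]: Failed password for root from %s port 40000 ssh2" % e
    for e in EVENTS)

if __name__ == "__main__":
    trusted = ["127.0.0.1/8", "::1"]
    print("findtime=12h:", simulate(SAMPLE, 5, "12h", "1d", trusted))
    print("findtime=10m:", simulate(SAMPLE, 5, "10m", "1d", trusted))
```

With the jail's findtime = 12h the five slow failures from 203.0.113.7 fall inside one window and produce a ban; with findtime = 10m the same lines produce none.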
Restarting Fail2Ban
After changes, restart Fail2Ban to apply:
sudo systemctl restart fail2ban
Using fail2ban-client
Manage Fail2Ban with fail2ban-client. Common commands include:
- Checking server status:
sudo fail2ban-client status
- Unbanning an IP:
sudo fail2ban-client set sshd unbanip [IP Address]
Explore more options with fail2ban-client -h.