Fail2ban is an open-source tool which is used to protect your Linux system from Brute Force and DDoS other automated attacks. It blocks the client which are repeatedly fail to authenticate correctly with the services configured for it. Actually, it monitoring the logs of services for malicious activity and identify the automated attacks. This article explains how to install and configure Fail2ban on Debian 10.
Installing Fail2ban on Debian
The Fail2ban package is included in the default Debian 10 repositories. So it is very straightforward to install Fail2ban package.
Step 1 – Install Fail2ban
Run the following command as root or user with sudo privileges to install Fail2ban package:
sudo apt update
sudo apt install fail2ban
Once the the installation completes, the Fail2ban service will be start automatically.
Step 2 – Verify Installation
You can verify the installation by checking the service status:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-05-15 03:11:19 UTC; 27s ago
...That’s it. At this point, you have Fail2Ban running on your Debian server.
Step 3 – Fail2ban Configuration
By default, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf files are configuration files which comes with Fail2Ban installation. We will not direct edit these files because these can be overwritten once the package is updated.
We will make another copy of jail.conf configuration file with jail.local and then make changes to this .local file. In .local there is only changes which we need to overwrite. Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:
- /etc/fail2ban/jail.conf
- /etc/fail2ban/jail.d/*.conf
- /etc/fail2ban/jail.local
- /etc/fail2ban/jail.d/*.local
Copy the jail.conf and save as a jail.local file:
sudo cp /etc/fail2ban/jail.{conf,local}
To make the configuration changes, open jail.local file using text editor:
sudo nano /etc/fail2ban/jail.local
As you can see the instruction with comment in the configuration file. Below is the configuration file with default settings. Let’s change basic configuration in this file.
[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemdWhitelist IP Address
You can add the IP address and IP ranges to the ignoreip directive to allow all time and prevent from ban. Here, you can add your local IP addresses and other system address which you want to whitelist.
You should uncomment the line starting with ignoreip and add your IP addresses separated by space:
ignoreip = 127.0.0.1/8 ::1 222.222.222.222 192.168.55.0/24Ban Settings
The values of bantime, findtime, and maxretry options define the ban time and ban conditions.
The bantime is the duration for which the IP is banned. The default value for bantime is 10 minutes and if there is no suffix specified then it will consider seconds. If you would like to change the longer time then just change the value like below:
bantime = 1d
For ban permanently use the negative number.
The findtime the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry), those failures must occur within the findtime duration.
findtime = 10m
Option maxretry is the number of failures, then it will be banned. The default value for the maxretry is 5 and it’s fine for most of users.
maxretry = 5
Conclusion
You successfully learned how to install and configure Fail2Ban on Debian 10 system. To learn more about Fail2Ban, visit Fail2ban documentation.
If you have any questions or suggestion, please leave a comment below.