How to Install and Configure Fail2ban on Debian 11 - DesignLinux

Dec 04 2022
designlinux 0 Comments
how-to-install-fail2ban-on-debian-11

Fail2ban is used to protect your Linux system from malicious activity and various attacks. It blocks the client which are repeatedly fail to authenticate correctly with the services configured for it. Actually, it monitoring the logs of services for malicious activity and identify the automated attacks. This article explains how to install and configure Fail2ban on Debian 11.

How to Install Fail2ban on Debian 11

By default, Debian 11 repository includes the Fail2ban package. So it is very straightforward to install Fail2ban package.

Perform the following steps to install Fail2ban on Debian 11 system:

Step 1 – Update your system

First of all you need to update your system and make up to date using below command:

sudo apt update && upgrade

Step 2 – Install Fail2ban

Next, issue below given command as root or user with sudo privileges to install Fail2ban package:

sudo apt install fail2ban

Once the the installation completes, the Fail2ban service will be start automatically.

If the service not active on your system, you can do it by using following commands:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Step 3 – Verify Installation

You can verify the installation by checking the service status:

sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-11-14 06:40:14 UTC; 45s ago
...

That’s it. At this point, you have Fail2Ban running on your Debian server.

Step 4 – Fail2ban Configuration

Fail2ban configuration files are located in /etc/fail2ban/ directory. By default, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf files are configuration files which comes with Fail2Ban installation. We will not direct edit these files because these files may be overwritten once the package is updated.

We will make another copy of jail.conf configuration file with jail.local and then make changes to this .local file. In .local there is only changes which we need to overwrite. Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/*.conf
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/jail.d/*.local

Copy the jail.conf and save as a jail.local file:

sudo cp /etc/fail2ban/jail.{conf,local}

To make the configuration changes, open jail.local file using text editor:

sudo nano /etc/fail2ban/jail.local

As you can see the instruction with comment in the configuration file. Below is the configuration file with default settings. Let’s change basic configuration in this file.

[DEFAULT]
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host that matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
backend=systemd

Whitelist IP Address

You can add the IP address and IP ranges to the ignoreip directive to allow all time and prevent from ban. Here, you can add your local IP addresses and other system address which you want to whitelist.

You should uncomment the line starting with ignoreip and add your IP addresses separated by space:

ignoreip = 127.0.0.1/8 ::1 222.222.222.222 192.168.55.0/24

Ban Settings

The values of bantime, findtime, and maxretry options define the ban time and ban conditions.

The bantime is the duration for which the IP is banned. The default value for bantime is 10 minutes and if there is no suffix specified then it will consider seconds. If you would like to change the longer time then just change the value like below:

bantime = 1d

For ban permanently use the negative number.

The findtime the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry), those failures must occur within the findtime duration.

findtime = 10m

Option maxretry is the number of failures, then it will be banned. The default value for the maxretry is 5 and it’s fine for most of users.

maxretry = 5

Conclusion

You successfully learned how to install and configure Fail2Ban on Debian 11 system. To learn more about Fail2Ban, visit Fail2ban documentation.

If you have any questions or suggestion, please leave a comment below.

Tags: , ,