Install Fail2Ban on Debian 7/8
While connecting to your server through SSH can be very secure, the SSH daemon itself is a service that must be exposed to the internet to function properly. This comes with some inherent risks. Any service that is exposed to the network is a potential target in this way. If you pay attention to the application logs for these services, you will often see repeated, systematic login attempts that represent brute force attacks by users and bots alike.
A service called fail2ban can mitigate this problem by creating rules that can automatically alter your iptables firewall configuration based on a predefined number of unsuccessful login attempts. This will allow your server to respond to illegitimate access attempts without your intervention.
In this guide, we will cover how to install and use Fail2Ban on a Debian server.
1. Install Fail2Ban
Login as root user and enter the following command to install Fail2Ban:
- apt-get install fail2ban
2. Copy the Configuration File
The default Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, since it can be modified by package upgrades, but rather copy it so that we can make our changes safely.
We need to copy this to a file called jail.local for Fail2Ban to find it.
- cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new jail.local file. Many possible services that may need protection are in the file already. Each one is located in its own section, configured and turned off.
3. Configure defaults in jail.local
Open up the new Fail2Ban configuration file:
- nano /etc/fail2ban/jail.local
The first section of defaults covers the basic rules that Fail2Ban will apply to all services enabled for Fail2Ban that are not overridden in the service’s own section.. If you want to set up more nuanced protection for your server, you can customize the details in each section.
You can see the default section below:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3
Write your personal IP address into the ignoreip line. You can separate each address with a space. IgnoreIP allows you to white list certain IP addresses and make sure that they are not locked out. Including your address will guarantee that you do not accidentally ban yourself from your own server.
The next step is to decide on a bantime, the number of seconds that a host would be blocked from the server if they are found to be in violation of any of the rules. This is especially useful in the case of bots, that once banned, will simply move on to the next target. The default is set for 10 minutes – you may raise this to an hour (or higher) if you like.
Maxretry is the amount of incorrect login attempts that a host may have before they get banned for the length of the ban time.
Findtime refers to the amount of time that a host has to log in. The default setting is 10 minutes; this means that if a host attempts, and fails, to log in more than the maxretry number of times in the designated 10 minutes, they will be banned.
4. Configure the ssh Section in Jail.Local
The SSH details section is just a little further down in the config, and it is already set up and turned on. Although you should not be required to make any changes within this section, you can find the details about each line below:
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5
Enabled simply refers to the fact that SSH protection is on. You can turn it off with the word “false”.
The port parameter defines which port Fail2Ban should be watching, if default port 22 is in use, then there is no need to change this parameter. Otherwise type the port you are using for SSH access.
The filter, set by default to sshd, refers to the config file containing the rules that fail2ban uses to find matches. The name is a shortened version of the file extension. For example, sshd refers to the /etc/fail2ban/filter.d/sshd.conf.
logpath refers to the log location that Fail2Ban will track.
The max retry line within the SSH section has the same definition as the default configuration file. However, if you have enabled multiple services and want to have specific values for each one, you can set the new max retry amount for SSH here.
5. Restart Fail2Ban
After making any changes to the Fail2Ban config, always be sure to restart Fail2Ban.
- service fail2ban restart
You can see the rules that fail2ban puts in effect within iptables with the following command:
- iptables -L
Check Fail2Ban Status
Use fail2ban-client command to query the overall status of the Fail2Ban jails.
- fail2ban-client status
You can also query a specific jail status using the following command:
- fail2ban-client status ssh
Manually Unban IP Banned by Fail2Ban
If for some reason you want to grant access to an IP that it is banned, use the following expression to manually unban an IP address, banned by fail2ban:
- fail2ban-client set JAIL unbanip IPADDRESS
eg. Unban IP 192.168.1.101, that was banned according to [sshd] jail:
- fail2ban-client set ssh unbanip 192.168.1.101
You should now be able to configure some basic banning policies for your services. Fail2ban is very easy to set up, and is a great way to protect any kind of service that uses authentication.