Fail2ban Installation on Debian 12 Bookworm

This guide shows you how to install Fail2ban on Debian 12 Bookworm. One of the most popular ways to increase your server security is to use Fail2ban, an intrusion prevention system (IPS) written in Python. Using Fail2ban on Debian 12 has many advantages, including:

  • Real-time Protection
  • Customizable Ban Policies
  • Extensive Compatibility
  • IP Address Blocking
  • Low Resource Usage
  • Open Source and Well-Supported

You can follow the steps below to install and configure Fail2ban on Debian 12 Bookworm.

Steps for Fail2ban Installation and Configuration on Debian 12 Bookworm

Before you start, you must have access to your server as a non-root user with sudo privileges. For this purpose, you can check this guide on Initial Server Setup with Debian 12 Bookworm.

Now follow the steps below to start your Fail2ban installation.

Step 1 – Install Fail2ban on Debian 12

The Fail2ban packages are available in the default Debian 12 repository. First, run the system update and upgrade with the commands below:

sudo apt update
sudo apt upgrade -y

Then, use the following command to install the Fail2ban package:

sudo apt install fail2ban -y

Step 2 – Start and Enable Fail2ban Service on Debian 12

When your installation is completed, you must start and enable your Fail2ban service by using the command below:

sudo systemctl enable fail2ban --now

Verify your Fail2ban service is active and running on Debian 12:

sudo systemctl status fail2ban
Output
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: ena>
     Active: active (running) since Sun 2023-10-08 02:52:56 EDT; 1min 39s ago
       Docs: man:fail2ban(1)
   Main PID: 49756 (fail2ban-server)
      Tasks: 5 (limit: 4653)
     Memory: 19.1M
        CPU: 414ms
     CGroup: /system.slice/fail2ban.service
             └─49756 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
...

Step 3 – Fail2ban Configuration Setup on Debian 12

At this point, you need to make some Fail2ban configuration setup on your server. You can follow the steps below to start your configuration changes.

Where Are the Fail2ban Configuration Files?

Fail2ban has two configuration files. They are located at the following paths:

  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/jail.d/defaults-debian.conf

Important Note: Do not modify these files. They are the original setup files and will be replaced in any future update to Fail2ban.

To make your configuration changes, you need to create a copy named jail.local and edit that copy instead. Fail2ban reads jail.local after jail.conf, so the settings in it take precedence.

Create a Copy of the Fail2ban Config File

As we said, you must create a copy of the file. To do this, you can run the command below:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then, you can verify your copied file exists in the /etc/fail2ban directory:

ls /etc/fail2ban/jail.local
Output
/etc/fail2ban/jail.local

Next, you can start your Fail2ban configuration setup on Debian 12 Bookworm. To modify your Fail2ban settings, open the jail.local copy with your favorite text editor, such as vi or nano:

sudo vi /etc/fail2ban/jail.local

Configure Whitelisted IP Addresses in Fail2ban

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.

At this point, you should add your local PC IP address and all other machines that you want to whitelist.

Find the “ignoreip” line, uncomment it by removing the leading # character, and add your IP addresses separated by spaces:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Bantime Configuration in Fail2ban

Next, find the “bantime” line. This is the duration for which an IP is banned; by default, it is set to 10m. You can change the value to your liking:

bantime = 1d

To permanently ban the IP, you can use a negative number.

The findtime is the time window in which failures are counted: an IP is banned when it reaches maxretry failures within findtime.

The maxretry is the number of failures before an IP is banned. The default value is set to 5, which should be fine for most users.
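
To see how ignoreip, maxretry, findtime and bantime work together, the following added example (a simplified Python model, not Fail2ban's own code and not part of the original guide) replays constructed sshd-style log lines against the values above. The 10-minute findtime, the log line format and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified matcher for this example only; Fail2ban's real sshd filter is stricter.
FAIL_RE = re.compile(r"^(?P<ts>\S+) .*Failed password for .* from (?P<ip>\S+) port")

def sample_lines():
    """Constructed sshd-style log lines (documentation IPs, not real traffic)."""
    t0 = datetime(2023, 10, 8, 2, 50)
    # (source IP, number of failures, minutes between failures)
    plan = [("203.0.113.7", 5, 1), ("198.51.100.9", 5, 4), ("192.168.1.50", 6, 1)]
    rows = [(t0 + timedelta(minutes=i * step), ip) for ip, n, step in plan for i in range(n)]
    return [f"{ts.isoformat()} host sshd[999]: Failed password for root from {ip} port 40022 ssh2"
            for ts, ip in sorted(rows)]

def simulate(lines, ignoreip="127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24",
             maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(days=1)):
    """Return (ip, banned_at, banned_until) for each ban the settings would trigger."""
    # strict=False accepts entries with host bits set, such as 127.0.0.1/8
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), ipaddress.ip_address(m["ip"])
        if any(ip in net for net in ignored):
            continue  # ignoreip: failures from these sources are never counted
        if banned_until.get(ip, ts) > ts:
            continue  # already banned
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            # a negative bantime means a permanent ban
            until = datetime.max if bantime < timedelta(0) else ts + bantime
            banned_until[ip] = until
            bans.append((str(ip), ts, until))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, at, until in simulate(sample_lines()):
        print(f"ban {ip} at {at} until {until}")
```

With these values only 203.0.113.7 is banned: 198.51.100.9 spaces its attempts so that fewer than five fall inside any findtime window, and 192.168.1.50 is covered by ignoreip, which is why the whitelist should stay as narrow as possible.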

Email Configuration in Fail2ban

Fail2ban can send email alerts when an IP has been banned on Debian 12 Bookworm.

To receive email messages, you need to have an SMTP server installed on your server and change the default action, which only bans the IP, to this:

action = %(action_mw)s

If you want to receive the relevant logs too, you should set this to the following:

action = %(action_mwl)s

Also, you can adjust the sending and receiving email addresses:

destemail = [email protected] 
sender = [email protected]

Fail2ban Jails Configuration

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.

By default, only the SSH jail is enabled.

You can also create your own jail configurations. To enable a jail, you need to add enabled = true after the jail title.

For example, to enable the postfix jail you can do this:

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

When you are done, save and close the file.

Finally, restart Fail2ban on Debian 12 with the following command to apply these changes:

sudo systemctl restart fail2ban

Step 4 – Fail2ban Command Line Utility on Debian 12 Bookworm

At this point, you can use the Fail2ban command-line utility, fail2ban-client, to interact with the service.

To list all available options from the command line, you can run the command below:

fail2ban-client -h
Output
Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v1.0.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c, --conf <DIR>        configuration directory
    -s, --socket <FILE>     socket path
    -p, --pidfile <FILE>    pidfile path
    --pname <NAME>          name of the process (main thread) to identify instance (default fail2ban-server)
    --loglevel <LEVEL>      logging level
    --logtarget <TARGET>    logging target, use file-name or stdout, stderr, syslog or sysout.
    --syslogsocket auto|<FILE>
    -d                      dump configuration. For debugging
    --dp, --dump-pretty     dump the configuration using more human readable representation
    -t, --test              test configuration (can be also specified with start parameters)
    -i                      interactive mode
    -v                      increase verbosity
    -q                      decrease verbosity
    -x                      force execution of the server (remove socket file)
    -b                      start server in background (default)
    -f                      start server in foreground
...

Step 5 – Examples of using Fail2ban from Debian 12 Command Line

This tool can be used to ban/unban IP addresses, change settings, restart the service and more. Here we provide a few examples.

To check the status of a jail, you can use the following command:

sudo fail2ban-client status sshd

Also, you can unban an IP with the following command:

sudo fail2ban-client set sshd unbanip 23.34.45.56

To ban an IP you can use the following command:

sudo fail2ban-client set sshd banip 23.34.45.56

For more information, you can visit the Fail2ban Wiki page.

Step 6 – Uninstall and Remove Fail2ban

If you don’t want to use Fail2ban anymore, you can easily disable it with the command below:

sudo systemctl disable fail2ban --now

Then, remove Fail2ban with the command below:

sudo apt autoremove fail2ban --purge -y

Conclusion

At this point, you have learned how to complete the Fail2ban installation on Debian 12 Bookworm, start your configuration setup, and use it from the command line with its utility named fail2ban-client. Hope you enjoy using it.
