This guide shows you how to install Fail2ban on Debian 12 Bookworm. One of the most popular ways to increase your server security is to use Fail2ban. It is an Intrusion Prevention System (IPS) written in Python. Using Fail2ban on Debian 12 has many advantages, including:
- Real-time Protection
- Customizable Ban Policies
- Extensive Compatibility
- IP Address Blocking
- Low Resource Usage
- Open Source and Well-Supported
You can follow the steps below to install and configure Fail2ban on Debian 12 Bookworm.
Steps To Fail2ban Installation and Configuration on Debian 12 Bookworm
Before you start, you must have access to your server as a non-root user with sudo privileges. For this purpose, you can check this guide on Initial Server Setup with Debian 12 Bookworm.
Now follow the steps below to start your Fail2ban installation.
Step 1 – Install Fail2ban on Debian 12
The Fail2ban packages are available in the default Debian 12 repository. First, run the system update and upgrade with the commands below:
sudo apt update
sudo apt upgrade -y
Then, use the following command to install the Fail2ban package:
sudo apt install fail2ban -y
Step 2 – Start and Enable Fail2ban Service on Debian 12
When your installation is completed, you must start and enable your Fail2ban service by using the command below:
sudo systemctl enable fail2ban --now
Verify your Fail2ban service is active and running on Debian 12:
sudo systemctl status fail2ban
Output
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: ena>
     Active: active (running) since Sun 2023-10-08 02:52:56 EDT; 1min 39s ago
       Docs: man:fail2ban(1)
   Main PID: 49756 (fail2ban-server)
      Tasks: 5 (limit: 4653)
     Memory: 19.1M
        CPU: 414ms
     CGroup: /system.slice/fail2ban.service
             └─49756 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
...
Step 3 – Fail2ban Configuration Setup on Debian 12
At this point, you need to adjust the Fail2ban configuration on your server. You can follow the steps below to make your configuration changes.
Where are the Fail2ban Configuration Files?
Fail2ban has two configuration files. They are located in the following directories:
Important Note: Do not modify these files. They are the original set-up files and will be replaced in any future update to Fail2ban.
To make your configuration changes, you need to create a copy of the file and edit the copy instead.
Create a Copy of the Fail2ban Config File
As we said, you must create a copy of the file. To do this, you can run the command below:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then, open the copied file in the /etc/fail2ban directory to verify that it exists and to make your changes:
sudo vi /etc/fail2ban/jail.local
Configure White list IP Addresses in Fail2ban
IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.
At this point, you should add your local PC IP address and all other machines that you want to whitelist.
Find the “ignoreip” line, uncomment it by removing the hash sign (#) in front of it, and add your IP addresses separated by spaces:
ignoreip = 127.0.0.1/8 ::1 184.108.40.206 192.168.1.0/24
Bantime Configuration in Fail2ban
At this point, find the “bantime” line. It sets the duration for which an IP is banned and defaults to 10m. You can change the value to your liking:
bantime = 1d
To permanently ban the IP, you can use a negative number.
The findtime is the time window within which the failures must occur before a ban is set.
The maxretry is the number of failures before an IP is banned. The default value is set to 5, which should be fine for most users.
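How ignoreip, findtime, maxretry and bantime interact, shown on constructed failure events. This is an added example and a simplified model, not Fail2ban's own code; the function names, sample addresses and the SAMPLE and IGNOREIP constants are assumptions made for illustration.

```python
# Added example: simplified model of ignoreip/findtime/maxretry/bantime.
# Not Fail2ban's code; hostnames in ignoreip are not handled here.
import ipaddress
from collections import defaultdict, deque

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert '10m', '1d' or a plain number of seconds (e.g. '-1') to int."""
    value = value.strip()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def is_ignored(ip, ignoreip):
    """True if ip is inside any address or CIDR range listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip.split())

def simulate(failures, ignoreip, findtime, maxretry, bantime):
    """failures: (seconds, ip) tuples. Returns {ip: (ban_start, ban_end)};
    ban_end is None for a permanent ban (negative bantime)."""
    window, ban_len = to_seconds(findtime), to_seconds(bantime)
    recent, bans = defaultdict(deque), {}
    for ts, ip in sorted(failures):
        if is_ignored(ip, ignoreip):
            continue                      # whitelisted: never counted
        if ip in bans and (bans[ip][1] is None or ts < bans[ip][1]):
            continue                      # ban still in force
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip] = (ts, None if ban_len < 0 else ts + ban_len)
            hits.clear()
    return bans

# Constructed sample failures (documentation/private addresses).
SAMPLE = ([(t, "203.0.113.7") for t in (0, 60, 120, 180, 240)]        # fast burst
          + [(t, "192.168.1.50") for t in range(0, 360, 60)]          # in ignoreip
          + [(t, "198.51.100.9") for t in (0, 200, 400, 700, 900)])   # slower than findtime
IGNOREIP = "127.0.0.1/8 ::1 192.168.1.0/24"

if __name__ == "__main__":
    print(simulate(SAMPLE, IGNOREIP, "10m", 5, "1d"))
    print(simulate(SAMPLE, IGNOREIP, "10m", 5, "-1"))
```

With findtime = 10m only the fast burst is banned; raising findtime to 20m also catches the slower source, which is the trade-off to weigh when tuning these three values.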
Email Configuration in Fail2ban
Fail2ban can send email alerts when an IP has been banned on Debian 12 Bookworm.
To receive email messages, you need to have an SMTP server installed on your server and change the default action, which only bans the IP, to this:
action = %(action_mw)s
If you want to receive the relevant logs too, you should set this to the following:
action = %(action_mwl)s
Also, you can adjust the sending and receiving email addresses:
destemail = [email protected]
sender = [email protected]
Fail2ban Jails Configuration
Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.
By default, only the SSH jail is enabled.
You can also create your own jail configurations. To enable a jail, you need to add enabled = true after the jail title.
For example, to enable the postfix jail you can do this:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
When you are done, save and close the file.
Finally, restart Fail2ban on Debian 12 with the following command to apply these changes:
sudo systemctl restart fail2ban
Step 4 – Fail2ban Command Line Utility on Debian 12 Bookworm
At this point, you can use the Fail2ban command-line utility, fail2ban-client, to interact with the service.
To list all available options from the command line, you can run the command below:
Output
Usage: fail2ban-client [OPTIONS] <COMMAND>

Fail2Ban v1.0.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Options:
    -c, --conf <DIR>            configuration directory
    -s, --socket <FILE>         socket path
    -p, --pidfile <FILE>        pidfile path
    --pname <NAME>              name of the process (main thread) to identify instance (default fail2ban-server)
    --loglevel <LEVEL>          logging level
    --logtarget <TARGET>        logging target, use file-name or stdout, stderr, syslog or sysout.
    --syslogsocket auto|<FILE>
    -d                          dump configuration. For debugging
    --dp, --dump-pretty         dump the configuration using more human readable representation
    -t, --test                  test configuration (can be also specified with start parameters)
    -i                          interactive mode
    -v                          increase verbosity
    -q                          decrease verbosity
    -x                          force execution of the server (remove socket file)
    -b                          start server in background (default)
    -f                          start server in foreground
...
Step 5 – Examples of using Fail2ban from Debian 12 Command Line
This tool can be used to ban or unban IP addresses, change settings, restart the service, and more. Here we provide a few examples.
To check the status of a jail, you can use the following command:
sudo fail2ban-client status sshd
Also, you can unban an IP with the following command:
sudo fail2ban-client set sshd unbanip 220.127.116.11
To ban an IP you can use the following command:
sudo fail2ban-client set sshd banip 18.104.22.168
For more information, you can visit the Fail2ban Wiki page.
Step 6 – Uninstall and Remove Fail2ban
If you don’t want to use Fail2ban anymore, you can easily disable it with the command below:
sudo systemctl disable fail2ban --now
Then, remove Fail2ban with the command below:
sudo apt autoremove fail2ban --purge -y
At this point, you have learned to install Fail2ban on Debian 12 Bookworm, set up its configuration, and use it from the command line with its utility named fail2ban-client. Hope you enjoy using it.