Set up and Configure Fail2ban on Debian 11

In this article, we want to teach you How To Set up and Configure Fail2ban on Debian 11.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It is written in the Python programming language.

Also, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally.

How To Set up and Configure Fail2ban on Debian 11

To install Fail2ban on your Debian 11, you need to log in to your server as a non-root user with sudo privileges. To do this, you can follow the Initial Server Setup with Debian 11.

Now follow the steps below to install Fail2ban on Debian 11.

Install Fail2ban on Debian 11

By default, the Fail2ban package is available in the default Debian repository.

First, update your local package index with the following command:

sudo apt update

Then, use the following command to install Fail2ban on Debian 11:

sudo apt install fail2ban

The Fail2ban service will start automatically after your installation is completed. To verify that was successfully installed and active on your server, run the following command:

sudo systemctl status fail2ban

In your output you will see:

Output
fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor pres>
Active: active (running) since Tue 2021-11-30 03:28:38 EST; 1min 29s ago
Docs: man:fail2ban(1)
Process: 986 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=>
Main PID: 987 (fail2ban-server)
Tasks: 5 (limit: 2340)
Memory: 18.5M
CPU: 387ms
CGroup: /system.slice/fail2ban.service
└─987 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Now that you have Fail2ban active on your Debian 11. Let’s see how to configure it.

Configure Fail2ban on Debian 11

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf.

You need to create a “.local” configuration file from the default “jail.conf” file.

First copy the configuration file with the following command:

sudo cp /etc/fail2ban/jail.{conf,local}

Then, open the local configuration file with your favorite text editor here we use vi:

sudo vi /etc/fail2ban/jail.local

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive.

At this point, you should add your local PC IP address and all other machines that you want to whitelist.

Find the “ignoreip” line and uncomment it by removing the hashtag from it and adding your IP addresses separated by space:

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Now find the “bantime” line, the duration for which the IP is banned, by default, it is set to 10m. You can change the value to your liking:

bantime = 1d

To permanently ban the IP, you can use a negative number.

The maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

Fail2ban can send email alerts when an IP has been banned on Debian 11.

To receive email messages, you need to have an SMTP installed on your server and change the default action. It only bans the IP to this:

action = %(action_mw)s

If you want to receive the relevant logs too, you should set this to the:

action = %(action_mwl)s

Also, you can adjust the sending and receive email addresses:

destemail = [email protected]
sender = [email protected]

Fail2ban jails

Fail2ban uses the concept of jails. A jail describes a service and includes filters and actions.

By default, only the ssh jail is enabled.

You can also create your own jail configurations. To enable a jail, you need to add enabled = true after the jail title.

For example, to enable the postfix jail you can do this:

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

When you are done, save and close the file.

Now restart Fail2ban on Debian 11 with the following command to apply these changes:

sudo systemctl restart fail2ban

Let’s see how to use Fail2ban.

How To Use Fail2ban

Fail2ban comes with a command-line tool named fail2ban-client. You can use this command to interact with the Fail2ban service.

You can list all available options with the following command:

fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

To check the status of jail you can use the following command:

sudo fail2ban-client status sshd

Also, you can unban an IP with the following command:

sudo fail2ban-client set sshd unbanip 23.34.45.56

To ban an IP you can use the following command:

sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion 

At this point, you learn to Install and Configure Fail2ban on Debian 11. Also, you learn to use the Fail2ban service.

Hope you enjoy it.

May you will be interested in this article about Install and Configure Fail2ban on AlmaLinux 8.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular