Fail2ban is an intrusion prevention framework that works together with the firewall installed on your server.
It operates by monitoring log files (or the systemd journal) for certain types of entries, such as repeated failed logins, and runs predetermined actions based on its findings, typically a temporary firewall ban of the offending IP address.
$ apt install fail2ban
Now create a local copy of the default configuration file. Do not edit jail.conf itself: it is overwritten on package upgrades, while settings in jail.local take precedence over it.
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the jail.local file
$ pico /etc/fail2ban/jail.local
Find the [sshd] section under the # JAILS line in jail.local and make sure it contains the following settings
[sshd]
backend=systemd
enabled = true
filter = sshd
port = ssh
logpath = %(sshd_log)s
maxretry = 3
Check also ignoreself and ignoreip. With ignoreself = true Fail2ban never bans the server's own addresses
ignoreself = true
ignoreip lists addresses and networks that are never banned. The default is
ignoreip = 127.0.0.1/8 ::1
Add your other servers and your own IP addresses to it, for example
ignoreip = 127.0.0.1/8 ::1 192.168.178.11 192.168.178.33
You can also change the ban parameters: bantime is how long an offender stays banned, findtime is the window within which maxretry failures must occur before a ban is triggered
#bantime = 10m
# to
# bantime: 1 year
bantime = 31536000
#findtime = 10m
# to
# findtime: 1 day
findtime = 86400
#maxretry = 5
# to
maxretry = 3
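To make the interaction between findtime, maxretry, bantime and ignoreip concrete, here is an added Python simulation. It is not part of Fail2ban or of this page: it applies a simplified stand-in for the sshd failregex and the same sliding-window ban logic to a few constructed journal lines (the hostnames, PIDs, timestamps and IP addresses are made up). Running it with the default findtime of 10 minutes and with the 1 day set above shows why a slow attacker is only caught with the longer window, while the address listed in ignoreip is never banned.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample journal lines in the style of sshd output; hosts, PIDs
# and timestamps are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-05-01T10:00:04 mail sshd[1203]: Failed password for root from 203.0.113.5 port 51030 ssh2
2024-05-01T10:00:09 mail sshd[1207]: Failed password for root from 203.0.113.5 port 51041 ssh2
2024-05-01T10:00:12 mail sshd[1210]: Failed password for root from 192.168.178.11 port 40022 ssh2
2024-05-01T10:00:15 mail sshd[1211]: Failed password for root from 192.168.178.11 port 40023 ssh2
2024-05-01T10:00:18 mail sshd[1212]: Failed password for root from 192.168.178.11 port 40024 ssh2
2024-05-01T10:05:00 mail sshd[1300]: Failed password for root from 198.51.100.7 port 40100 ssh2
2024-05-01T10:25:00 mail sshd[1310]: Failed password for root from 198.51.100.7 port 40101 ssh2
2024-05-01T10:45:00 mail sshd[1320]: Failed password for root from 198.51.100.7 port 40102 ssh2
2024-05-01T11:00:00 mail sshd[1400]: Accepted publickey for deploy from 198.51.100.9 port 40200 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (assumption for this
# example): Fail2ban's real filter has many more patterns and writes <HOST>
# where this regex uses the named group (?P<host>...).
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\S+) port \d+ ssh2$"
)

# The ignoreip value from the configuration above.
IGNOREIP = "127.0.0.1/8 ::1 192.168.178.11 192.168.178.33"


def parse_ignoreip(spec):
    """Turn an ignoreip value into networks; a bare address becomes a /32 or /128."""
    return [ip_network(tok, strict=False) for tok in spec.split()]


def is_ignored(host, nets):
    addr = ip_address(host)
    return any(addr in net for net in nets)


def simulate(log, findtime, maxretry, bantime, ignoreip=IGNOREIP):
    """Replay log lines through the jail logic; return {host: ban expiry}."""
    nets = parse_ignoreip(ignoreip)
    window = {}   # host -> timestamps of failures still inside findtime
    banned = {}   # host -> datetime at which the ban expires
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                      # not a failure line
        ts = datetime.fromisoformat(m.group("ts"))
        host = m.group("host")
        if is_ignored(host, nets):
            continue                      # ignoreip/ignoreself: never banned
        if host in banned and ts < banned[host]:
            continue                      # already banned for this period
        hits = window.setdefault(host, [])
        hits.append(ts)
        # sliding window: only failures within the last findtime seconds count
        hits[:] = [t for t in hits if ts - t <= timedelta(seconds=findtime)]
        if len(hits) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            hits.clear()
    return banned


def banned_hosts(log, findtime, maxretry, bantime, ignoreip=IGNOREIP):
    """Sorted list of hosts the jail would ban for the given parameters."""
    return sorted(simulate(log, findtime, maxretry, bantime, ignoreip))


if __name__ == "__main__":
    for ft in (600, 86400):   # the default 10m versus the 1 day set above
        print(f"findtime={ft}s:", banned_hosts(SAMPLE_LOG, ft, 3, 31536000))
```

The fast brute force from 203.0.113.5 is banned either way, the three attempts spread over 40 minutes from 198.51.100.7 only trip maxretry with findtime = 86400, and 192.168.178.11 is skipped because it matches ignoreip. The ban expiry returned for each host is the timestamp of the third failure plus bantime.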
Under the ACTIONS section you can change the notification and ban settings
# Destination email address ....
#destemail = root@localhost
# to
destemail = your@mail.com
# Sender email address used solely for some actions
#sender = root@<fq-hostname>
sender = your@mail.com
#mta = sendmail
mta = mail
banaction = iptables-multiport
banaction_allports = iptables-allports
and check the following jails
[exim]
backend=systemd
enabled = true
filter = exim
port = smtp,465,submission
logpath = %(exim_main_log)s
[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
And add the following configuration to it.
[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
maxretry = 3
[dovecot]
backend=systemd
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
maxretry = 3
[postfix]
backend=systemd
enabled = true
mode = more
filter = postfix
port = smtp,465,ssmtp,submission,imap,imaps,pop3,pop3s
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath = %(postfix_log)s
Note that a failregex set inside a jail section replaces the regexes of the filter named by filter =, so this jail only matches the 535 line above; verify that the pattern actually matches lines in your mail log (fail2ban-regex can test a filter against a log file) before relying on it.
[postfix-sasl]
backend=systemd
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
[roundcube-auth]
enabled = true
filter = roundcube-auth
action = nftables[type=multiport, name=RC, port="80,443"]
         sendmail-whois-lines[name=RC, logpath="%(logpath)s"]
logpath = /var/log/apache2/roundcube_error.log
maxretry = 4
Close the file and restart Fail2ban
$ systemctl restart fail2ban
or
$ /etc/init.d/fail2ban restart
If it is not running, start Fail2ban with the command
$ systemctl start fail2ban
or
$ fail2ban-client start
To stop Fail2ban use
$ fail2ban-client stop
You can check the current status of Fail2ban with the command
$ systemctl status fail2ban
and configure Fail2ban to start when the instance comes online
$ systemctl enable fail2ban
To get rid of the warning WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
edit the /etc/fail2ban/fail2ban.conf file. Under [DEFAULT] set allowipv6 = auto, or allowipv6 = no if you do not use IPv6
$ pico /etc/fail2ban/fail2ban.conf
[DEFAULT]
#allowipv6 = auto
allowipv6 = no
Ban / Unban IP manually
To see the list of jails use
$ fail2ban-client status
Output:
Status
|- Number of jail: 8
`- Jail list: apache-badbots, apache-fakegooglebot, dovecot, exim, postfix, postfix-sasl, roundcube-auth, sshd
then you can check
$ fail2ban-client status sshd
Output:
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Ban an IP manually with fail2ban-client set <jail_name> banip <ip address>
$ fail2ban-client set sshd banip 192.168.33.21
To list the banned IP addresses of all jails use:
$ fail2ban-client banned
Output:
[{'sshd': ['192.168.33.21']}, {'apache-badbots': []}, {'apache-fakegooglebot': []}, {'roundcube-auth': []}, {'postfix': []}, {'dovecot': []}, {'exim': []}, {'postfix-sasl': []}]
Unban an IP with fail2ban-client set <jail_name> unbanip <ip address>
$ fail2ban-client set sshd unbanip 192.168.33.21