Install Fail2ban on Debian 12

Fail2ban is an intrusion prevention framework that works together with the firewall installed on your server (iptables or nftables on Debian 12).
It operates by monitoring log files, or the systemd journal, for certain types of entries (failed logins, bad bots) and runs predetermined actions, typically a temporary firewall ban of the offending IP address, based on its findings.

Install the package as root. The systemd backend used below needs the python3-systemd module, so install it explicitly rather than relying on it being pulled in as a recommended package:

$ apt install fail2ban python3-systemd

Now create a copy of the default configuration file. jail.conf is replaced on package upgrades, while jail.local is read after it and left alone, so all local changes belong in jail.local:

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file

$ pico /etc/fail2ban/jail.local

Find the [sshd] section under the # JAILS comment in jail.local and make sure it contains the following. On Debian 12 rsyslog is no longer installed by default, so /var/log/auth.log does not exist; backend = systemd makes the jail read the journal instead. Without it fail2ban refuses to start the jail because it finds no log file:

[sshd]
backend=systemd
enabled = true
filter = sshd
port    = ssh
logpath = %(sshd_log)s
maxretry = 3

Check also ignorself and ignoreip

ignoreself = true

Here you can add your servers and our own ip numbers

ignoreip = 127.0.0.1/8 ::1 
ignoreip = 127.0.0.1/8 ::1 192.168.178.11 192.168.178.33

You can also change the default ban parameters. Values accept fail2ban's time abbreviations, so 1y, 1d and 10m mean the same as 31536000, 86400 and 600 seconds. These three settings under [DEFAULT] apply to every jail that does not override them:

#bantime  = 10m
# to 
# bantime: 1 year
bantime = 31536000

#findtime  = 10m
# to
# findtime: 1 day
findtime = 86400

#maxretry = 5
# to 
maxretry = 3

Under the ACTIONS section you can change the mail settings. They are only used by jails whose action actually sends mail (the default action = %(action_)s bans without mailing; the roundcube-auth jail below uses an explicit sendmail action). mta = mail requires a mail(1) binary, for example from bsd-mailx or mailutils:

# Destination email address ....
#destemail = root@localhost
# to
destemail = your@mail.com

# Sender email address used solely for some actions
#sender = root@<fq-hostname>
sender = your@mail.com

#mta = sendmail
mta = mail

banaction and banaction_allports select the firewall backend for every jail that does not set its own action. Debian 12 uses nftables by default and the iptables package is not necessarily installed; either install iptables or switch these two to nftables-multiport and nftables-allports, which ship with fail2ban:

banaction = iptables-multiport
banaction_allports = iptables-allports

and check that the following jails are enabled:

[exim]
backend=systemd
enabled = true
filter = exim
port   = smtp,465,submission
logpath = %(exim_main_log)s

 

[apache-badbots]
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

 
Then enable the following jails, which already exist in jail.conf but are disabled by default, and adjust them as shown. Note that the roundcube-auth jail uses an explicit nftables action while banaction above defaults to iptables; pick one firewall backend for all jails so that every ban ends up in one ruleset you can inspect.

[pure-ftpd]
enabled = true
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(pureftpd_log)s
backend  = %(pureftpd_backend)s
maxretry = 3

 

[dovecot]
backend=systemd
enabled = true
port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
maxretry = 3

 

[postfix]
backend=systemd
enabled = true
mode    = more
filter   = postfix
port     = smtp,465,ssmtp,submission,imap,imaps,pop3,pop3s
failregex = \[<HOST>]: 535 Incorrect authentication data
logpath  = %(postfix_log)s

The failregex line is added on top of the postfix filter's own patterns, not instead of them. Check that it really matches your log before relying on it, for example with fail2ban-regex systemd-journal '\[<HOST>]: 535 Incorrect authentication data'.


[postfix-sasl]
backend=systemd
enabled = true
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s

 

[roundcube-auth]
enabled  = true
filter   = roundcube-auth
action   = nftables[type=multiport, name=RC, port="80,443"]
           sendmail-whois-lines[name=RC, logpath="%(logpath)s"]
logpath  = /var/log/apache2/roundcube_error.log
maxretry = 4
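The findtime, maxretry and ignoreip settings above, and the extra postfix failregex, are easiest to understand by replaying log lines against them. The following Python script is an added example, not code from this page or from fail2ban itself: it re-implements a jail's core decision in simplified form (a failregex with the <HOST> tag, ignoreip matching, a sliding findtime window and maxretry) and runs it over a few constructed Postfix-style log lines. The HOST_RE pattern, the subset of time abbreviations in parse_duration, and the sample lines are assumptions of this example; against a real server use fail2ban-regex instead.

```python
"""Toy model of a fail2ban jail's decision logic (added example, not fail2ban's
own code): failregex with <HOST>, ignoreip, findtime and maxretry, replayed
over constructed Postfix-style log lines."""
import ipaddress
import re
from collections import defaultdict

# fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses and hostnames.
# Simplified stand-in (assumption): IPv4/IPv6 literals only.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# Seconds per unit for fail2ban's time abbreviations (months are left out here).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}
DURATION_RE = re.compile(
    r"(\d+)\s*(y(?:ears?)?|w(?:eeks?)?|d(?:ays?)?|h(?:ours?)?"
    r"|m(?:in(?:utes?)?)?|s(?:ec(?:onds?)?)?)"
)


def parse_duration(value):
    """'10m', '48h', '1 day', '1y' or a bare number of seconds -> int seconds.
    Subset of the grammar fail2ban accepts for bantime and findtime."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    m = DURATION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)[0]]


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex, as fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(entry, strict=False)
        for entry in ignoreip.split()
    )


def banned_hosts(log_lines, failregex, *, maxretry, findtime, ignoreip):
    """Replay (epoch_seconds, line) pairs and return the hosts a jail with these
    settings would ban: maxretry matches within one findtime window, skipping
    hosts covered by ignoreip."""
    regex = compile_failregex(failregex)
    window = parse_duration(findtime)
    recent = defaultdict(list)  # host -> match timestamps still inside the window
    banned = set()
    for ts, line in sorted(log_lines):
        match = regex.search(line)
        if not match:
            continue
        host = match.group("host")
        if is_ignored(host, ignoreip):
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


FAILREGEX = r"\[<HOST>]: 535 Incorrect authentication data"
IGNOREIP = "127.0.0.1/8 ::1 192.168.178.11 192.168.178.33"

# Constructed log lines (epoch seconds, message); not real traffic.
SAMPLE_LOG = [
    (0, "smtpd[1201]: warning: unknown[203.0.113.5]: 535 Incorrect authentication data"),
    (40, "smtpd[1201]: warning: unknown[203.0.113.5]: 535 Incorrect authentication data"),
    (95, "smtpd[1201]: warning: unknown[203.0.113.5]: 535 Incorrect authentication data"),
    # slow attacker, one attempt per hour: invisible with findtime = 10m
    (10, "smtpd[1202]: warning: unknown[198.51.100.7]: 535 Incorrect authentication data"),
    (3610, "smtpd[1202]: warning: unknown[198.51.100.7]: 535 Incorrect authentication data"),
    (7210, "smtpd[1202]: warning: unknown[198.51.100.7]: 535 Incorrect authentication data"),
    # admin workstation mistyping its password: covered by ignoreip
    (20, "smtpd[1203]: warning: ws[192.168.178.11]: 535 Incorrect authentication data"),
    (25, "smtpd[1203]: warning: ws[192.168.178.11]: 535 Incorrect authentication data"),
    (30, "smtpd[1203]: warning: ws[192.168.178.11]: 535 Incorrect authentication data"),
    # successful login: no failregex match
    (50, "smtpd[1204]: client=mail.example.net[198.51.100.9], sasl_method=PLAIN"),
]

if __name__ == "__main__":
    for findtime in ("10m", "1d"):
        hosts = banned_hosts(SAMPLE_LOG, FAILREGEX, maxretry=3,
                             findtime=findtime, ignoreip=IGNOREIP)
        print(f"findtime={findtime}: banned {sorted(hosts)}")
```

With findtime = 10m only the fast brute-forcer is banned; raising findtime to 1 day, as the page does, also catches the host that spreads its three attempts over two hours, while the admin workstation listed in ignoreip is never banned however often it fails.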

Save the file and restart fail2ban. Running fail2ban-client -t first tests the configuration, so a typo in jail.local does not take the service down during the restart:

$ systemctl restart fail2ban

or

$ /etc/init.d/fail2ban restart

 

If it is not running, start Fail2ban with:

 $ systemctl start fail2ban
 # or
 $ fail2ban-client start

To stop Fail2ban use

 $ fail2ban-client stop


You can check the current status of Fail2ban with:

 $ systemctl status fail2ban

and enable it so that it starts at boot:

 $ systemctl enable fail2ban

 

To get rid of the warning 'allowipv6' not defined in 'Definition'. Using default one: 'auto', set allowipv6 explicitly.

Edit /etc/fail2ban/fail2ban.conf (or, to survive package upgrades, put the same lines in /etc/fail2ban/fail2ban.local, which is read after it). Under [DEFAULT] enable allowipv6 = auto if the server has IPv6 connectivity, or allowipv6 = no if it does not. With allowipv6 = no, fail2ban will not ban IPv6 addresses at all, so only disable it on a host without IPv6:

$ pico /etc/fail2ban/fail2ban.conf
[DEFAULT]
#allowipv6 = auto
allowipv6 = no


Ban / Unban an IP manually
To see the jail list, use:

$ fail2ban-client status

Output:

Status
|- Number of jail:      8
`- Jail list:   apache-badbots, apache-fakegooglebot, dovecot, exim, postfix, postfix-sasl, roundcube-auth, sshd

then you can check a single jail:

$ fail2ban-client status sshd

Output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:


Ban an IP by hand with fail2ban-client set <jail_name> banip <ip>, for example:

$ fail2ban-client set sshd banip 192.168.33.21

To see all currently banned IP addresses across all jails, use:

$ fail2ban-client banned

Output:

['sshd': ['192.168.33.21'], 'apache-badbots': [], 'apache-fakegooglebot': [], 'roundcube-auth': [], 'postfix': [], 'dovecot': [], 'exim': [], 'postfix-sasl': []]

Unban an IP from one jail with fail2ban-client set <jail_name> unbanip <ip>; fail2ban-client unban <ip> removes the address from every jail and from the ban database at once:

$ fail2ban-client set sshd unbanip 192.168.33.21