Fail2ban is an intrusion prevention software framework that protects computer servers from primarily brute-force attacks, banning bad user agents, banning URL scanners, and much more.
Update your server.
apt update && apt full-upgrade
apt install fail2ban -y
After successful installation, the Fail2ban service should start automatically. You can verify this by running the command:
systemctl status fail2ban
If the service is not active on your system, then you can use the following commands to starts and enable it:
systemctl start fail2ban systemctl enable fail2ban
Lastly, verify the version and build of fail2ban:
After completing the installation, we now need to do some setup and basic configuration. Fail2ban comes with two configuration files which are located in /etc/fail2ban/jail.conf and The default Fail2ban /etc/fail2ban/jail.d/defaults-debian.conf. Do not modify these files. The original set-up files are your originals and will be replaced in any update to Fail2ban in the future.
Now let’s setup copies ending in .local instead of .conf as Fail2ban will always read .local files first before loading .conf if it cannot find one.
To do this, use the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now open the configuration file to proceed with configuring:
Some items to mofify.
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... bantime.increment = true
Whitelist IPs in Fail2ban
ignoreip = 127.0.0.1/8 ::1 22.214.171.124 (example IP address)
Default Ban Time Set-Up
E-Mail set up with Fail2ban
Note, by default, Fail2ban uses sendmail MTA for email notifications. You can change this to the mail function by doing the following:
mta = sendmail
mail = sendmail
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations. By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the postfix jail.
[postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log
The settings we discussed in the previous section, can be set per jail. Here is an example:
[sshd] enabled = true maxretry = 3 findtime = 1d bantime = 4w ignoreip = 127.0.0.1/8 126.96.36.199
The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.
Each time the configuration file is modified, the Fail2ban service must be restarted for changes to take effect:
sudo systemctl restart fail2ban
Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.
To view all available options, invoke the command with the -h option:
This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:
Get the current status of the server:
Check the jail status:
fail2ban-client status sshd Unban an IP: sudo fail2ban-client set sshd unbanip 188.8.131.52
Ban an IP:
sudo fail2ban-client set sshd banip 184.108.40.206