Install and Configure fail2ban on Debian 11

Fail2ban is an intrusion prevention software framework that protects computer servers from primarily brute-force attacks, banning bad user agents, banning URL scanners, and much more.

Update your server.

apt update && apt full-upgrade

Install fail2ban

apt install fail2ban -y  

After successful installation, the Fail2ban service should start automatically. You can verify this by running the command:

systemctl status fail2ban 

If the service is not active on your system, then you can use the following commands to starts and enable it:

systemctl start fail2ban 
systemctl enable fail2ban 

Lastly, verify the version and build of fail2ban:

fail2ban-client --version

Output:

Fail2Ban v0.11.2

After completing the installation, we now need to do some setup and basic configuration. Fail2ban comes with two configuration files which are located in /etc/fail2ban/jail.conf and The default Fail2ban /etc/fail2ban/jail.d/defaults-debian.conf. Do not modify these files. The original set-up files are your originals and will be replaced in any update to Fail2ban in the future.

Now let’s setup copies ending in .local instead of .conf as Fail2ban will always read .local files first before loading .conf if it cannot find one.

To do this, use the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open the configuration file to proceed with configuring:

nano /etc/fail2ban/jail.local

Some items to mofify.
Bantime Increment

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

Whitelist IPs in Fail2ban

ignoreip = 127.0.0.1/8 ::1 192.167.5.5 (example IP address)

Default Ban Time Set-Up
E-Mail set up with Fail2ban

Note, by default, Fail2ban uses sendmail MTA for email notifications. You can change this to the mail function by doing the following:

Change from:

mta = sendmail

Change to:

mail = sendmail

Fail2ban Jails
Fail2ban ships with a number of jail for different services. You can also create your own jail configurations. By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the postfix jail.

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

The settings we discussed in the previous section, can be set per jail. Here is an example:
/etc/fail2ban/jail.local

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 11.22.33.44

The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with the same name as the jail. If you have a custom setup and experience with regular expressions, you can fine-tune the filters.

Each time the configuration file is modified, the Fail2ban service must be restarted for changes to take effect:

sudo systemctl restart fail2ban

Fail2ban Client

Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.

To view all available options, invoke the command with the -h option:

fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

Get the current status of the server:

fail2ban-client status

Check the jail status:

fail2ban-client status sshd

Unban an IP:

sudo fail2ban-client set sshd unbanip 11.22.33.44

Ban an IP:

sudo fail2ban-client set sshd banip 11.22.33.44