Setting up fail2ban on Debian is an effective way to protect your server from brute-force attacks by banning IP addresses that show malicious signs, such as repeated failed login attempts. Here is a step-by-step guide on how to set it up:
Step 1: Install fail2ban
- Update your package index:
sudo apt update
- Install fail2ban:
sudo apt install fail2ban
Step 2: Configure fail2ban
After installing fail2ban, you need to configure it to protect your services, such as SSH. You will be editing configuration files located in /etc/fail2ban.
- Copy the default configuration file for local use:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Edit the jail.local file:
Open the configuration file in a text editor:
sudo nano /etc/fail2ban/jail.local
- Configure basic settings:
Look for the [DEFAULT] section and modify the following options:
- Ban Time: The duration of the ban (e.g., 10 minutes).
bantime = 10m
- Find Time: The duration within which the number of failed attempts is checked (e.g., 10 minutes).
findtime = 10m
- Max Retry: The number of failed attempts allowed before a ban is applied.
maxretry = 5
- Permanent ban (optional): If you want a ban to last indefinitely instead of expiring, use:
bantime = -1
- Enable SSH protection: Look for the [sshd] section and make sure it is enabled by setting:
[sshd]
enabled = true
- Whitelist trusted IP addresses (optional):
If you have specific IPs or IP ranges you want to whitelist (e.g., your office or home IP), add them to the ignoreip directive under the [DEFAULT] section:
ignoreip = 127.0.0.1/8 ::1 <your IP here>
- Additional jail configurations:
fail2ban comes with pre-configured jails for various services such as Nginx, Postfix, Dovecot, etc. If you want to protect these services, find the relevant section in jail.local and set enabled = true for the ones you wish to protect.
Step 3: Start and Enable fail2ban
Once your configuration is ready, start and enable fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Step 4: Verify fail2ban Status
To check the status of fail2ban and ensure it is running correctly:
sudo systemctl status fail2ban
You can also check the status of a specific jail, like the SSH jail:
sudo fail2ban-client status sshd
This will show the currently active jails, banned IPs, and other information.
Step 5: Monitor Logs
fail2ban logs all its actions in the log file /var/log/fail2ban.log. You can monitor this file to ensure fail2ban is working as expected:
sudo tail -f /var/log/fail2ban.log
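Tailing the log shows single events; to see which IPs are currently banned per jail and which ones keep coming back after their ban expires, the ban/unban NOTICE lines can be replayed. The following script is an added example (not part of the original guide) that does this; the sample lines are constructed in the format fail2ban writes to /var/log/fail2ban.log and use TEST-NET addresses.

```python
import re
from collections import defaultdict

# Matches the NOTICE lines fail2ban.actions writes when it bans or unbans an IP, e.g.
# "2024-05-01 12:00:09,215 fail2ban.actions [987]: NOTICE [sshd] Ban 203.0.113.7"
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+\[\d+\]:"
    r"\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+(?P<action>Ban|Unban|Restore Ban)\s+(?P<ip>\S+)"
)

# Constructed sample log lines (not real output); the "Found" line is filter noise.
SAMPLE_LOG = """\
2024-05-01 12:00:01,101 fail2ban.filter         [987]: INFO    [sshd] Found 203.0.113.7 - 2024-05-01 12:00:01
2024-05-01 12:00:09,215 fail2ban.actions        [987]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 12:03:44,302 fail2ban.actions        [987]: NOTICE  [sshd] Ban 198.51.100.23
2024-05-01 12:10:09,418 fail2ban.actions        [987]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 12:11:00,500 fail2ban.actions        [987]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2024-05-01 12:15:30,604 fail2ban.actions        [987]: NOTICE  [sshd] Ban 203.0.113.7
"""


def summarize(lines):
    """Replay ban/unban events; return (jail -> ip -> ban count, jail -> IPs still banned)."""
    ban_counts = defaultdict(lambda: defaultdict(int))
    active = defaultdict(set)
    for line in lines:
        m = BAN_LINE.match(line)
        if not m:
            continue  # skip filter "Found" lines and anything that is not a ban action
        jail, ip, action = m["jail"], m["ip"], m["action"]
        if action == "Unban":
            active[jail].discard(ip)
        else:  # "Ban" or "Restore Ban" (re-applied from the persistence db after a restart)
            ban_counts[jail][ip] += 1
            active[jail].add(ip)
    return ({j: dict(c) for j, c in ban_counts.items()},
            {j: sorted(s) for j, s in active.items()})


def repeat_offenders(ban_counts, threshold=2):
    """IPs banned at least `threshold` times in any single jail: candidates for a longer bantime."""
    return sorted({ip for counts in ban_counts.values()
                   for ip, n in counts.items() if n >= threshold})


if __name__ == "__main__":
    counts, active = summarize(SAMPLE_LOG.splitlines())
    for jail, ips in active.items():
        print(f"{jail}: currently banned {', '.join(ips) or 'none'}")
    print("repeat offenders:", repeat_offenders(counts))
```

To run it against the live log, replace SAMPLE_LOG.splitlines() with the lines read from /var/log/fail2ban.log (root or adm group membership is needed to read it).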
Step 6: Unban an IP (if needed)
If you accidentally ban your own IP or another trusted IP, you can unban it using the following command:
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
This setup should provide basic protection for your server from brute-force attacks. You can expand the protection by configuring more jails for additional services based on your server’s needs.
If you encounter fail2ban errors during startup, here are a few steps to troubleshoot.
Step 1: Check the Fail2Ban Logs
The logs usually provide more specific information about what went wrong. Check the logs using:
sudo cat /var/log/fail2ban.log
Look for any errors or misconfigurations mentioned in the log file.
Step 2: Validate the Configuration
If the log shows a configuration error, you may have a syntax issue in your jail.local or other configuration files.
You can validate the configuration with the following command:
sudo fail2ban-client -d
This command will display potential errors in your configuration.
Step 3: Review the Configuration Files
Open your configuration files and check for typos or syntax errors. For example:
sudo nano /etc/fail2ban/jail.local
Ensure all values and syntax are correct, especially for any lines you may have customized. Double-check indentation and comments.
Step 4: Restart the Service
After correcting any configuration issues, restart the fail2ban service:
sudo systemctl restart fail2ban
Then check its status again:
sudo systemctl status fail2ban
Step 5: Test Fail2Ban
After the service is running, confirm that it is functioning correctly:
sudo fail2ban-client status
This command should return the active jails and their status.
If you continue to encounter issues, you can share the relevant portions of the log file or the configuration file to diagnose further.
In addition, if you want to disable sshd from listening on IPv4 in Debian, you need to modify the SSH server configuration file (/etc/ssh/sshd_config). Follow these steps:
- Edit the sshd_config file:
sudo nano /etc/ssh/sshd_config
- Find the ListenAddress directives in the file. By default, SSH listens on all available network interfaces and IP addresses. To restrict it to only IPv6, you will need to add or modify a ListenAddress directive to only listen on IPv6.
- Set SSH to listen only on IPv6:
Add the following line to specify that SSH should only listen to IPv6 addresses:
ListenAddress ::
This line tells sshd to listen on all available IPv6 addresses.
- Save and exit the file by pressing Ctrl+X, then Y, and Enter.
- Restart the SSH service to apply the changes:
sudo systemctl restart sshd
This will prevent SSH from listening on IPv4 addresses while still allowing connections over IPv6. You can confirm this by running the following command:
sudo ss -tulnp | grep sshd
You should see that SSH is only listening on IPv6 (::) and not on any IPv4 addresses.
To allow both inbound and outbound traffic for TCP port 4662 and UDP port 4672 using ufw, you can use the following commands:
- Allow inbound and outbound TCP traffic on port 4662:
sudo ufw allow 4662/tcp
- Allow inbound and outbound UDP traffic on port 4672:
sudo ufw allow 4672/udp
These commands will enable both inbound and outbound traffic for the specified ports. You can verify the rules with:
sudo ufw status
This will show you the list of active rules in your ufw configuration.