Every server that is reachable from the Internet is exposed to brute-force and malware attacks: attackers run automated password-guessing attempts against any login service they can find on a public network.
Fail2ban is a tool that protects Linux machines from such automated attacks. It watches log files for patterns of malicious activity, such as repeated authentication failures, and blocks the offending remote IP addresses, temporarily or permanently, by adding firewall rules.
This how-to guide explains how to install, configure and set up Fail2ban on a Debian 11-based system.
How to install Fail2ban on Debian 11
Fail2ban is available in the default repository of Debian 11, so it can easily be installed by using the default package manager of Debian:
sudo apt install fail2ban -y
After successful installation, the Fail2ban service should start automatically. You can verify this by running the command:
sudo systemctl status fail2ban
If the service is not active on your system, use the following commands to start it now and enable it at boot:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
How to configure Fail2ban on Debian 11
Fail2ban ships two main configuration files in the /etc/fail2ban directory: fail2ban.conf (daemon settings) and jail.conf (jail definitions and their defaults). Do not edit these files directly: they carry the packaged defaults and may be overwritten when a package update arrives. Fail2ban reads a matching .local file after each .conf file and lets its values override the defaults, so site-specific settings belong in jail.local (or in a drop-in file under /etc/fail2ban/jail.d/; Debian already ships jail.d/defaults-debian.conf there, which enables the sshd jail).
To avoid any future hassle we will keep our settings in a separate .local file. Create it by copying jail.conf (only the values you change in the copy actually matter, since everything else is identical to the defaults):
sudo cp /etc/fail2ban/jail.{conf,local}
Now, open the newly created file in a text editor:
sudo nano /etc/fail2ban/jail.local
Here you can update the settings according to your needs. The directives below live in the [DEFAULT] section and apply to every jail unless a jail overrides them. The ignoreip directive lists addresses and networks (in CIDR notation) that Fail2ban will never ban; put your own management addresses here so that a mistyped password cannot lock you out. This example whitelists the loopback network and the 192.168.1.0/24 LAN; replace them with the addresses you want to whitelist:
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
The bantime directive sets how long an IP address stays banned. The value is in seconds unless you add a unit suffix such as m (minutes), h (hours) or d (days); a negative value (bantime = -1) makes the ban permanent. Two hours:
bantime = 120m
The findtime directive is the window in which failures are counted: an address is banned only if it reaches maxretry failures within findtime. With the values used here, five failed attempts within two minutes trigger a ban, while the same five attempts spread over an hour do not.
findtime = 2m
The maxretry directive sets the number of failed attempts, within findtime, after which an IP address is banned:
maxretry = 5
After making the changes, save and close the config file.
Now restart the service to let the changes take effect; afterwards, fail2ban-client status lists the active jails and fail2ban-client status sshd shows the sshd jail's current ban list, which is a quick way to confirm the new settings were loaded:
sudo systemctl restart fail2ban.service
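As an added example that is not part of the original article and not Fail2ban's own code, the following POSIX shell script shows what the three directives above actually do when applied to log lines. It is a simplified, sliding-window model of Fail2ban's counting (the real daemon's bookkeeping differs in detail and matches many more log patterns than "Failed password"); the function would_ban, the constructed sshd log lines and the address ranges are all assumptions made for this example, and only IPv4 entries in ignoreip are modelled.

```sh
#!/bin/sh
# Added example (not fail2ban's code): a simplified, sliding-window model of
# what ignoreip, findtime and maxretry mean, run over constructed sshd log
# lines. It handles IPv4 addresses and IPv4 CIDR entries in ignoreip; IPv6
# entries such as ::1 are skipped. All timestamps are assumed to fall on one day.

# would_ban FINDTIME_SECONDS MAXRETRY "IGNOREIP LIST"
# Reads syslog-style sshd lines on stdin and prints each IP at the moment it
# would be banned: its MAXRETRY-th failure within FINDTIME_SECONDS.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Is ip covered by any ignoreip entry (plain IPv4 or IPv4/prefix)?
    function in_ignore(ip,   i, e, p, net, bits, d) {
        for (i = 1; i <= n; i++) {
            e = ign[i]
            if (index(e, "/")) { split(e, p, "/"); net = p[1]; bits = p[2] }
            else               { net = e; bits = 32 }
            if (index(net, ".") == 0) continue   # IPv6 entry: not modelled
            d = 2 ^ (32 - bits)                  # compare only the network parts
            if (int(ip2int(ip) / d) == int(ip2int(net) / d)) return 1
        }
        return 0
    }
    BEGIN { n = split(ignore, ign, " ") }
    /Failed password/ {
        # "Jan 10 12:00:09 ..." -> seconds since midnight (one day assumed)
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # the source address follows the word "from"
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (in_ignore(ip) || banned[ip]) next
        cnt[ip]++
        fails[ip, cnt[ip]] = now
        # count the failures of this address that fall inside the findtime window
        hits = 0
        for (k = 1; k <= cnt[ip]; k++) if (now - fails[ip, k] <= findtime) hits++
        if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample log (not captured from a real host):
# 203.0.113.7  : 5 failures in 8 s                 -> banned
# 192.168.1.20 : 5 failures in 4 s, but on the LAN -> skipped via ignoreip
# 198.51.100.9 : 5 failures spaced 150 s apart      -> never 5 inside 120 s
SAMPLE_LOG='Jan 10 12:00:01 web sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 12:00:03 web sshd[2101]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jan 10 12:00:05 web sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Jan 10 12:00:08 web sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Jan 10 12:00:09 web sshd[2104]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jan 10 12:00:10 web sshd[2105]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
Jan 10 12:00:12 web sshd[2106]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Jan 10 12:00:13 web sshd[2107]: Failed password for alice from 192.168.1.20 port 50002 ssh2
Jan 10 12:00:14 web sshd[2108]: Failed password for alice from 192.168.1.20 port 50003 ssh2
Jan 10 12:00:15 web sshd[2109]: Failed password for alice from 192.168.1.20 port 50004 ssh2
Jan 10 12:00:16 web sshd[2110]: Failed password for alice from 192.168.1.20 port 50005 ssh2
Jan 10 12:01:00 web sshd[2111]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 10 12:03:30 web sshd[2112]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jan 10 12:06:00 web sshd[2113]: Failed password for root from 198.51.100.9 port 41002 ssh2
Jan 10 12:08:30 web sshd[2114]: Failed password for root from 198.51.100.9 port 41003 ssh2
Jan 10 12:11:00 web sshd[2115]: Failed password for root from 198.51.100.9 port 41004 ssh2'

# Same ignoreip value as in the jail.local above.
IGNORE='127.0.0.1/8 ::1 192.168.1.0/24'

# Same values as the jail.local above: findtime = 2m (120 s), maxretry = 5.
printf '%s\n' "$SAMPLE_LOG" | would_ban 120 5 "$IGNORE"
```

With the jail.local values above (findtime 120 s, maxretry 5) only 203.0.113.7 is reported. Lowering maxretry to 3 and widening findtime to 600 s also catches the slow attacker at 198.51.100.9, and dropping the ignoreip list bans the LAN host 192.168.1.20 as well. That is the trade-off these three numbers encode: a short findtime with a generous maxretry tolerates a user's typos but lets a patient attacker through, while a wide findtime with a low maxretry catches slow guessing at the cost of more false positives, which is exactly why your own addresses belong in ignoreip.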
Conclusion
Fail2ban lets us harden a system against brute-force attacks and other malicious activity. It protects the system by watching the logs and blocking IP addresses that show suspicious behaviour. Measures like this are essential for any system that is reachable from a public network. In this article, we learned how to install, configure and set up Fail2ban on Debian 11.