FAIL2BAN

Fail2ban is an intrusion-prevention application written in Python that penalizes or blocks remote hosts that attempt brute-force access.

Fail2ban


Fail2ban is a popular open-source tool that protects services exposed to the internet, such as SSH (Secure Shell) and web servers. It works by monitoring log files for patterns that indicate repeated failed login attempts or other suspicious activity, and then blocking the IP addresses those attempts originate from.


When Fail2ban detects a certain number of failed login attempts from an IP address within a specified time frame, it automatically adds a temporary firewall rule to block that IP address. This proactive approach helps protect servers from brute-force attacks and other unauthorized access attempts.

Fail2ban is highly customizable, allowing system administrators to define their own filters and actions. It provides an effective and straightforward solution for maintaining server security and mitigating potential threats.


Install (Debian 11)


Upgrade installed packages to their latest versions:


  sudo apt update && sudo apt upgrade


Install fail2ban:


  sudo apt install fail2ban


Start fail2ban:


  sudo systemctl start fail2ban


Configure Fail2ban to start automatically at boot:


  sudo systemctl enable fail2ban


To change the default ban settings for all services, put your overrides in /etc/fail2ban/jail.local. Fail2ban reads jail.conf first and then jail.local, and package upgrades overwrite jail.conf but leave jail.local alone. A quick way to get a complete, commented starting point is to copy jail.conf, although a jail.local that contains only the settings you actually change is easier to maintain:


  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local


There is also an /etc/fail2ban/jail.d/ folder for managing individual jails. Files in it (*.conf, then *.local) are read after jail.conf and jail.local, so you can keep a separate file per service. On Debian 11 the package already ships /etc/fail2ban/jail.d/defaults-debian.conf, which enables the sshd jail.


Create your custom jail (example for SSH):


  sudo nano /etc/fail2ban/jail.d/ssh.local


  [sshd]
  enabled = true
  port = ssh
  filter = sshd
  # sshd logs to /var/log/auth.log on a default Debian 11 install (rsyslog); point this at
  # whatever file sshd actually writes to, or the jail will never see a failure
  logpath = /var/log/auth.log
  maxretry = 5
  # failures are only counted if they fall within this window (seconds)
  findtime = 600
  bantime = 3600



bantime: How long (in seconds) an IP stays banned once it trips the jail.

maxretry: The number of failed attempts an IP may make before it is banned.

findtime: The window (in seconds) in which those maxretry failures must occur. Failures older than findtime are forgotten, so slow attacks that stay below the rate are not banned.

ignoreip: Trusted addresses or networks. Anything listed here is never banned, whatever the filter matches. Put your own management address here before enabling a jail so a mistyped password cannot lock you out.

enabled: Tells Fail2ban whether this jail is active or disabled.

port: The port (number or service name) that the ban action blocks for this jail.


After configuring Fail2ban, restart the service for your changes to take effect, then confirm the jail loaded and is counting failures with sudo fail2ban-client status sshd:


  sudo systemctl restart fail2ban