How to Setup Fail2ban on Debian 9

Last Updated: Wed, Sep 13, 2017
Debian Linux Guides Server Apps
Archived content

This article is outdated and may not work correctly for current operating systems or software.

Fail2ban, as its name suggests, is a utility designed to help protect Linux machines from brute-force attacks on select open ports, especially the SSH port. For the sake of system functionality and management, these ports cannot be closed using a firewall. Under this circumstance, it's a good idea to use Fail2ban as a supplementary security measure to a firewall to restrict brute-force attack traffic on these ports.

In this article, I will show you how to install and configure Fail2ban to protect the SSH port, the most common attack target, on a Vultr Debian 9 server instance.

Prerequisites

  • A fresh Debian 9 (Stretch) x64 server instance.

  • Logged in as root.

  • All unused ports have been blocked with proper IPTables rules.

Step 1: Update the system

apt update && apt upgrade -y

shutdown -r now

After the system boots up, log back in as root.

Step 2: Modify the SSH port (Optional)

Since the default SSH port number 22 is too popular to ignore, changing it to a lesser-known port number, say 38752, would be a smart decision.

sed -i "s/#Port 22/Port 38752/g" /etc/ssh/sshd_config

systemctl restart sshd.service

After the modification, you need to update IPTables rules accordingly:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

iptables -A INPUT -p tcp --dport 38752 -j ACCEPT

Save the updated IPTables rules to a file for persistence purposes:

iptables-save > /etc/iptables.up.rules

touch /etc/network/if-pre-up.d/iptables

chmod +x /etc/network/if-pre-up.d/iptables

echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables

echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables

In this fashion, the IPTables rules will persist across system reboots. From now on, you will need to log in via port 38752.
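The two echo commands above append to the hook file, so running them a second time leaves the script with two shebang lines and two restore commands. The following is an added example, not part of the original article, that writes the same hook idempotently, validates the chosen port number before generating the Step 2 rules, and takes the file paths as parameters so it can be exercised in a scratch directory first. The function names (valid_port, write_restore_hook, ssh_port_rules) are my own.

```sh
#!/bin/sh
# Added example (not from the original article). Helpers for Step 2:
#   valid_port         - sanity-check a port number before it goes into sshd/iptables
#   write_restore_hook - write the if-pre-up.d restore hook with > instead of >>,
#                        so re-running it does not duplicate lines
#   ssh_port_rules     - print the Step 2 iptables commands for review
# Paths are parameters; the article's real targets are
# /etc/network/if-pre-up.d/iptables and /etc/iptables.up.rules.

# Return 0 only if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 = hook path, $2 = saved rules file.
# Overwrites the hook each time, so the result is always exactly two lines.
write_restore_hook() {
    hook=$1
    rules=$2
    cat > "$hook" <<EOF
#!/bin/sh
/sbin/iptables-restore < $rules
EOF
    chmod 0755 "$hook"
}

# Print the article's three rules for a custom SSH port ($1) on stdout.
# Review them, then run with: ssh_port_rules 38752 | sh
ssh_port_rules() {
    port=$1
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    printf '%s\n' \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport 22 -j DROP" \
        "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
}
```

The ESTABLISHED,RELATED rule is what keeps your current session alive once port 22 is dropped; before applying the rules, open a second terminal and confirm you can actually reach sshd on the new port, so that a typo in the port number does not lock you out of the instance.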

Step 3: Install and configure fail2ban to protect SSH

Use apt to install the stable version of Fail2ban which is currently 0.9.x:

apt install fail2ban -y

After the installation, the Fail2ban service will start automatically. You can use the following command to show its status:

service fail2ban status

On Debian, the default Fail2ban jail settings are stored in both the /etc/fail2ban/jail.conf file and the /etc/fail2ban/jail.d/defaults-debian.conf file. Remember that settings in the latter file override the corresponding settings in the former.

Use the following commands to view more details:

less /etc/fail2ban/jail.conf

cat /etc/fail2ban/jail.d/defaults-debian.conf

fail2ban-client status

fail2ban-client status sshd

For your information, code excerpts about SSH are listed below:

In /etc/fail2ban/jail.conf:

[DEFAULT]
bantime = 600
...
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

In /etc/fail2ban/jail.d/defaults-debian.conf:

[sshd]

enabled = true

Since the contents of the two config files above might change in future system updates, you should create a local config file to hold your own jail settings. Again, the settings in this file override the corresponding settings in the two files mentioned above.

vi /etc/fail2ban/jail.d/jail-debian.local

Input the following lines:

[sshd]

port = 38752

maxretry = 3

Note: Be sure to use your own SSH port. Apart from port and maxretry, which are set above, all other settings keep their default values.

Save and quit:

:wq

Restart the Fail2ban service in order to load the new configuration:

service fail2ban restart

Our setup is complete. From now on, if any machine sends incorrect SSH credentials to the Debian server's custom SSH port (38752) more than three times, the IP of this potentially malicious machine will be banned for 600 seconds.
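Because the effective [sshd] jail is assembled from three files with a fixed precedence, it is worth being able to see which value actually wins before trusting the setup. The following is an added example, not part of the original article: it constructs copies of the three files shown above in a scratch directory, lists them in the order Fail2ban 0.9 reads them (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local), and resolves a single setting the way Fail2ban does, with a section-specific value beating a [DEFAULT] value and later files beating earlier ones. The function names (make_demo_config, jail_config_files, effective_value) are mine, the constructed jail.conf also carries findtime, which is Fail2ban's upstream default and not shown in the article's excerpt, and %(...)s interpolation is deliberately left unexpanded.

```sh
#!/bin/sh
# Added example (not from the original article). Resolves the effective value
# of one jail setting across the Fail2ban configuration files in load order.

# Write constructed copies of the three files discussed in Step 3 under $1.
make_demo_config() {
    dir=$1
    mkdir -p "$dir/jail.d"
    cat > "$dir/jail.conf" <<'EOF'
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
    cat > "$dir/jail.d/defaults-debian.conf" <<'EOF'
[sshd]
enabled = true
EOF
    cat > "$dir/jail.d/jail-debian.local" <<'EOF'
[sshd]
port = 38752
maxretry = 3
EOF
}

# Print the existing config files under $1, one per line, in Fail2ban's load
# order: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
jail_config_files() {
    dir=$1
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        echo "$f"
    done
    return 0
}

# effective_value SECTION KEY FILE... ; prints the winning value, or nothing.
# Later files override earlier ones; a value in SECTION overrides [DEFAULT].
effective_value() {
    section=$1; key=$2; shift 2
    awk -v want_sec="$section" -v want_key="$key" '
        FNR == 1 { sec = "" }                       # sections do not carry across files
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^\[.*\]/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != want_key) next
            if (sec == want_sec) found = v          # last assignment wins
            else if (sec == "DEFAULT") def = v
        }
        END { if (found != "") print found; else if (def != "") print def }
    ' "$@"
}

# Usage: d=$(mktemp -d); make_demo_config "$d"
#        effective_value sshd maxretry $(jail_config_files "$d")   -> 3
```

On the server itself, `fail2ban-client -d` dumps the configuration Fail2ban has actually parsed, which is the authoritative check; this example only reproduces the override order described in the article so the result (port 38752, maxretry 3, bantime 600 from [DEFAULT], enabled true from defaults-debian.conf) is easy to reason about.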
