This article is outdated and may not work correctly for current operating systems or software.
Fail2ban, as its name suggests, is a utility designed to help protect Linux machines from brute-force attacks on select open ports, especially the SSH port. For the sake of system functionality and management, these ports cannot be closed using a firewall. Under this circumstance, it's a good idea to use Fail2ban as a supplementary security measure to a firewall to restrict brute-force attack traffic on these ports.
In this article, I will show you how to install and configure Fail2ban to protect the SSH port, the most common attack target, on a Vultr Debian 9 server instance.
A fresh Debian 9 (Stretch) x64 server instance.
Logged in as
All unused ports have been blocked with proper IPTables rules.
apt update && apt upgrade -y shutdown -r now
After the system boots up, log back in as
Since the default SSH port number
22 is too popular to ignore, changing it to a lesser-known port number, say
38752 would be a smart decision.
sed -i "s/#Port 22/Port 38752/g" /etc/ssh/sshd_config systemctl restart sshd.service
After the modification, you need to update IPTables rules accordingly:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP iptables -A INPUT -p tcp --dport 38752 -j ACCEPT
Save the updated IPTables rules to a file for persistence purposes:
iptables-save > /etc/iptables.up.rules touch /etc/network/if-pre-up.d/iptables chmod +x /etc/network/if-pre-up.d/iptables echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables
In this fashion, IPTables rules will be persistent even after a system reboot. From now on, you will need to log in from the
apt to install the stable version of Fail2ban which is currently
apt install fail2ban -y
After the installation, the Fail2ban service will start automatically. You can use the following command to show its status:
service fail2ban status
On Debian, the default Fail2ban filter settings will be stored in both the
/etc/fail2ban/jail.conf file and the
/etc/fail2ban/jail.d/defaults-debian.conf file. Remember that settings in the latter file will override corresponding settings in the former one.
Use the following commands to view more details:
cat /etc/fail2ban/jail.conf | less cat /etc/fail2ban/jail.d/defaults-debian.conf fail2ban-client status fail2ban-client status sshd
For your information, code excerpts about SSH are listed below:
[DEFAULT] bantime = 600 ... maxretry = 5 [sshd] port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
[sshd] enabled = true
Since the contents in the two config files above might change in future system updates, you should create a local config file to store your own fail2ban filter rules. Again, the settings in this file will override corresponding settings in the two files mentioned above.
Input the following lines:
[sshd] port = 38752 maxretry = 3
Note: Be sure to use your own SSH port. Except for
maxretry mentioned above, all other settings will use the default values.
Save and quit:
Restart the Fail2ban service in order to load the new configuration:
service fail2ban restart
Our setup is complete. From now on, if any machine sends incorrect SSH credentials to the Debian server's custom SSH port (
38752) more than three times, the IP of this potentially malicious machine will be banned for 600 seconds.