Learn How To Setup Fail2ban on Debian 9
Table of Contents
- Step 1: Update the system
- Step 2: Modify the SSH port (Optional)
- Step 3: Install and configure fail2ban to protect SSH
Fail2ban, as its name suggests, is a utility designed to help protect Linux machines from brute-force attacks on select open ports, especially the SSH port. For the sake of system functionality and management, these ports cannot be closed using a firewall. Under this circumstance, it’s a good idea to use Fail2ban as a supplementary security measure to a firewall to restrict brute-force attack traffic on these ports.
In this article, I will show you how to install and configure Fail2ban to protect the SSH port, the most common attack target, on an ITWeb.Services Debian 9 server instance.
- A fresh Debian 9 (Stretch) x64 server instance.
- Logged in as
- All unused ports have been blocked with proper IPTables rules.
Step 1: Update the system
```
apt update && apt upgrade -y
shutdown -r now
```
After the system boots up, log back in as
Step 2: Modify the SSH port (Optional)
Since the default SSH port number 22 is too popular to ignore, changing it to a lesser-known port number, say 38752, would be a smart decision.
```
sed -i "s/#Port 22/Port 38752/g" /etc/ssh/sshd_config
systemctl restart sshd.service
```
After the modification, you need to update IPTables rules accordingly:
```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 38752 -j ACCEPT
```
Save the updated IPTables rules to a file for persistence purposes:
```
iptables-save > /etc/iptables.up.rules
touch /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables
echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables
```
In this fashion, IPTables rules will be persistent even after a system reboot. From now on, you will need to log in from the
Step 3: Install and configure fail2ban to protect SSH
Use apt to install the stable version of Fail2ban, which is currently
```
apt install fail2ban -y
```
After the installation, the Fail2ban service will start automatically. You can use the following command to show its status:
```
service fail2ban status
```
On Debian, the default Fail2ban filter settings are stored in both the /etc/fail2ban/jail.conf file and the /etc/fail2ban/jail.d/defaults-debian.conf file. Remember that settings in the latter file override the corresponding settings in the former.
Use the following commands to view more details:
```
cat /etc/fail2ban/jail.conf | less
cat /etc/fail2ban/jail.d/defaults-debian.conf
fail2ban-client status
fail2ban-client status sshd
```
For your information, code excerpts about SSH are listed below:
```
[DEFAULT]
bantime = 600
...
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
```
[sshd]
enabled = true
```
Since the contents in the two config files above might change in future system updates, you should create a local config file to store your own fail2ban filter rules. Again, the settings in this file will override corresponding settings in the two files mentioned above.
Input the following lines:
```
[sshd]
port = 38752
maxretry = 3
```
Note: Be sure to use your own SSH port. Except for the port and the maxretry value set above, all other settings keep their default values.
Save and quit:
Restart the Fail2ban service in order to load the new configuration:
```
service fail2ban restart
```
Our setup is complete. From now on, if any machine sends incorrect SSH credentials to the Debian server’s custom SSH port (38752) more than three times, the IP of this potentially malicious machine will be banned for 600 seconds.