How to Setup Fail2ban on Debian 9 – Vultr.com

Fail2ban, as its name suggests, is a utility that helps protect Linux machines from brute-force attacks on ports that must stay open, especially the SSH port. It watches the relevant log file and, after a configurable number of failed logins from one address, inserts a firewall rule that bans that address for a set time. Since ports needed for system management cannot simply be closed with a firewall, Fail2ban is a useful supplement to the firewall for throttling brute-force traffic on them.

In this article, I will show you how to install and configure Fail2ban to protect the SSH port, the most common attack target, on a Vultr Debian 9 server instance.

Prerequisites

  • A fresh Debian 9 (Stretch) x64 server instance.
  • Logged in as root.
  • All unused ports have been blocked with proper IPTables rules.

Step 1: Update the system

apt update && apt upgrade -y
shutdown -r now

After the system boots up, log back in as root.

Step 2: Modify the SSH port (Optional)

Since the default SSH port number 22 is the first port every automated scanner tries, moving SSH to a lesser-known port, say 38752, cuts most of the login noise. A port scan will still find it, so treat this as a reduction in noise rather than a security control in itself.

sed -i "s/#Port 22/Port 38752/g" /etc/ssh/sshd_config
systemctl restart sshd.service

Keep your current session open and confirm that a second connection to the new port succeeds before going any further; a typo here otherwise locks you out. After the modification, update the IPTables rules accordingly. Note that these rules are appended to the INPUT chain: if an earlier rule already accepts port 22, that rule matches first and the DROP below never applies, so remove or reorder such a rule.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 38752 -j ACCEPT

Save the updated IPTables rules to a file for persistence purposes:

iptables-save > /etc/iptables.up.rules
touch /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables
echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables

In this fashion, the IPTables rules are restored before the network interface comes up, so they persist across reboots. From now on, you will need to connect to SSH on port 38752.

Step 3: Install and configure fail2ban to protect SSH

Use apt to install the stable version of Fail2ban which is currently 0.9.x:

apt install fail2ban -y  

After the installation, the Fail2ban service will start automatically. You can use the following command to show its status:

service fail2ban status  

On Debian, the default Fail2ban jail settings are stored in both the /etc/fail2ban/jail.conf file and the /etc/fail2ban/jail.d/defaults-debian.conf file. Remember that settings in the latter file override the corresponding settings in the former one.

Use the following commands to view more details:

less /etc/fail2ban/jail.conf
cat /etc/fail2ban/jail.d/defaults-debian.conf
fail2ban-client status
fail2ban-client status sshd

For your information, code excerpts about SSH are listed below:

In /etc/fail2ban/jail.conf:

[DEFAULT]

bantime = 600
...
maxretry = 5

[sshd]

port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

In /etc/fail2ban/jail.d/defaults-debian.conf:

[sshd]
enabled = true

Since the contents of the two config files above may be overwritten by future package updates, you should create a local config file to store your own jail settings. Fail2ban reads the .local files in /etc/fail2ban/jail.d after the .conf files, so the settings in this file override the corresponding settings in the two files mentioned above.

vi /etc/fail2ban/jail.d/jail-debian.local  

Input the following lines:

[sshd]
port = 38752
maxretry = 3

Note: Be sure to use your own SSH port. The port setting matters twice: it tells the jail which connections to watch, and it is the port the ban action blocks, so a ban issued with the default "ssh" port would leave port 38752 open. Except for port and maxretry, all other settings keep their default values.

Save and quit:

:wq  

Restart the Fail2ban service in order to load the new configuration:

service fail2ban restart  

Our setup is complete. From now on, if a machine fails SSH authentication on the Debian server's custom SSH port (38752) three times within the findtime window (600 seconds by default), the IP of that potentially malicious machine is banned for 600 seconds (the default bantime). Raise bantime in the same local file if you want longer bans, and add your own management address to ignoreip so a mistyped password cannot lock you out.
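To see how maxretry and findtime interact before trusting the jail on a live machine, the following added example (not code from the article or from the Fail2ban project) emulates the sshd jail's decision in plain awk: it matches the "Failed password ... from <ip>" lines the sshd filter looks for, keeps a sliding window of findtime seconds per source address, and reports every address whose failures within one window reach maxretry. The auth.log excerpt is constructed for the demonstration and uses RFC 5737 documentation addresses; the timestamp conversion assumes all lines fall within one year, which is enough for ordering.

```shell
#!/bin/sh
# Added example: emulate the fail2ban sshd jail's ban decision over sample log
# lines. Not the project's own code; the log excerpt below is constructed.
SAMPLE_LOG='Mar  1 10:00:01 debian sshd[1201]: Failed password for root from 203.0.113.7 port 51042 ssh2
Mar  1 10:00:03 debian sshd[1201]: Failed password for root from 203.0.113.7 port 51042 ssh2
Mar  1 10:00:05 debian sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51050 ssh2
Mar  1 10:00:09 debian sshd[1210]: Failed password for root from 198.51.100.20 port 40310 ssh2
Mar  1 10:12:00 debian sshd[1300]: Failed password for root from 198.51.100.20 port 40320 ssh2
Mar  1 10:25:00 debian sshd[1400]: Failed password for root from 198.51.100.20 port 40330 ssh2
Mar  1 10:25:10 debian sshd[1401]: Accepted publickey for deploy from 192.0.2.9 port 50000 ssh2'

# ips_to_ban MAXRETRY FINDTIME  (log lines on stdin)
# Prints, sorted and one per line, each source IP that accumulates MAXRETRY
# failed logins inside any FINDTIME-second window.
ips_to_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # Only the lines the stock sshd filter would count as a failure.
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        # syslog timestamp (Mon Day HH:MM:SS) -> seconds; month*31+day is a
        # monotone day index, sufficient for comparing lines of one year
        split($3, t, ":")
        secs = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        n[ip]++
        ts[ip, n[ip]] = secs
        # failures from this IP inside the trailing findtime window
        c = 0
        for (i = 1; i <= n[ip]; i++) if (ts[ip, i] > secs - findtime) c++
        if (c >= maxretry) ban[ip] = 1
    }
    END { for (ip in ban) print ip }
    ' | sort
}

# Stand-alone run with the article's jail: maxretry = 3, findtime = 600 (0.9 default).
# 203.0.113.7 fails three times in four seconds and is banned; 198.51.100.20
# spreads its three failures over 25 minutes and stays under the threshold.
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban 3 600
```

Running the same function with a findtime of 3600 also catches the slow attacker at 198.51.100.20, which is the trade-off the two settings control: a short findtime keeps the ban list small and forgives a fumbled password, a long one catches low-and-slow guessing. On the real host, `fail2ban-regex /var/log/auth.log sshd` performs the matching half of this check against the installed filter.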
