Fail2ban is a free, open-source and very useful Python-based tool that stops repeated attacks on a server and helps prevent intrusion into your system. It scans the operating system's log files and blocks the IP addresses of attackers who have repeatedly tried to log in to the server. In this article we walk through the Tutorial Setup Fail2ban on Debian 10, 9. Note that you can visit the packages available in Eldernode if you want to buy a Linux VPS server.
How to Setup Fail2ban on Debian 10 step by step
Fail2ban blocks IP addresses that are suspected of malicious activity by scanning log files: for example, too many incorrect passwords, or attempts to exploit other services. Fail2ban then updates the firewall rules to block those IP addresses for a specified period of time.
Most Linux servers expose the command line console over SSH on port 22. Because this is a well-known port, it is attacked very often. Fail2ban scans the log files for login attempts as they happen and blocks an attacker's IP with the firewalld or iptables firewall. In other words, this tool detects unwanted access attempts against the server in real time and reports the IP addresses that show signs of a brute force attack.
In the rest of this article, join us as we show you how to install Fail2ban on Debian 10.
Introducing Fail2ban [Complete]
Fail2ban is a service written in Python that acts as a protective layer. It protects servers against brute-force attacks, which work by trial and error: the attacker keeps guessing credentials in order to infiltrate the server and steal users' information.
There are many bots that do this automatically. Such a bot sends login requests one after another; each request is a guess, and the bot hopes that one of its guesses will match the credentials the server expects and grant it access.
Fail2ban can even help prevent DDoS attacks. For example, if the number of HTTP requests from a single IP exceeds a set limit, Fail2ban starts banning the IP addresses that have gone over that limit.
You might say that securing websites and applications with software firewalls and restricting access is already good, so why use Fail2ban? The answer is that those measures are only the beginning of securing your systems and websites: any service that has a public login and asks for a username and password will certainly attract such attacks. So you have to prepare for them, and Fail2ban, as a free, open-source program that is light and simple, can help you a lot here.
How Fail2ban works
As the name of this service suggests: fail, and you get banned. For example, suppose a user tries to log in and repeatedly submits his username with several different passwords, say 5 times in 30 minutes. Fail2ban quickly blocks that user's access to the site for a period of time that you (as the admin) define, so the user cannot even keep trying his username and password.
Rules can also be written for other suspicious behaviour, for example a user who logs in and out more than 10 times in an hour. As explained above, brute-force attacks look exactly like this: if a bot keeps trying, it is easily banned and can no longer use that particular IP.
When a user tries to log in and fails, there is always a log entry for it. Fail2ban checks those log files, and if the pattern looks suspicious, then after a few unsuccessful attempts it bans the user, bot or whatever it is, based on the IP address, and its access is cut off. If the behaviour repeats, the IP can be banned permanently.
Install Fail2ban on Debian 10 | Debian 9
Now we turn to installing Fail2ban on Debian 10. Just follow the steps below. The first step is to update the system with the following commands:
sudo apt update
sudo apt upgrade
You can now install Fail2ban by running the following command:
sudo apt install fail2ban
After you have successfully installed Fail2ban, you can now use the following command to check and confirm the status of the service:
sudo systemctl status fail2ban
Note that the Fail2ban service starts automatically after completing the installation process.
Setup Fail2ban on Debian 10
In this step, we will get to how to set up Fail2ban on Debian. After installation, you need to copy the default jail.conf file to create the local configuration using the following command:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then you need to open the new local configuration file for editing using the following command:
sudo nano /etc/fail2ban/jail.local
First, set the basic items in the [DEFAULT] section. ignoreip lists the IP addresses that must never be banned, so that you do not lock out yourself or trusted hosts. bantime sets how long (in seconds) an offending host stays blocked before it is automatically unblocked. Finally, check findtime and maxretry: a host IP is blocked from connecting when it fails maxretry times within a window of findtime seconds.
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 3600
findtime = 600
maxretry = 3
A useful extra: if you have a Sendmail service configured on your cloud server, you can enable email notifications from Fail2ban by entering your email address in the destemail parameter and changing action = %(action_)s to action = %(action_mw)s.
Once you have done the basic configuration, look at the different jails available further down in the configuration file. Jails are the rules that Fail2ban applies to a given application or log file. The SSH jail settings, which you can find at the top of the jails list, are enabled by default:
[sshd]
enabled = true
Save the configuration file and exit the editor. Then restart the Fail2ban service with the following command:
sudo service fail2ban restart
Now you can check your iptables rules for the newly added chains belonging to each jail you enabled:
sudo iptables -L
Finally, you can manually ban and unban IP addresses with the following commands:
sudo fail2ban-client set <jail> banip <ip address>
sudo fail2ban-client set <jail> unbanip <ip address>
Now you can start Fail2ban using the following command:
sudo systemctl start fail2ban
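To make the findtime, maxretry, bantime and ignoreip settings from the [DEFAULT] section above concrete, and to show the fail-then-ban logic described in the "How Fail2ban works" section together with the manual banip/unbanip controls, here is an added example in Python. It is not Fail2ban's own code and not part of the original article: it reads a constructed jail.local (matching the values in this tutorial, plus a trusted host in ignoreip) with Python's configparser, then replays constructed sshd "Failed password" log lines through a small sliding-window model of a jail. The Jail class, the log lines and the IP addresses are all assumptions made for this example.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque

# Constructed jail.local for this example; mirrors the settings in the
# article and adds a trusted host to ignoreip. Not copied from a real server.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.10
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
"""

# Constructed sshd log lines in auth.log style. Timestamps are plain epoch
# seconds so the example needs no date parsing.
SAMPLE_LOG = [
    (1000, "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"),
    (1100, "Failed password for root from 203.0.113.5 port 51240 ssh2"),
    (1200, "Failed password for root from 203.0.113.5 port 51241 ssh2"),  # 3rd failure in 600 s
    (1300, "Failed password for root from 192.0.2.10 port 40000 ssh2"),
    (1400, "Failed password for root from 192.0.2.10 port 40001 ssh2"),
    (1500, "Failed password for root from 192.0.2.10 port 40002 ssh2"),  # in ignoreip, never banned
    (2000, "Failed password for root from 198.51.100.7 port 1 ssh2"),
    (2700, "Failed password for root from 198.51.100.7 port 2 ssh2"),  # first failure has aged out
    (3400, "Failed password for root from 198.51.100.7 port 3 ssh2"),  # never 3 inside one window
]

# Matches the sshd failure line; IPv4 or IPv6 literal after "from".
FAILED_RE = re.compile(r"Failed password for .* from (?P<ip>[0-9a-fA-F:.]+) port \d+")


def load_jail(text):
    """Read the [sshd] jail; values not set there are inherited from [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["sshd"]
    return {
        "enabled": sec.getboolean("enabled"),
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec["ignoreip"].split()],
    }


class Jail:
    """Minimal model of one jail: count failures per IP inside findtime, ban on maxretry."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}  # ip -> time at which the ban expires

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.cfg["ignoreip"])

    def is_banned(self, ip, now):
        exp = self.bans.get(ip)
        if exp is not None and exp <= now:
            del self.bans[ip]  # bantime elapsed: automatic unban
            return False
        return exp is not None

    def ban(self, ip, now):  # same effect as: fail2ban-client set sshd banip <ip>
        self.bans[ip] = now + self.cfg["bantime"]

    def unban(self, ip):  # same effect as: fail2ban-client set sshd unbanip <ip>
        self.bans.pop(ip, None)

    def feed(self, ts, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAILED_RE.search(line)
        if not m or not self.cfg["enabled"]:
            return None
        ip = m.group("ip")
        if self._ignored(ip) or self.is_banned(ip, ts):
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and window[0] <= ts - self.cfg["findtime"]:
            window.popleft()  # drop failures older than findtime
        if len(window) >= self.cfg["maxretry"]:
            self.ban(ip, ts)
            window.clear()
            return ip
        return None


def run(cfg_text=JAIL_LOCAL, log=SAMPLE_LOG):
    """Replay the sample log through the jail; return (jail, list of banned IPs)."""
    jail = Jail(load_jail(cfg_text))
    hits = [jail.feed(ts, line) for ts, line in log]
    return jail, [ip for ip in hits if ip]


if __name__ == "__main__":
    jail, banned = run()
    print("banned:", banned)  # expected: ['203.0.113.5']
```

Replaying the log bans only 203.0.113.5, which failed three times within 600 seconds; the trusted host in ignoreip is never counted, and 198.51.100.7 spreads its failures out so that no window of findtime seconds ever holds maxretry of them. This is also why the real service needs ignoreip to be set before you enable a jail: the counting logic alone cannot tell an admin with a mistyped password from an attacker.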
Note also that after installing Fail2ban you can refer to the article How to use Fail2ban to secure Linux Server.
Fail2ban is an intrusion prevention framework that works together with the firewall or other access-control system installed on your server. It is usually used to block further connection attempts from a host after several unsuccessful ones. In this article we showed you how to set up Fail2ban on Debian 10. You can also read our articles on how to install Fail2ban on Fedora 33 and CentOS 8 if you wish.