What is Fail2Ban?
Fail2Ban is an application that runs as a service on your Linux system. It monitors your system for malicious activity such as brute-force login attempts. In this day and age the internet is scanned in its entirety quite often, and it is not uncommon to expose a new Linux installation to the internet and start seeing login attempts within minutes. These so-called bots attempt logins at a predefined rate until they either succeed or are blocked. Fail2Ban can monitor SSH and many other services, and the sources of those attempts can be jailed for a set amount of time, or permanently.
- A Debian 9 (stretch) installation
- Logged in as root, or preface all commands with sudo
- An idea of how long you want your ban and retry settings
Step 1: Update your installation
First things first: refresh the apt package lists and upgrade any installed packages.
Step 2: Install Fail2ban
Step 3: Tweak your configuration
In /etc/fail2ban/jail.conf you will find the settings you need to tweak to your needs.
Let's talk about these settings for a minute.
bantime – This is how long an offending host is banned, in seconds. Personally I raise this number greatly. I do not want bots bombarding my server; once they get banned, I would rather just let them stay banned.
findtime – This one may be fine at the default, or you may want to raise it. Bots know the defaults, so they slow their attempts to fit under these settings, hoping to slip past fail2ban's defaults.
maxretry – Remember, this is the number of retries within the findtime, so the default is 5 tries in 10 minutes.
For more detail on the settings, there is a good article here on blocking persistent threats.
Step 4: Restart fail2ban
You can also check the status at any time with the status command.
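As an added illustration of how findtime and maxretry interact (this is not code from the tutorial or from the fail2ban project), the Python script below replays constructed sshd log lines through a simplified model of fail2ban's counting. The log lines, the hosts in them and the year assumed for the timestamps are made up, and the regex is a cut-down version of what the real sshd filter matches.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (made-up hosts): 203.0.113.5 fails five times in
# 8 seconds; 198.51.100.9 spaces five attempts 3 minutes apart to stay under 5 per 10 min.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 4422 ssh2
Mar  3 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 4423 ssh2
Mar  3 10:00:05 host sshd[1003]: Failed password for admin from 203.0.113.5 port 4424 ssh2
Mar  3 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 4425 ssh2
Mar  3 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.5 port 4426 ssh2
Mar  3 10:00:10 host sshd[1006]: Failed password for root from 198.51.100.9 port 5000 ssh2
Mar  3 10:03:10 host sshd[1007]: Failed password for root from 198.51.100.9 port 5001 ssh2
Mar  3 10:06:10 host sshd[1008]: Failed password for root from 198.51.100.9 port 5002 ssh2
Mar  3 10:09:10 host sshd[1009]: Failed password for root from 198.51.100.9 port 5003 ssh2
Mar  3 10:12:10 host sshd[1010]: Failed password for root from 198.51.100.9 port 5004 ssh2
"""

# Simplified form of the "Failed password" pattern in fail2ban's sshd filter.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port")

def parse_failures(log_text, year=2024):
    """Return [(timestamp, ip), ...] for each failed-login line (syslog lines carry no year)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group(2)))
    return failures

def simulate_bans(failures, maxretry=5, findtime=600, bantime=600):
    """Replay failures in time order the way fail2ban counts them: a source is banned
    at the failure that brings it to maxretry failures within the last findtime seconds,
    and its failures are ignored while the ban lasts. Returns {ip: time of first ban}."""
    recent, banned_until, bans = {}, {}, {}
    for ts, ip in sorted(failures):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still jailed; nothing to count
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans.setdefault(ip, str(ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []  # counter resets once the source is jailed
    return bans
```

With the defaults (5 failures in 600 seconds) only the fast host is banned, while raising findtime to 1200 also catches the host pacing itself at 3-minute intervals, which is exactly the behaviour described under findtime above. Put your overrides in /etc/fail2ban/jail.local rather than editing jail.conf directly, since package upgrades overwrite jail.conf.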