Fail2Ban is a powerful log-parsing application that provides an additional layer of security to Linux systems, particularly those running services that interact with the internet, such as SSH (Secure Shell). Its primary goal is to monitor log files for suspicious activity and dynamically modify firewall rules to block IP addresses exhibiting malicious behavior.
In this tutorial, we will walk you through the process of installing and configuring Fail2Ban to protect your SSH service on a Debian 12 server. By following these steps, you can enhance the security of your system and mitigate the risk of unauthorized access.
Step 1: Updating the System
Before installing any new software, it’s crucial to ensure that your system is up to date. To update your Debian 12 system, run the following commands:
apt update -y
apt upgrade -y
These commands will update the package lists and upgrade any outdated packages on your system.
Step 2: Installing Fail2Ban
To install Fail2Ban on your Debian 12 server, use the following command:
apt install fail2ban -y
This command will install the Fail2Ban package along with its dependencies.
Step 3: Installing and Configuring the Firewall
A firewall is an essential component of any secure system. In this step, we will install and configure the Uncomplicated Firewall (UFW) on your Debian 12 server.
To install UFW, execute the following command:
apt install ufw -y
After the installation is complete, enable UFW using the following command:
ufw enable
By default, UFW denies all incoming connections, so SSH must be allowed explicitly. If you are connected over SSH, do this before closing your current session. Execute the following command to allow SSH traffic:
ufw allow 22
Finally, reload the UFW configuration to apply the changes:
ufw reload
Step 4: Configuring Fail2Ban for SSH
Now that Fail2Ban and UFW are installed, we can proceed with configuring Fail2Ban to protect SSH on your Debian 12 server.
Start by creating a copy of the default Fail2Ban configuration file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Next, open the jail.local file in a text editor. We will use nano in this tutorial:
nano /etc/fail2ban/jail.local
Inside the jail.local file, locate the [sshd] section. This section contains the configuration settings specifically for SSH.
Ensure that the following configurations are set:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Let’s break down these configuration settings:
enabled: Set this to true to enable the SSH rule.
port: Specify the port where your SSH service is running. The default port for SSH is 22, so we will use ssh.
filter: Specify the filter to be used. In this case, we want to use the sshd filter.
logpath: Set the path to the SSH log file. On Debian 12, the default log file is located at /var/log/auth.log.
maxretry: Define the number of failures allowed before an IP address is banned. In this tutorial, we will set it to 3.
Save and close the file when you’re done.
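To see how maxretry turns log lines into a ban decision, here is an added example (not part of the original tutorial and not Fail2Ban's own code) that counts failed logins per IP over constructed auth.log lines. It assumes a 600-second window, matching Fail2Ban's default findtime of 10m, and uses one simplified pattern in place of the real sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 3      # same value as maxretry in the [sshd] jail above
FINDTIME = 600    # seconds; assumption: Fail2Ban's default findtime of 10m

# Simplified pattern (assumption): the real sshd filter matches many more messages.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample lines in the traditional auth.log format.
SAMPLE_LOG = """\
Nov 10 22:01:10 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 10 22:01:14 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 10 22:01:30 srv sshd[2107]: Accepted password for alice from 198.51.100.4 port 51514 ssh2
Nov 10 22:01:41 srv sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 40188 ssh2
Nov 10 22:03:00 srv sshd[2115]: Failed password for bob from 198.51.100.9 port 33010 ssh2
Nov 10 22:20:00 srv sshd[2130]: Failed password for bob from 198.51.100.9 port 33100 ssh2
Nov 10 22:21:00 srv sshd[2131]: Failed password for bob from 198.51.100.9 port 33101 ssh2
"""

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, year=2023):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S}")
```

The second address also fails three times, but its failures are spread over more than ten minutes, so it never reaches the threshold inside the window.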
Step 5: Restarting Fail2Ban
To apply the changes made to the Fail2Ban configuration, we need to restart the Fail2Ban service. Execute the following command:
systemctl restart fail2ban
This command will restart the Fail2Ban service and activate the new configuration.
Step 6: Verifying Fail2Ban Status
To confirm that Fail2Ban is running correctly, you can check the status of the service using the following command:
systemctl status fail2ban
If Fail2Ban is running properly, you should see an output similar to the following:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 22:05:03 UTC; 40min ago
       Docs: man:fail2ban(1)
   Main PID: 15873 (fail2ban-server)
      Tasks: 5 (limit: 4644)
     Memory: 14.0M
        CPU: 503ms
     CGroup: /system.slice/fail2ban.service
             └─15873 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
This output confirms that Fail2Ban is active and running on your system.
Step 7: Checking Jail Status
To check the status of the SSH jail in Fail2Ban, use the following command:
fail2ban-client status sshd
This command will display information about the SSH jail, including the number of currently banned IP addresses.
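For monitoring, the jail status can be turned into structured data. The following added example (not from the original tutorial) parses a constructed sample of the command's output; the counts and addresses are made up, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `fail2ban-client status sshd` output (addresses are
# documentation ranges, counts are made up).
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     57
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     9
   `- Banned IP list:   203.0.113.7 198.51.100.23
"""

# Skip the tree-drawing prefix, then capture "key: value".
FIELD = re.compile(r"^[\s|`-]*(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

def parse_jail_status(text):
    """Parse the status tree into a dict; counters become int, IPs are validated."""
    status = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers such as "|- Filter" carry no value
        key = m["key"].strip().lower().replace(" ", "_")
        value = m["value"].strip()
        if key == "banned_ip_list":
            # ip_address() raises ValueError on anything that is not an IP.
            status[key] = [str(ipaddress.ip_address(ip)) for ip in value.split()]
        elif value.isdigit():
            status[key] = int(value)
        else:
            status[key] = value
    return status

def check_consistency(status):
    """The banned counter should equal the number of listed addresses."""
    return status["currently_banned"] == len(status["banned_ip_list"])

if __name__ == "__main__":
    parsed = parse_jail_status(SAMPLE_STATUS)
    print(parsed["currently_banned"], "banned:", ", ".join(parsed["banned_ip_list"]))
```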
Step 8: Unbanning an IP Address
If you need to unban an IP address that was previously blocked by Fail2Ban, you can use the following command:
fail2ban-client set sshd unbanip <IP_Address>
Replace <IP_Address> with the actual IP address you want to unban.
Step 9: Banning an IP Address
To ban an IP address manually, use the following command:
fail2ban-client set sshd banip <IP_Address>
Replace <IP_Address> with the IP address you want to ban.
Conclusion
Congratulations! You have successfully installed and configured Fail2Ban to protect your SSH service on Debian 12. By implementing Fail2Ban, you have taken an important step towards enhancing the security of your system and preventing unauthorized access.
Remember to regularly monitor the Fail2Ban logs and adjust the configuration settings based on your specific requirements. This will help you fine-tune the protection provided by Fail2Ban and ensure the highest level of security for your Debian 12 server.