How to Install & Configure Fail2ban on Debian 11

Fail2ban is an intrusion prevention framework that protects servers primarily against brute-force attacks; it can also ban abusive user agents, URL scanners and more. It works by reading the access and error logs of your server and web applications, matching lines against per-service filters, and temporarily banning the offending IP address through a firewall rule once that address exceeds a failure threshold. Fail2ban is written in Python.

The following tutorial will teach you how to install Fail2ban and do some configurations with complete examples and essential tips to get you started on Debian 11 Bullseye.

Prerequisites

  • Recommended OS: Debian 11 Bullseye
  • User account: A user account with sudo or root access.
  • Required Packages: wget

Update Operating System

Update your Debian operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

The tutorial will be using the sudo command and assuming you have sudo status.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@debian~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Debian.

To use the root account, use the following command with the root password to log in.

su

Install Fail2ban

Fail2ban is included in the standard Debian 11 Bullseye repositories, so it installs with a single apt command:

sudo apt install fail2ban

Type Y, then press Enter to confirm and complete the installation.

On Debian the package starts the service and enables it at boot as part of the installation. To verify this, use the following systemctl command:

sudo systemctl status fail2ban

If your fail2ban service is not activated, run the following commands to start and, if desired, enable it on system boot by default:

sudo systemctl start fail2ban

Then to enable fail2ban on system boot, use the following:

sudo systemctl enable fail2ban

Lastly, verify the version and build of fail2ban:

fail2ban-client --version

Example output:

Fail2Ban v0.11.2

The Debian 11 package ships Fail2ban 0.11.2, released 2020/11/23 under the release name "heal the world with security tools". The 0.11 series is the one that introduced the ban time increment feature used later in this guide. To see where your installed build sits in the release history, visit the releases page of the Fail2ban GitHub project.

Configure Fail2ban

After completing the installation, we need to do some basic configuration. Fail2ban ships two jail configuration files: /etc/fail2ban/jail.conf, which holds the defaults and the definition of every stock jail, and the Debian drop-in /etc/fail2ban/jail.d/defaults-debian.conf, which enables only the sshd jail. Do not edit either file: they belong to the package and will be overwritten by the next update.

Instead, put your changes in files ending in .local. Fail2ban reads jail.conf first, then jail.d/*.conf, then jail.local and finally jail.d/*.local, and a setting found in a later file overrides the same setting from an earlier one, so your .local values win and survive package updates. The same .conf/.local pairing applies to the files under filter.d and action.d. A jail.local only needs to contain the lines you change; copying the whole jail.conf, as done below, keeps the commented documentation next to each setting while you work, at the cost of freezing every 0.11.2 default in your copy.

To do this, use the following command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now open the configuration file to proceed with configuring:

sudo nano /etc/fail2ban/jail.local

Next, the tutorial walks through some settings you can adopt or modify to your liking. Most settings in the file are commented out; the tutorial uncomments the lines in question or modifies existing ones. Settings in the [DEFAULT] section apply to every jail unless a jail overrides them.

These are optional settings. Once you know Fail2ban better, set whatever suits your environment.

Ban Time Increment

The first setting you will come across is bantime.increment. Set it to true and every time a previously banned address is banned again, the ban lasts longer. That keeps the daemon from re-banning the same host every few minutes when your base ban time is short: with a 1 hour base, an attacker returning for the fifth time should be locked out for much longer than an hour.

The growth is controlled either by a formula, scaled by bantime.factor, or by bantime.multipliers, a space-separated list of factors applied to the base ban time on the first, second, third and later bans. This guide uses multipliers because the progression is explicit and easy to adjust: with the stock list 1 2 4 8 16 32 64 a 1 hour ban becomes 2, 4, 8, 16, 32 and then 64 hours, and once the list is exhausted the last multiplier is reused. bantime.maxtime caps the result (for example 1w), and bantime.rndtime adds a random component so a botnet cannot predict the exact moment a ban lifts. By default the repeat count is tracked per jail; bantime.overalljails = true shares it across all jails. Ban history lives in the SQLite database configured by dbfile in /etc/fail2ban/fail2ban.conf, which is also why bans survive a restart of the service; dbpurgeage in that file controls how long old records are kept.

Whitelist IPs in Fail2ban

Next in the list come the whitelisting options. Uncomment ignoreip and add any addresses that must never be banned, typically your own management address:

ignoreip = 127.0.0.1/8 ::1 192.167.5.5

Separate entries with a space or a comma. CIDR ranges and DNS hostnames are accepted as well, and the list applies to every jail, so keep it short: an over-broad range here silently disables Fail2ban for everything inside it. The server's own addresses are already excluded by the default ignoreself = true. Replace 192.167.5.5 with your actual address.

Default Ban Time Set-Up

The defaults are bantime = 10m, findtime = 10m and maxretry = 5. Read together: a jail bans an address for 10 minutes (bantime) once it has seen 5 matching failures (maxretry) from that address within a 10 minute window (findtime). Values accept the suffixes s, m, h, d and w, so 48h and 1d are valid. Set the defaults you want here in the [DEFAULT] section.

When you get to the jails, it is advisable to override these per jail: some offences deserve a longer ban than others, and the retry count should be lower where a single hit is already conclusive (a bad bot announcing itself in its user agent) and higher where legitimate users mistype passwords.
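As an added worked example, not code from the original article or from the Fail2ban project, the following Python script models the settings discussed in the last three sections so you can check what a given jail.local would do before deploying it: a duration parser for values such as 10m or 48h, an ignoreip check with CIDR matching, the findtime/maxretry trigger, and the bantime.increment progression using the multipliers rule documented in jail.conf (base time times bantime.factor times the multiplier for the current repeat count, capped by bantime.maxtime). The trigger logic is a simplified sliding window rather than Fail2ban's exact internal bookkeeping, and every value in it is constructed for illustration.

```python
# Added example: a stand-alone model of jail.local ban settings.
# This is not Fail2ban's own code; it re-implements the documented behaviour
# closely enough to sanity-check a configuration before deploying it.
import ipaddress

# fail2ban accepts unit suffixes on bantime/findtime; this parser handles a
# single unit (e.g. "10m", "48h", "1d", "1w") or a plain number of seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def str2seconds(value):
    """Turn "10m", "48h", "1d" or "600" into a number of seconds."""
    value = str(value).strip().lower()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


def is_ignored(ip, ignoreip):
    """True if ip matches any address or CIDR range in the ignoreip value.

    ignoreip is the raw jail.local string, space- or comma-separated."""
    addr = ipaddress.ip_address(ip)
    for entry in ignoreip.replace(",", " ").split():
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def first_ban_time(failure_times, findtime, maxretry):
    """Return the failure timestamp (seconds) at which a jail would ban.

    Simplified model of the documented rule: ban as soon as maxretry
    failures fall inside one findtime window. Returns None if never."""
    times = sorted(failure_times)
    for i in range(maxretry - 1, len(times)):
        if times[i] - times[i - maxretry + 1] <= findtime:
            return times[i]
    return None


def next_bantime(bantime, ban_count, multipliers=None, factor=1, maxtime=None):
    """Ban length for an address already banned ban_count times before.

    With bantime.multipliers the result is bantime * factor * multipliers[count]
    (the last multiplier is reused once the list is exhausted); without a list
    the default formula doubles the time on every ban, with the exponent capped
    at 20. bantime.maxtime caps the final value."""
    if multipliers:
        idx = ban_count if ban_count < len(multipliers) else -1
        result = bantime * factor * multipliers[idx]
    else:
        result = bantime * (1 << min(ban_count, 20)) * factor
    if maxtime is not None:
        result = min(result, maxtime)
    return int(result)


def ban_schedule(bantime, multipliers, maxtime, bans):
    """Ban lengths (seconds) for the first `bans` bans of one repeat offender."""
    return [next_bantime(bantime, n, multipliers, 1, maxtime) for n in range(bans)]


if __name__ == "__main__":
    # Constructed values mirroring the guide's settings.
    ignoreip = "127.0.0.1/8 ::1 192.168.5.0/24"
    for ip in ("127.0.0.1", "192.168.5.20", "203.0.113.7"):
        print(f"{ip:>14} ignored: {is_ignored(ip, ignoreip)}")

    # Five failures 90 seconds apart: the fifth lands inside findtime = 10m.
    failures = [0, 90, 180, 270, 360]
    print("ban triggers at t =", first_ban_time(failures, str2seconds("10m"), 5))

    # bantime = 1h with the stock multipliers and a one week cap.
    sched = ban_schedule(str2seconds("1h"), [1, 2, 4, 8, 16, 32, 64],
                         str2seconds("1w"), 9)
    print("ban lengths in hours:", [s // 3600 for s in sched])
```

Run it as is to see the stock progression (1, 2, 4, 8, 16, 32, 64, 64, 64 hours), then swap in your own bantime, multipliers and maxtime to see how long a persistent attacker stays out on the nth return.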

E-Mail set up with Fail2ban

You can set an e-mail address for Fail2ban to send reports to. The stock default is action = %(action_)s, which only bans. Changing it to action = %(action_mw)s bans the offending IP and also e-mails you a whois report on it; action_mwl additionally includes the log lines that triggered the ban.

Other actions in the action.d folder report outward rather than to you, for example complain.conf, which e-mails the abuse contact registered for the attacker's network, or abuseipdb.conf. Use these with extreme caution or not at all: the reports disclose which server the attacker tripped, and a mis-tuned filter will flood third parties with complaints about innocent addresses. If you do use them, restrict them to high-confidence jails.

Example below:

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = admin@example.com

# Sender e-mail address used solely for some actions
sender = fail2ban@example.com


By default the mail actions deliver through the sendmail command (mta = sendmail). If your system provides the mail command instead, change the setting to:

mta = mail

Either way a working MTA (postfix, msmtp or similar) must be installed and able to send mail; otherwise the notification commands fail and the error shows up in /var/log/fail2ban.log, while the ban itself still takes effect.

Fail2ban Jails

Next, we come to the jails. Fail2ban ships pre-defined jails whose filters and actions were written by the community and cover many popular server applications. You can write custom jails or find external ones on gists and community sites; this guide sets up jails from the stock package.

Every jail in jail.local looks like the example below. Notice that none of them carries enabled = true, so apart from sshd, which the Debian drop-in enables, nothing is active until you enable it.

Example below:

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

So if we run an Apache 2 HTTP server and want to filter and ban bad bots, all we need to do is add enabled = true, as in the example below. Make sure the logpath variable actually points at your log: %(apache_access_log)s expands to /var/log/apache2/*access.log on Debian.

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Notice that maxretry is 1 and bantime is 48h: a single bad-bot request is enough, and the 48 hour ban is this jail's own value, overriding the defaults, and still grows with the ban multipliers set up earlier for repeat offenders. Jails that do not set their own values inherit the defaults; you can add them to any jail, for example:

[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s

can become:

[apache-noscript]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
bantime = 1d
maxretry = 3

If you want a jail to run actions other than the default set in jail.local, look in /etc/fail2ban/action.d. Each action file documents its parameters at the top. Never rename or edit those .conf files; put credentials and overrides in a matching .local file (for example action.d/cloudflare.local) or pass them inline as action parameters. The action is then listed in the jail under the action key, one action per line, with continuation lines indented. Note that action_mw is not an action name but a variable from jail.conf that expands into "ban with %(banaction)s and mail a whois report", so it is referenced through action, not banaction:

[apache-botsearch]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
action   = %(action_mw)s
           cloudflare
bantime  = 72h
maxretry = 1

The first action line bans through your banaction and e-mails you the whois report; the second, if you use Cloudflare, also blocks the address at Cloudflare's edge. The cloudflare action needs your Cloudflare account and API token before it can do anything; read /etc/fail2ban/action.d/cloudflare.conf for the parameter names and put the values in cloudflare.local.

Once you are happy with your set-up, restart Fail2ban to load the new jails. Running sudo fail2ban-client -t first checks that the configuration parses; a syntax error in jail.local otherwise leaves the service failed after the restart.

sudo systemctl restart fail2ban

Examples of using Fail2ban-client

Now that Fail2ban is up and running, you need a few basic operating commands, all issued through fail2ban-client, which talks to the running daemon. You will normally need sudo, because the client connects to a socket owned by root. The status and status <jail> subcommands list the active jails and, per jail, the addresses currently banned; the examples below act on the apache-botsearch jail.

Ban an IP address:

sudo fail2ban-client set apache-botsearch banip <ip address>

Unban an IP address:

sudo fail2ban-client set apache-botsearch unbanip <ip address>

To bring up the help menu, which lists the remaining subcommands and their arguments:

sudo fail2ban-client -h

Install UFW (Uncomplicated Firewall)

By default, Debian does not come with UFW. For users that would prefer to use UFW with Fail2ban, follow the steps below.

First, install UFW:

sudo apt install ufw -y

Next, verify the installation and build:

sudo ufw version

Example output:

ufw 0.36
Copyright 2008-2015 Canonical Ltd.

Now activate the firewall and enable it at boot. Before you do, allow your SSH port (on Debian, ufw allow OpenSSH uses the application profile shipped with openssh-server), because UFW's default policy denies incoming connections and enabling it on a remote server without that rule locks you out:

sudo ufw enable

Example output:

Firewall is active and enabled on system startup

Next, set banaction to ufw so that bans are inserted as UFW rules instead of through the default iptables-multiport action (action.d also contains nftables-multiport if you manage the firewall with nftables directly):

Example from:

[apache-botsearch]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
bantime = 72h
maxretry = 1

Example to:

[apache-botsearch]
enabled = true
port     = http,https
logpath  = %(apache_error_log)s
banaction = ufw
bantime = 72h
maxretry = 1

The new line banaction = ufw changes the firewall action for this jail; to switch every jail to UFW, put the same line in the [DEFAULT] section instead. banaction names a single firewall action, so to ban through UFW and also push the address to Cloudflare's firewall and report it to AbuseIPDB, keep banaction = ufw and list the extra actions under action, one per line with continuation lines indented. The %(action_)s line is the default ban-only action, which expands to your banaction; the API key below is a placeholder to replace with your own, and category 21 is AbuseIPDB's "Web App Attack":

[apache-botsearch]
enabled   = true
port      = http,https
logpath   = %(apache_error_log)s
banaction = ufw
action    = %(action_)s
            cloudflare
            abuseipdb[abuseipdb_category="21", abuseipdb_apikey="YOUR-ABUSEIPDB-KEY"]
bantime   = 72h
maxretry  = 1

The Cloudflare credentials go in action.d/cloudflare.local as described above. A list of premade actions can be found in /etc/fail2ban/action.d; each file documents its basic setup and use case in its header.

To view the IP addresses banned, use the following UFW command:

sudo ufw status verbose

Example output:

Anywhere                   REJECT      <IP ADDRESS>               # by Fail2Ban after 1 attempts against apache-botsearch

UFW is rejecting the address after the Fail2ban ufw action banned it on the apache-botsearch jail after one attempt. This is only an example of Fail2ban working in a live environment; tune the jails and retry counts to suit your own traffic.

Note: do not unban addresses directly in UFW. Fail2ban keeps its own ban list, so a rule deleted with ufw delete leaves the jail believing the address is still banned; the two fall out of sync and the scheduled unban later fails against a missing rule. Always unban through fail2ban-client, which removes the rule and clears the jail's record together.

Update Fail2ban

Fail2ban releases do not come out often, so you will not see significant changes weekly or even monthly. Updating Fail2ban is the same process as checking your Debian system for updates; on a stable release it mostly brings security and bug fixes to the packaged 0.11.2.

First, use the apt update command:

sudo apt update

Secondly, if an update is available, apt upgrade installs it together with any other pending upgrades, or, if you prefer to upgrade only Fail2ban, use the following:

sudo apt upgrade fail2ban

Uninstall Fail2ban

If you no longer require Fail2ban, remove it from your system with the following command:

sudo apt autoremove fail2ban --purge

Type Y, then press Enter to proceed with the removal.

Note that --purge also removes the package's configuration and autoremove drops any unused dependencies that were installed with Fail2ban, for a complete removal. Copy jail.local and any other .local files elsewhere first if you might want them again. The firewall rules Fail2ban added are withdrawn when the service stops, so any address it was blocking is unblocked at that point.

Monitoring Fail2ban Logs

A common mistake is to set up jails and walk away without testing or monitoring what they actually do. Reviewing the log is essential; Fail2ban writes it to /var/log/fail2ban.log by default (the logtarget setting in /etc/fail2ban/fail2ban.conf). Each Found line shows a filter match, each Ban or Unban line shows an action taken, and errors from action commands, such as a missing MTA or a failed UFW call, appear here too.

On a server receiving decent traffic, a good way to watch it live and spot issues while you work on other servers is the tail -f command below.

sudo tail -f /var/log/fail2ban.log

The command can come in handy for spot-checking without having to dive into logging.
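As an added example, not code from the article or from the Fail2ban project, here is a small Python summariser for fail2ban.log that turns the Ban, Unban and Found lines into a per-jail view: how many bans each jail issued, which addresses are banned right now, and which addresses keep coming back (the ones bantime.increment is meant for). The log lines embedded in it are constructed in the 0.11 log layout rather than captured from a real host; pass the path of /var/log/fail2ban.log on the command line to run it against the real thing.

```python
# Added example: summarise /var/log/fail2ban.log per jail.
# Not part of Fail2ban; it only reads the daemon's own log lines.
import re
from collections import Counter, defaultdict

# Matches the 0.11 log layout:
# "<date> <time>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <Event> <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"fail2ban\.\w+\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<event>Restore Ban|Ban|Unban|Found|Ignore)\s+(?P<ip>\S+)"
)

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
2021-10-05 12:00:01,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2021-10-05 12:00:01
2021-10-05 12:00:02,102 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2021-10-05 12:00:02
2021-10-05 12:00:03,103 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-10-05 12:03:10,104 fail2ban.filter         [812]: INFO    [apache-badbots] Found 198.51.100.9 - 2021-10-05 12:03:10
2021-10-05 12:03:11,105 fail2ban.actions        [812]: NOTICE  [apache-badbots] Ban 198.51.100.9
2021-10-05 12:10:03,106 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2021-10-05 12:12:40,107 fail2ban.filter         [812]: INFO    [sshd] Ignore 192.168.5.5 by ip
2021-10-05 12:15:00,108 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-10-05 12:15:30,109 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7 - 2021-10-05 12:15:30
"""


def parse_log(lines):
    """Yield (jail, event, ip) for every ban-related line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("jail"), m.group("event"), m.group("ip")


def summarize(lines):
    """Per-jail ban counts, addresses still banned (a Ban with no later Unban)
    and addresses banned more than once. A "Restore Ban" after a service
    restart re-applies an existing ban, so it counts as banned but not as a
    new ban."""
    bans = Counter()
    currently = defaultdict(set)
    per_ip = Counter()
    for jail, event, ip in parse_log(lines):
        if event == "Ban":
            bans[jail] += 1
            per_ip[(jail, ip)] += 1
            currently[jail].add(ip)
        elif event == "Restore Ban":
            currently[jail].add(ip)
        elif event == "Unban":
            currently[jail].discard(ip)
    repeat = defaultdict(set)
    for (jail, ip), n in per_ip.items():
        if n > 1:
            repeat[jail].add(ip)
    return {
        "bans": dict(bans),
        "currently_banned": dict(currently),
        "repeat_offenders": dict(repeat),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /var/log/fail2ban.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = summarize(fh)
    else:
        report = summarize(SAMPLE_LOG.splitlines())
    for jail, n in sorted(report["bans"].items()):
        print(f"[{jail}] bans={n} "
              f"now_banned={sorted(report['currently_banned'].get(jail, ()))} "
              f"repeat={sorted(report['repeat_offenders'].get(jail, ()))}")
```

On the sample data sshd shows two bans of the same address with one still active, which is exactly the pattern the ban time increment is for; on a real log, a jail with many bans but few repeat offenders is usually a sign its maxretry is too low or its filter too broad.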

Comments and Conclusion

The tutorial has shown you the basics of installing Fail2ban on Debian 11 Bullseye and setting up some jails with the available filters. Fail2ban is a potent tool that can be configured in many more ways than shown here; this is only a starting point. It is actively developed and a solid choice to deploy on any internet-facing server, where brute-force attempts are constant.


