Fail2Ban simple config for SSH

Introduction

Fail2Ban is software that scans log files and can ban IP addresses, for example those with too many failed login attempts. A ban is done by updating the system firewall rules to reject connections from those IP addresses for a configurable amount of time. This functionality is really useful for protecting your server from brute force attacks. In this article we will look at how to protect one of the most important services, SSH, using Fail2Ban.

OS used: Debian 12
Software used: fail2ban 1.0.2

Packages installation

First you need to install the fail2ban package:

# apt install fail2ban

Enabling firewall

Fail2Ban requires an active firewall to function properly.

Info

Debian 12's default firewall is nftables, a newer replacement for iptables. iptables is still available in the Debian repository. This tutorial covers Fail2Ban with nftables.

Install the nftables package if it is not already installed:

# apt install nftables

Enable and start the firewall:

# systemctl enable nftables && \
  systemctl start nftables

Check that the firewall is running:

# systemctl status nftables

Configuration for SSH

Fail2Ban is enabled after installation. You can check this with the command:

# systemctl status fail2ban.service

In order to block SSH brute force logins you need to change the Fail2Ban configuration, because by default it uses the syslog log backend, while Debian 12 by default uses the systemd journal as its log backend. We will change the configuration by creating a new config file with the following parameters:

# vim /etc/fail2ban/jail.d/sshd.local
/etc/fail2ban/jail.d/sshd.local
[sshd]
backend = systemd

Restart the fail2ban service after the configuration change (the command restarts the service, waits, and checks the service status):

# systemctl restart fail2ban && \
  sleep 5 && \
  systemctl status fail2ban

Check the status of the sshd jail:

# fail2ban-client status sshd

Optional Fail2Ban parameters

If you want, you can add other parameters to your liking in /etc/fail2ban/jail.d/sshd.local:

/etc/fail2ban/jail.d/sshd.local
[sshd]
backend = systemd
bantime  = 60m
findtime  = 5m
maxretry = 3
  • bantime - sets the time for which a client is banned after it fails to authenticate correctly.
  • maxretry - sets the number of failed authentication attempts allowed for a client within the time window defined by findtime before it is banned.
  • bantime, findtime - accept the following units:
    • no suffix - seconds
    • m - minutes
    • h - hours
    • d - days
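As an added example that is not part of the original article, the Python script below parses a jail.d .local file like the one above, converts bantime and findtime to seconds using exactly the suffix rules listed, and flags a jail that does not use the systemd backend on a journald host. The fallback values used when an option is absent are assumed to match fail2ban's shipped jail.conf defaults and are not taken from this page; the sample config is constructed inline.

```python
import configparser
import re

# Constructed copy of the /etc/fail2ban/jail.d/sshd.local shown in the article.
SAMPLE_JAIL = """\
[sshd]
backend = systemd
bantime  = 60m
findtime  = 5m
maxretry = 3
"""

# Suffixes accepted by bantime/findtime: no suffix = seconds, m, h, d.
SUFFIX_SECONDS = {"": 1, "m": 60, "h": 3600, "d": 86400}
DURATION_RE = re.compile(r"^\s*(\d+)\s*([mhd]?)\s*$")


def parse_duration(value: str) -> int:
    """Convert a Fail2Ban duration such as '60m', '2h', '1d' or '300' to seconds."""
    match = DURATION_RE.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    number, suffix = match.groups()
    return int(number) * SUFFIX_SECONDS[suffix]


def load_jail(text: str, jail: str = "sshd") -> dict:
    """Parse one jail section and return its settings with durations in seconds."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    section = parser[jail]
    # Fallbacks are assumed jail.conf defaults (backend auto, 10m, 10m, 5 retries).
    return {
        "backend": section.get("backend", "auto"),
        "bantime": parse_duration(section.get("bantime", "10m")),
        "findtime": parse_duration(section.get("findtime", "10m")),
        "maxretry": section.getint("maxretry", 5),
    }


def check_jail(settings: dict) -> list:
    """Return findings for a Debian 12 host, where sshd logs only to journald."""
    findings = []
    if settings["backend"] != "systemd":
        findings.append("backend is not 'systemd'; journald login failures will not be seen")
    return findings


if __name__ == "__main__":
    jail = load_jail(SAMPLE_JAIL)
    print(jail, check_jail(jail) or "no findings")
```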

Restart fail2ban to apply the configuration changes:

# systemctl restart fail2ban

Fail2Ban should now be working, and it's time to test it.

Testing Fail2Ban

Try to connect to the host protected by Fail2Ban using a valid user name but a wrong password:

$ ssh user_name@server_name

Perform more unsuccessful login attempts than the number allowed in the Fail2Ban config file. The message should change from Permission denied to Connection refused. This signals that you have been banned from the server by Fail2Ban.

On the server running Fail2Ban, check the firewall rules and you will see a Fail2Ban chain whose name starts with f2b. It contains a line with the blocked IP address:

# nft list ruleset
(...)
table ip filter {
    chain f2b-sshd {
        ip saddr <blocked_IP_address_here> counter packets xx bytes xxx reject
        counter packets xx bytes xxx return
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
        meta l4proto tcp tcp dport 22 counter packets xx bytes xxx jump f2b-sshd
    }
}

Check the Fail2Ban log file to see the ban actions:

# vim /var/log/fail2ban.log