Fail2ban, as its name suggests, is a utility that helps protect Linux machines from brute-force attacks on ports that have to stay open, the SSH port above all. Such ports cannot simply be closed with a firewall without losing remote management, so Fail2ban is a useful supplement to the firewall: it watches the service logs and temporarily bans source addresses that keep failing to authenticate.
In this article, I will show you how to install and configure Fail2ban to protect the SSH port, the most common attack target, on a Vultr Debian 9 server instance.
Prerequisites
- A fresh Debian 9 (Stretch) x64 server instance.
- Logged in as root.
- All unused ports have been blocked with proper IPTables rules.
Step 1: Update the system
apt update && apt upgrade -y
shutdown -r now
After the system boots up, log back in as root.
Step 2: Modify the SSH port (Optional)
Since the default SSH port number 22 is too popular to ignore, changing it to a lesser-known port number, say 38752, cuts down the noise from automated scanners. This is obscurity rather than a security boundary, so it does not replace Fail2ban or key-based authentication. To avoid locking yourself out, keep your current session open, allow the new port in IPTables first, then move sshd, and only drop port 22 after a fresh login on the new port has succeeded:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 38752 -j ACCEPT
sed -i "s/#Port 22/Port 38752/g" /etc/ssh/sshd_config
systemctl restart sshd.service
iptables -A INPUT -p tcp --dport 22 -j DROP
Two notes on these commands. The sed expression matches the commented-out "#Port 22" line of the stock Debian 9 sshd_config; confirm the edited file is valid with sshd -t before restarting (on Debian the unit is ssh.service, and sshd.service is an alias for it). IPTables evaluates rules in order and stops at the first match, so if an earlier rule in the INPUT chain already accepts port 22, the appended DROP never fires; delete that older ACCEPT rule (iptables -D) before relying on the DROP.
Save the updated IPTables rules to a file for persistence purposes:
iptables-save > /etc/iptables.up.rules
touch /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables
echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables
In this fashion, the IPTables rules are restored before the network interfaces come up on every boot (the iptables-persistent package does the same job if you prefer a packaged solution). From now on, you will need to log in on port 38752.
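Because IPTables stops at the first matching rule, appending a DROP for port 22 does nothing if an ACCEPT for port 22 already sits earlier in the INPUT chain. The shell functions below are an added example written for this article, not code from the original page or from the iptables project: they read the text that iptables -S INPUT prints, report the verdict a new TCP connection to a given port would receive, and check that the old SSH port is dropped and the new one accepted. The two rule dumps are constructed sample data. The model only considers rules of the form "--dport N -j TARGET" and ignores source and interface matches, multiport and conntrack rules, so treat it as a sanity check rather than a full simulation of the chain.

```shell
#!/bin/sh
# Added example for the "modify the SSH port" step (not code from the original
# article). Models IPTables first-match semantics on the output of
# `iptables -S INPUT`. Simplification: only "--dport N -j TARGET" rules count;
# source/interface matches, multiport and conntrack rules are ignored.

# first_verdict_for_port RULES PORT
#   RULES is the text of `iptables -S INPUT`. Prints the target of the first
#   rule whose --dport equals PORT, or the chain policy if no rule matches.
first_verdict_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" { policy = $3 }               # "-P INPUT <POLICY>"
        $1 == "-A" {
            for (i = 1; i < NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) {
                    for (j = i; j < NF; j++) {
                        if ($j == "-j") { print $(j + 1); matched = 1; exit }
                    }
                }
            }
        }
        END { if (!matched) print policy }       # nothing matched: policy applies
    '
}

# ssh_move_ok RULES OLDPORT NEWPORT
#   Succeeds only when the old SSH port is dropped and the new one accepted.
ssh_move_ok() {
    [ "$(first_verdict_for_port "$1" "$2")" = "DROP" ] &&
    [ "$(first_verdict_for_port "$1" "$3")" = "ACCEPT" ]
}

# Constructed sample chain: a pre-existing ACCEPT for port 22 sits before the
# DROP appended in the article, so the DROP is shadowed and never fires.
RULES_SHADOWED='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 38752 -j ACCEPT'

# The same chain after `iptables -D INPUT -p tcp --dport 22 -j ACCEPT`.
RULES_FIXED='-P INPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 38752 -j ACCEPT'

for name in RULES_SHADOWED RULES_FIXED; do
    eval "rules=\$$name"
    old=$(first_verdict_for_port "$rules" 22)
    new=$(first_verdict_for_port "$rules" 38752)
    if ssh_move_ok "$rules" 22 38752; then
        echo "$name: ok (22 -> $old, 38752 -> $new)"
    else
        echo "$name: NOT ok (22 -> $old, 38752 -> $new)"
    fi
done
```

On the live server, run first_verdict_for_port "$(iptables -S INPUT)" 22 after Step 2: if it prints anything other than DROP, an earlier rule is still accepting the old port.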
Step 3: Install and configure fail2ban to protect SSH
Use apt to install the stable version of Fail2ban, which on Debian 9 is 0.9.x:
apt install fail2ban -y
After the installation, the Fail2ban service will start automatically. You can use the following command to show its status:
service fail2ban status
On Debian, the default Fail2ban jail settings (which jails are enabled, their ports, log paths and thresholds) live in /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf; the filters that actually match log lines are separate files under /etc/fail2ban/filter.d/. Fail2ban reads jail.conf first, then jail.d/*.conf, then jail.local, then jail.d/*.local, with later files overriding earlier ones, so settings in defaults-debian.conf override the corresponding settings in jail.conf.
Use the following commands to view more details:
less /etc/fail2ban/jail.conf
cat /etc/fail2ban/jail.d/defaults-debian.conf
fail2ban-client status
fail2ban-client status sshd
For reference, the SSH-related excerpts are listed below:
In /etc/fail2ban/jail.conf
:
[DEFAULT]
bantime = 600
...
maxretry = 5
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
In /etc/fail2ban/jail.d/defaults-debian.conf
:
[sshd]
enabled = true
Since the contents of the two config files above may change in future package updates, keep your own jail settings in a separate local file. Files ending in .local are read after the .conf files, so the settings in this file override the corresponding settings in the two files above (the conventional location is /etc/fail2ban/jail.local; a .local file in jail.d works the same way).
vi /etc/fail2ban/jail.d/jail-debian.local
Input the following lines:
[sshd]
port = 38752
maxretry = 3
Note: Be sure to use your own SSH port. Apart from port and maxretry above, all other settings keep their default values (bantime and findtime are both 600 seconds in jail.conf). The option name must be maxretry: a misspelling such as maxentry is not a recognised option, and the default of 5 would stay in effect.
Save and quit:
:wq
Restart the Fail2ban service in order to load the new configuration:
service fail2ban restart
Our setup is complete. From now on, any IP that fails SSH authentication on the Debian server's custom port (38752) three times within the findtime window (600 seconds by default) is banned for 600 seconds, via a firewall rule that Fail2ban inserts and later removes. You can list current bans with fail2ban-client status sshd and lift one early with fail2ban-client set sshd unbanip followed by the IP address.
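To see what maxretry and findtime actually do together, here is an added example, written for this article rather than taken from the original page or from the Fail2ban project: a small POSIX shell and awk model of the sshd jail's counting. It reads sshd "Failed password" lines, keeps a sliding window of failures per source IP, and prints each IP at the moment it reaches maxretry failures within findtime seconds, which is when Fail2ban would ban it. The log lines are constructed sample data, with the timestamp given as seconds since the epoch instead of a syslog date to keep the arithmetic simple; the counting rule is the same one Fail2ban applies to /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not code from the original article or the Fail2ban project):
# a model of how a jail turns failed logins into bans. Log lines are constructed
# sample data of the form "<epoch> sshd[pid]: Failed password for ... from <ip> ..."

# would_ban MAXRETRY FINDTIME < log
#   Prints each source IP (once) as soon as it has MAXRETRY failures within the
#   last FINDTIME seconds, i.e. the point at which Fail2ban would ban it.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /Failed password for/ && match($0, /from [0-9.]+/) {
            ip = substr($0, RSTART + 5, RLENGTH - 5)   # strip the "from " prefix
            t  = $1 + 0                                # constructed epoch timestamp
            if (ip in banned) next                     # already banned, ignore
            if (!(ip in head)) head[ip] = 1
            n[ip]++
            ts[ip, n[ip]] = t
            # discard failures that have fallen out of the findtime window
            while (head[ip] <= n[ip] && ts[ip, head[ip]] <= t - findtime) head[ip]++
            if (n[ip] - head[ip] + 1 >= maxretry) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed sample log: 203.0.113.5 fails three times within 30 s,
# 192.0.2.77 fails three times but about 11 minutes apart, 198.51.100.9 fails once.
SAMPLE_LOG='1500000000 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
1500000010 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
1500000020 sshd[1003]: Accepted publickey for deploy from 198.51.100.9 port 50000 ssh2
1500000030 sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
1500000040 sshd[1005]: Failed password for root from 192.0.2.77 port 41000 ssh2
1500000700 sshd[1006]: Failed password for root from 192.0.2.77 port 41001 ssh2
1500001400 sshd[1007]: Failed password for root from 192.0.2.77 port 41002 ssh2
1500001410 sshd[1008]: Failed password for root from 198.51.100.9 port 50001 ssh2'

# bans_for MAXRETRY FINDTIME: run the model over the sample log
bans_for() { printf '%s\n' "$SAMPLE_LOG" | would_ban "$1" "$2"; }

echo "maxretry=3 findtime=600  -> $(bans_for 3 600 | tr '\n' ' ')"
echo "maxretry=5 findtime=600  -> $(bans_for 5 600 | tr '\n' ' ')"
echo "maxretry=3 findtime=2000 -> $(bans_for 3 2000 | tr '\n' ' ')"
```

The article's setting (maxretry 3 with the default findtime of 600) bans only 203.0.113.5; the slow attacker 192.0.2.77 is never caught until findtime is widened to cover its spacing, which is the trade-off to keep in mind when tuning the two values. On a real server, fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf shows which lines the real sshd filter matches, and fail2ban-client status sshd lists the addresses currently banned.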