Skip to content

fail2ban

Protect SSH with fail2ban on Debian

Installation

Install the package.

sh
sudo apt update
sudo apt install -y fail2ban

Configuration

Create a copy of the default configuration file.

sh
sudo vim /etc/fail2ban/jail.local

WARNING

If you change SSH port, you need to update the configuration file in the [sshd] section.

sh
[sshd]
port = <port>
/etc/fail2ban/jail.local
sh
[DEFAULT]
maxretry = 5 # maximum number of retries before a host gets banned
bantime = 3600 # in seconds, 1 hour
findtime = 10m # 10 minutes

; destemail = votre.email@example.com
; sender = fail2ban@example.com
; mta = sendmail
; action = %(action_mwl)s

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/fail2ban.log

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables[name=HTTPAuth, port=http, protocol=tcp]
logpath = /var/log/nginx/error.log
maxretry = 3

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
action = iptables[name=BotSearch, port=http, protocol=tcp]
logpath = /var/log/nginx/access.log
maxretry = 2
/etc/fail2ban/jail.local

Check if /var/log/fail2ban.log exists.

sh
sudo rm /var/log/fail2ban.log
sudo touch /var/log/fail2ban.log

Remove optional IPv6 support.

sh
sudo vim /etc/fail2ban/fail2ban.local
sh
[Definition]
allowipv6 = no

Plex

If you use Plex, you need to add the following configuration.

sh
sudo vim /etc/fail2ban/filter.d/plex.conf
sh
[Definition]
failregex = Plex Login failed for user .* from <HOST>
ignoreregex =
/etc/fail2ban/filter.d/plex.conf
sh
sudo vim /etc/fail2ban/jail.local
sh
[plex]
enabled = true
port = 32400
filter = plex
logpath = /var/log/plex.log
maxretry = 5
bantime = 600
/etc/fail2ban/jail.local

Enable

Enable and start the service.

sh
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check the status.

sh
sudo systemctl status fail2ban

Commands

Restart

sh
sudo systemctl restart fail2ban

Status

sh
sudo systemctl status fail2ban

Check

sh
sudo fail2ban-client status

Logs

sh
sudo tail -f /var/log/fail2ban.log

Unban

sh
sudo fail2ban-client set sshd unbanip

Check banned IPs

sh
sudo fail2ban-client status sshd

Uninstall

Stop and disable the service.

sh
sudo systemctl stop fail2ban
sudo systemctl disable fail2ban

Remove the package.

sh
sudo apt remove --purge fail2ban -y

Remove the configuration files.

sh
sudo rm -rf /etc/fail2ban
sudo rm -rf /var/log/fail2ban.log

MIT License