Install Fail2ban

Updated: 2022.11.23

Overview

Debian / Ubuntu

Fedora / Rocky / RHEL

Fail2ban is intrusion prevention software that protects your server from brute-force attacks. It monitors log files for configured patterns of malicious activity. We will set it up to monitor failed SSH password attempts. After a specified number of failed login attempts from a single IP address within a given time period, that IP address is banned from making any more connections.

Assumptions

Update

Before getting started, update package repositories.

# Debian
sudo apt update
# Fedora
sudo dnf check-update

Install Fail2ban

Install Fail2ban via your system package manager.

# Debian
sudo apt install fail2ban
# Fedora
sudo dnf install fail2ban

Enable Fail2ban so it will start on boot.

sudo systemctl enable fail2ban

Configure Jail

Create a Fail2ban configuration file to monitor SSH connection attempts.

sudo nano /etc/fail2ban/jail.local

In the file, specify the following configuration for your distribution. This configuration bans, for 25 hours, any IP address that makes 3 failed login attempts within 30 minutes. If you changed your SSH port, modify the port setting accordingly.

# Debian
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000

# Fedora
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
maxretry = 3
# 30 minute findtime
findtime = 1800
# 25 hour ban
bantime = 90000

Restart the Fail2ban service for changes to take effect.

sudo systemctl restart fail2ban
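
How maxretry, findtime and bantime from the jail above interact, as an added example that is not part of the original page and is not Fail2ban's own code. It is a simplified model run over constructed log lines; the regex, the host name, the year and the IP addresses are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Values from the jail above.
MAXRETRY = 3
FINDTIME = timedelta(seconds=1800)   # 30 minutes
BANTIME = timedelta(seconds=90000)   # 25 hours

# Simplified pattern (assumption); Fail2ban's real sshd filter covers many more messages.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port"
)

# Constructed auth.log-style lines using documentation IP ranges.
SAMPLE_LOG = """\
Nov 23 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 23 10:05:10 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40150 ssh2
Nov 23 10:06:00 host sshd[1003]: Failed password for root from 198.51.100.7 port 51000 ssh2
Nov 23 10:20:30 host sshd[1004]: Failed password for root from 203.0.113.5 port 40200 ssh2
Nov 23 10:50:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 51010 ssh2
Nov 23 11:30:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 51020 ssh2
Nov 23 11:31:00 host sshd[1007]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
"""

def find_bans(log_text, year=2022):
    """Return (ip, banned_at, banned_until) for each ban the jail would issue."""
    failures = {}      # ip -> failure times still inside the findtime window
    banned_until = {}  # ip -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if when < banned_until.get(ip, when):
            continue  # still banned: the firewall would already drop this host
        recent = [t for t in failures.get(ip, []) if when - t < FINDTIME] + [when]
        if len(recent) >= MAXRETRY:
            banned_until[ip] = when + BANTIME
            bans.append((ip, when, when + BANTIME))
            recent = []
        failures[ip] = recent
    return bans

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"{ip} banned {start} -> {end}")
```

In the sample, 198.51.100.7 also fails three times but is never banned, because its attempts are more than 30 minutes apart and each one falls out of the findtime window before the next arrives.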