Fail2ban Setup for SSH

Fail2ban is one of the most popular intrusion detection/prevention tools; it is written in Python. It watches log files such as /var/log/secure, /var/log/auth.log and /var/log/pwdfail for repeated failed login attempts.

It then uses iptables to block the offending IP addresses for a period of time that is set in its configuration file.

Here is a short tutorial on installing and configuring fail2ban on a Raspberry Pi.

1. Install fail2ban

sudo apt-get update

sudo apt-get install fail2ban

2. Setup some configuration options

The configuration file for fail2ban is /etc/fail2ban/jail.conf.

Modify the configuration file as needed. Here are some settings.

[DEFAULT]

ignoreip = 127.0.0.1/8
bantime  = 600
# Default is 3. I increased it.
maxretry = 6

Fail2ban does not actually require the port number here; if your SSH server listens on a non-standard port, replace 1234 with that port.

[ssh]
enabled  = true
port     = ssh, 1234
filter   = sshd
logpath  = /var/log/auth.log
# Number of retries. Again, I increased it. Default is 6.
maxretry = 10

3. Verify the setup

You can then perform the following steps to check whether fail2ban is working properly.

3.1 Check whether fail2ban is running.

sudo /etc/init.d/fail2ban status

3.2 Check if your SSH Jail is set up properly.

sudo fail2ban-client status

You should see something like this:

Status
|- Number of jail:	1
`- Jail list:		ssh

3.3 Test the sshd filter against the log file:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf