How to Install & Configure Fail2ban on Debian 10 or 11

Every server connected to the Internet is vulnerable to brute-force and virus attacks. Hackers attempt to gain access to apps accessible on ...

Every server connected to the Internet is vulnerable to brute-force and virus attacks.

Hackers attempt to gain access to apps accessible on public networks by brute-forcing them.

Fail2ban is a utility that improves the security of Linux-based machines to prevent them from automated attacks.
It scans the logs for malicious activity and allows the user to block distant IP addresses temporarily or permanently.

On a Debian 11-based system, this how-to tutorial will show you how to install, configure, and set up Fail2ban. 

How to Install & Configure Fail2ban on Debian 10 or 11

Fail2ban is available in Debian 11's default repository, making it simple to install using Debian's default package manager:

$ sudo apt install fail2ban -y 

After successful installation, the Fail2ban service should start automatically. You may check this by executing the following command:

$sudo systemctl status fail2ba

If the service is not running on your system, you can start and activate it with the following commands:

$ sudo systemctl start fail2ban 
$ ssudo systemctl enable fail2ban 

How to configure Fail2ban on Debian 10 or 11

Fail2ban includes two configuration files, both of which can be found in the /etc/fail2ban directory.
These config files have a basic configuration that should not be changed because they may be rewritten if a package update is installed.

To avoid any future headaches, we can utilise a separate.local file as a configuration file.

So, by copying the jail.conf file, we'll create a local config file:

$ sudo cp /etc/fail2ban/jail.{conf,local} 

Now, open the newly created file in a text editor:

$ sudo nano /etc/fail2ban/jail.local 

You can change the settings here to suit your needs.

You can use the ignoreip directive to exclude IP addresses from the ban list.
As an example, I've listed two different IP addresses.
Any IP address you want to whitelist can be entered here:

ignoreip = 127.0.0.15/8  192.168.1.2/24

The bantime directive can be used to specify the length of time that an IP address will be blocked. A suffix like m,d can be used to designate the time unit, which is by default seconds.

bantime = 120m

The findtime directive specifies the duration of time for the number of failures before a ban is placed. If Fail2ban is going to ban an IP after 4 failed attempts, the findtime directive defines the time interval in which the failures must occur.

findtime = 2m

The maxretry is used to define the number of failed attempts before an IP gets blacklisted.

maxretry = 5

After making all the necessary changes, you can simply just save and save the config file.

Now restart the service to let the changes take effect:

$ sudo systemctl restart fail2ban.service

Conclusion

Fail2ban allows us to set up our system so that it is more safe against brute-force attacks and other harmful activity.
It safeguards our system by examining logs and blacklisting questionable IP addresses.
These safeguards are critical, especially for systems that are connected to the internet.
We learned how to install, configure, and set up Fail2ban on Debian 11 in this tutorial.