Install fail2ban
Fail2ban is an intrusion prevention software framework.
- It bans IP addresses conducting too many failed login attempts.
Update the system:
sudo apt update && sudo apt upgrade
Install Fail2Ban
sudo apt install fail2ban
Configure Fail2Ban
The default configuration is defined in /etc/fail2ban/jail.conf.
WARNING: The default values may change with package updates, so if you want to change the settings, create a jail.local file and make your changes there.
Here are salient lines from the default configuration:
- /etc/fail2ban/jail.conf
# line 87 : ignore your own local IP
#ignoreself = true

# line 92 : possible to add ignored networks
#ignoreip = 127.0.0.1/8 ::1

# line 101 : number of seconds that a host is banned
# - 1m ⇒ 1 minute
# - 1h ⇒ 1 hour
# - 1d ⇒ 1 day
# - 1mo ⇒ 1 month
# - 1y ⇒ 1 year
bantime = 10m

# line 105 : A host is banned if it has generated "maxretry" failures during the last "findtime"
findtime = 10m

# line 108 : "maxretry" is the number of failures before a host gets banned
maxretry = 5

# line 178 : destination email address if enabling email notification
destemail = root@localhost

# line 181 : sender address if enabling email notification
sender = root@<fq-hostname>

# line 263 : default action
# - %(action_)s ⇒ ban only
# - %(action_mw)s ⇒ ban and email notification (includes Whois info)
# - %(action_mwl)s ⇒ ban and email notification (includes Whois info and logs)
action = %(action_)s
Override the default values
As root, create a /etc/fail2ban/jail.local file.
- /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1d
findtime = 5m
maxretry = 5
destemail = root@localhost
sender = root@mediaserver
Restart Fail2Ban
sudo systemctl restart fail2ban
Verify Fail2Ban
sudo systemctl status fail2ban
returns:
fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-05-30 19:38:01 UTC; 6s ago
       Docs: man:fail2ban(1)
   Main PID: 3108 (fail2ban-server)
      Tasks: 5 (limit: 154383)
     Memory: 18.8M (peak: 19.8M)
        CPU: 110ms
     CGroup: /system.slice/fail2ban.service
             └─3108 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 30 19:38:01 mediaserver systemd[1]: Started fail2ban.service - Fail2Ban Service.
May 30 19:38:02 mediaserver fail2ban-server[3108]: 2025-05-30 19:38:02,022 fail2ban.configreader [3108]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
May 30 19:38:02 mediaserver fail2ban-server[3108]: Server ready
Check the fail2ban status
sudo fail2ban-client status
returns:
Status
|- Number of jail: 1
`- Jail list: sshd
NOTE: By default, only the SSH service is enabled and monitored.
Check the fail2ban status of the sshd service
sudo fail2ban-client status sshd
returns:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
NOTE: Once actual banning starts, the totals and the Banned IP list will get updated.
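The status trees above are meant to be read by eye; a cron job or monitoring check wants them as numbers. The following Python snippet, added here as an example and not part of the original page or of fail2ban itself, parses the output of `fail2ban-client status <jail>` into a dictionary and flags jails that currently hold bans. The sample text is constructed from the vsftpd status shown further down this page; the function names and the `threshold` parameter are the example's own.

```python
import re
import subprocess
from typing import Dict, List, Union

# Constructed sample, copied from the `fail2ban-client status vsftpd`
# output shown on this page (tree drawn with "|-" and "`-" connectors).
SAMPLE_STATUS = """\
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- Journal matches: _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 1.2.3.4
"""

# Tree-drawing prefix: any run of "|", "`", "-" and blanks before the label.
_PREFIX = re.compile(r"^[\s|`-]*")

StatusDict = Dict[str, Union[str, int, List[str]]]


def parse_jail_status(text: str) -> StatusDict:
    """Turn the tree output of `fail2ban-client status <jail>` into a dict.

    Counters become ints, "Banned IP list" becomes a list of addresses and
    everything else (e.g. "Journal matches") stays a string. Group headers
    such as "Filter" and "Actions" carry no value and are skipped.
    """
    result: StatusDict = {}
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower().replace(" ", "_")
        if key == "status_for_the_jail":
            result["jail"] = value
        elif key == "banned_ip_list":
            result[key] = value.split()      # empty list when nothing is banned
        elif value.isdigit():
            result[key] = int(value)
        else:
            result[key] = value
    return result


def needs_attention(status: StatusDict, threshold: int = 1) -> bool:
    """True when the jail currently holds at least `threshold` banned hosts."""
    return int(status.get("currently_banned", 0)) >= threshold


def ban_summary(status: StatusDict) -> str:
    """One-line summary suitable for a cron mail or a monitoring check."""
    banned = status.get("banned_ip_list", [])
    return (f"jail={status.get('jail')} "
            f"failed={status.get('currently_failed', 0)}/{status.get('total_failed', 0)} "
            f"banned={len(banned)} ips={','.join(banned) or '-'}")


def live_status(jail: str) -> StatusDict:
    """Query the running server (needs root, as on the page)."""
    out = subprocess.run(["sudo", "fail2ban-client", "status", jail],
                         capture_output=True, text=True, check=True).stdout
    return parse_jail_status(out)


if __name__ == "__main__":
    parsed = parse_jail_status(SAMPLE_STATUS)
    print(ban_summary(parsed), "ATTENTION" if needs_attention(parsed) else "ok")
```

Run against the page's own sshd output (no bans yet) the parser returns an empty `banned_ip_list` and `needs_attention` is false; once the vsftpd jail has banned 1.2.3.4 it flips to true, which is the point at which an operator usually wants a notification rather than having to re-run the status command by hand.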
The actual ban action is controlled by nftables.
- Check the nft status with:
sudo nft list ruleset
To manually add banned hosts
sudo fail2ban-client set sshd banip 1.2.3.4/28
NOTE: This will ban the whole 1.2.3.4/28 network range, not just the single address 1.2.3.4.
To manually unban a host
sudo fail2ban-client set sshd unbanip 1.2.3.4
NOTE: This will unban IP 1.2.3.4.
To remove all banned hosts
sudo fail2ban-client unban --all
Have fail2ban monitor other services
By default, fail2ban only monitors sshd.
Confirm this:
ll /etc/fail2ban/jail.d
returns:
drwxr-xr-x 2 root root 4096 May 30 19:31 ./
drwxr-xr-x 6 root root 4096 May 30 19:37 ../
-rw-r--r-- 1 root root  117 Jun 10  2024 defaults-debian.conf
NOTE: This shows only a single file, named defaults-debian.conf.
View this file
most /etc/fail2ban/jail.d/defaults-debian.conf
returns:
- /etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
NOTE: This shows that the sshd service is enabled for monitoring.
- This also shows that the actual ban action is controlled by nftables.
Override the default values for a specific service
Edit the /etc/fail2ban/jail.d/defaults-debian.conf file and add the overrides to the section of the service they apply to.
- As sshd is currently the only monitored service, for now the overrides go into the [sshd] section.
- /etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
# override the default values for the sshd service
bantime = 600
findtime = 3m
maxretry = 5
action = %(action_mw)s
Enable the new changes
Reload fail2ban to enable the changes.
sudo systemctl reload fail2ban
Check what other services could be monitored by fail2ban
grep '^\[' /etc/fail2ban/jail.conf | tail -n +3
returns:
[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[openhab-auth]
[nginx-http-auth]
[nginx-limit-req]
[nginx-botsearch]
[nginx-bad-request]
[php-url-fopen]
[suhosin]
[lighttpd-auth]
...
To monitor another service
Create a new file under /etc/fail2ban/jail.d/ for the specific service.
For example, to monitor Vsftpd, create a new file /etc/fail2ban/jail.d/vsftpd.conf and populate with:
- /etc/fail2ban/jail.d/vsftpd.conf
[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s
NOTE:
- [vsftpd] is the name of the jail, one of the services that fail2ban can monitor (see the list above).
- The actual name of the file under /etc/fail2ban/jail.d/ is irrelevant and can be anything; it is the contents of the file that are used.
Enable the new changes
Reload fail2ban to enable the new service to be monitored.
sudo systemctl reload fail2ban
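The three override files on this page (jail.local, the [sshd] block in jail.d/defaults-debian.conf, and jail.d/vsftpd.conf) all feed one merged configuration, and it is easy to misjudge which value wins. The following Python script, added here as an example and not part of the original page or of fail2ban itself, models how fail2ban layers those files (jail.conf, then jail.d/*.conf in sorted order, then jail.local, then jail.d/*.local) and reports the settings each enabled jail ends up with. The embedded file contents are constructed from the snippets on this page, trimmed to the keys they mention; the `mta`, `banaction` and `action_` chain is a hypothetical minimal stand-in for the real jail.conf definitions, and the month and year conversion constants are assumed to match fail2ban's own `str2seconds` (check them against your version).

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the files edited on this page. The real jail.conf is
# far longer; only the keys the page discusses are kept, plus a minimal action_
# chain so that %(action_mw)s can be expanded (hypothetical simplification).
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 10m
findtime = 10m
maxretry = 5
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
banaction = iptables-multiport
action_ = %(banaction)s
action_mw = %(action_)s %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s"]
action = %(action_)s

[sshd]
port = ssh

[dropbear]
port = ssh

[vsftpd]
port = ftp
"""
JAIL_D_DEFAULTS_DEBIAN = """\
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
bantime = 600
findtime = 3m
maxretry = 5
action = %(action_mw)s
"""
JAIL_D_VSFTPD = """\
[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s
"""
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1d
findtime = 5m
maxretry = 5
destemail = root@localhost
sender = root@mediaserver
"""
# fail2ban reads jail.conf, then jail.d/*.conf (sorted), then jail.local, then
# jail.d/*.local; a later file overrides the same key in the same section.
LAYERED_SOURCES: List[Tuple[str, str]] = [
    ("jail.conf", JAIL_CONF),
    ("jail.d/defaults-debian.conf", JAIL_D_DEFAULTS_DEBIAN),
    ("jail.d/vsftpd.conf", JAIL_D_VSFTPD),
    ("jail.local", JAIL_LOCAL),
]

# Suffixes listed on the page plus bare seconds. mo/y use a 365.25-day year,
# assumed to match fail2ban's str2seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "mo": 2629800, "y": 31557600}
_TIME_RE = re.compile(r"^\s*(\d+)\s*([a-z]*)\s*$")


def to_seconds(value: str) -> int:
    """Convert a bantime/findtime value such as '10m' or '600' to seconds."""
    m = _TIME_RE.match(value.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_layered(sources: List[Tuple[str, str]]) -> configparser.ConfigParser:
    """Merge the sources in order; %(name)s references resolve as in fail2ban."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for _name, text in sources:
        cp.read_string(text)
    return cp


def enabled_jails(cp: configparser.ConfigParser) -> List[str]:
    """Jails that would show up in `fail2ban-client status` after a reload."""
    return sorted(j for j in cp.sections() if cp[j].getboolean("enabled", fallback=False))


def effective_settings(cp: configparser.ConfigParser, jail: str) -> Dict[str, object]:
    """Settings applied to one jail: a section value beats [DEFAULT], whatever file set it."""
    sec = cp[jail]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        "bantime": to_seconds(sec["bantime"]),
        "findtime": to_seconds(sec["findtime"]),
        "maxretry": sec.getint("maxretry"),
        "action": sec["action"],
        "backend": sec.get("backend", "auto"),
    }


if __name__ == "__main__":
    cfg = load_layered(LAYERED_SOURCES)
    for jail in enabled_jails(cfg):
        print(jail, effective_settings(cfg, jail))
```

The run shows the trap this page's configuration sets: jail.local raises the global bantime to 1d, but sshd still gets 600 seconds because the section-level value in jail.d/defaults-debian.conf takes precedence over any [DEFAULT], while vsftpd, which sets no bantime of its own, inherits the full day. On the server itself, `sudo fail2ban-client get sshd bantime` shows what the running server resolved for one jail, and `sudo fail2ban-client -d` dumps the whole merged configuration.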
Check the fail2ban-client status
sudo fail2ban-client status
returns:
Status
|- Number of jail: 2
`- Jail list: sshd, vsftpd
Verify settings for the new service being monitored
sudo fail2ban-client status vsftpd
returns:
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- Journal matches: _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 1.2.3.4