How to Setup Fail2Ban on RPi
Fail2Ban is an amazing piece of software when it comes to security and protecting your RPi. Even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files and watches for malicious connections, proactively blocking them.
Fail2Ban becomes an active, almost real-time, learning form of defense. Think of it as a “poor man’s” Intrusion Protection System (IPS). It will notice any unusual activity, like multiple failed login attempts or exploit scans, and automatically update your firewall rules to ban that IP address.
While it’s not a true IPS, it comes close enough and is very helpful for the average person. I would not advise using it as a front-line, or rather a singular, defense within a company, but it would likely suffice for home use. That’s not to say it should not or could not be used by companies; I only want to clarify that in a company environment it should be one layer among multiple defenses.
So now that we know what Fail2Ban is… Let’s get started setting it up.
While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not necessarily needed if you are running a VPN. It won’t hurt to have it installed… If you have a secure VPN set up, you don’t/shouldn’t even need to have SSH exposed to the Internet. See my article about setting up PiVPN.
Let’s begin by updating your RPi with the following commands.
sudo apt update
sudo apt upgrade
Now that your RPi is updated, let’s get on with the software install.
Run the following command to install Fail2Ban, and press ‘Y’ to proceed.
sudo apt-get install fail2ban
Now Fail2Ban has changed a lot since version 0.9.x.
We want to create a “jail.local” file and edit it with the following command.
sudo nano /etc/fail2ban/jail.local
You’ll want to copy/paste the info below:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# Ban hosts for two days:
bantime = 172800
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s
- ignoreip: This option lets you specify IP addresses that Fail2Ban will ignore. You likely want to ignore events triggered directly on the device itself, as well as perhaps more trusted networks like your home network or your office IP address. Example:
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
- bantime: This option defines how long an IP address will be banned; the default is 10 minutes (the jail.local above sets it to 172800 seconds, i.e. two days).
- maxretry: This option defines the number of failures a host is allowed before it is banned.
- findtime: This option is used along with the ‘maxretry’ option. If a host exceeds the ‘maxretry’ value within the time period specified in ‘findtime’, it will be banned for the amount of time specified in ‘bantime’.
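To make the interplay of these four options concrete, here is an added example (not part of the original post, and not Fail2Ban’s own code) that replays the sshd jail’s logic over a handful of constructed auth.log lines: failures from an ignoreip address are never counted, three failures inside findtime trigger a ban, three failures spread wider than findtime do not, and a ban expires after bantime. The failed-login pattern is a deliberately simplified stand-in for the real filter in /etc/fail2ban/filter.d/sshd.conf, and because syslog lines carry no year, the example assumes 2024.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Jail settings taken from the [sshd] section of the jail.local above.
MAXRETRY = 3
FINDTIME = 600        # seconds
BANTIME = 172800      # seconds (two days)
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.1.0/24"]

# Simplified stand-in for fail2ban's sshd failregex (the real filter covers many more message forms).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
Jan 10 12:00:01 rpi sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 12:00:05 rpi sshd[2002]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 10 12:00:09 rpi sshd[2003]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Jan 10 12:00:12 rpi sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 51006 ssh2
Jan 10 12:03:00 rpi sshd[2005]: Failed password for pi from 192.168.1.20 port 40000 ssh2
Jan 10 12:03:04 rpi sshd[2006]: Failed password for pi from 192.168.1.20 port 40001 ssh2
Jan 10 12:03:08 rpi sshd[2007]: Failed password for pi from 192.168.1.20 port 40002 ssh2
Jan 10 12:10:00 rpi sshd[2008]: Failed password for invalid user oracle from 198.51.100.7 port 33000 ssh2
Jan 10 12:25:00 rpi sshd[2009]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Jan 10 12:40:00 rpi sshd[2010]: Failed password for invalid user oracle from 198.51.100.7 port 33002 ssh2
Jan 10 12:41:00 rpi sshd[2011]: Accepted publickey for pi from 192.168.1.20 port 40003 ssh2
Jan 12 12:01:00 rpi sshd[2012]: Failed password for invalid user git from 203.0.113.77 port 60000 ssh2
Jan 12 12:01:03 rpi sshd[2013]: Failed password for invalid user git from 203.0.113.77 port 60001 ssh2
Jan 12 12:01:06 rpi sshd[2014]: Failed password for invalid user git from 203.0.113.77 port 60002 ssh2
"""


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (address or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def simulate(lines):
    """Replay log lines through the jail rules.

    Returns (events, still_banned): events is an ordered list of
    (action, ip, timestamp) tuples for every ban/unban, still_banned the
    sorted list of IPs whose ban has not expired by the last line.
    """
    failures = {}   # ip -> timestamps of failures still inside findtime
    banned = {}     # ip -> datetime at which the ban expires
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                       # not a failed login; the filter ignores it
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        # bantime: lift any ban that has run its course by this point in the log
        for b, until in list(banned.items()):
            if now >= until:
                del banned[b]
                events.append(("unban", b, now.isoformat(" ")))
        if is_ignored(ip) or ip in banned:
            continue                       # ignoreip hosts never count; banned hosts are already blocked
        # findtime: keep only failures within the sliding window, then add this one
        window = [t for t in failures.get(ip, []) if now - t <= timedelta(seconds=FINDTIME)]
        window.append(now)
        failures[ip] = window
        # maxretry: enough failures inside the window triggers the ban
        if len(window) >= MAXRETRY:
            banned[ip] = now + timedelta(seconds=BANTIME)
            failures[ip] = []
            events.append(("ban", ip, now.isoformat(" ")))
    return events, sorted(banned)


if __name__ == "__main__":
    for action, ip, when in simulate(SAMPLE_LOG.splitlines())[0]:
        print(f"{when}  {action:5}  {ip}")
```

Running it shows only 203.0.113.5 and 203.0.113.77 being banned: 198.51.100.7 also fails three times, but fifteen minutes apart, so each failure has already fallen out of the 600-second findtime window before the next arrives, and 192.168.1.20 is never counted because it sits inside the ignoreip range. The first ban is lifted two days later when the log reaches Jan 12.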
Now save the file by pressing ‘Ctrl+X’ then ‘Y’.
To restart the Fail2Ban service (and reload our config file changes):
sudo systemctl restart fail2ban
To check the Fail2Ban status:
sudo fail2ban-client status
You’ll get output similar to this.
Status
|- Number of jail: 1
`- Jail list: sshd
To check individual jails:
sudo fail2ban-client status sshd
You’ll get output similar to this.
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
There is even more you can do with Fail2Ban: more ‘jails’ that you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good luck.