
This article was last reviewed for Debian 9 (Stretch).

Fail2ban installation and configuration (Debian, repository)

Author: Stefán Örvar Sigmundsson
Written in: English (United Kingdom)

Fail2ban is a free and open-source intrusion detection and prevention software. This article will demonstrate how to install and configure Fail2ban on Debian or its derivatives such as Ubuntu and Linux Mint.

Installation

Fail2ban can be installed from the official Debian repository using APT:

root@computer:~# apt --assume-yes install fail2ban

Configuration

A directory is created to contain the log file of Fail2ban:

root@computer:~# mkdir /var/log/fail2ban/

A file is created to contain the log for Fail2ban in a dedicated directory:

root@computer:~# touch /var/log/fail2ban/fail2ban.log

fail2ban.local

A file is created to contain the general configuration of Fail2ban:

root@computer:~# touch /etc/fail2ban/fail2ban.local

Fail2ban requires little general configuration to function.

[Definition]
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 86400
loglevel = NOTICE
logtarget = /var/log/fail2ban/fail2ban.log
pidfile = /run/fail2ban/fail2ban.pid
socket = /run/fail2ban/fail2ban.socket
syslogsocket = auto

[Definition]
Sets the configuration scope for the subsequent directives to Definition, which is the default scope for the general configuration of Fail2ban.
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
The database file of Fail2ban, which stores data (e.g. bans) persistently across reboots.
dbpurgeage = 86400
The age (in seconds) after which entries are purged from the database file of Fail2ban.
loglevel = NOTICE
The verbosity of the Fail2ban log.
logtarget = /var/log/fail2ban/fail2ban.log
The log file of Fail2ban.
pidfile = /run/fail2ban/fail2ban.pid
The PID file of Fail2ban.
socket = /run/fail2ban/fail2ban.socket
The socket file of Fail2ban.
syslogsocket = auto
The socket file of syslog. The default is auto, but it must be specified so that Fail2ban does not complain. It is not used in this configuration as logtarget is set to a file and not to SYSLOG.

jail.local

A file is created to contain the intrusion detection and prevention configuration of Fail2ban:

root@computer:~# touch /etc/fail2ban/jail.local

A jail combines a filter (what to detect in a log) with an action (what to do about it); jails are used to stop detected intruders from doing harm to the system.

[DEFAULT]
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
backend = auto
banaction = iptables-multiport
bantime = 86400
chain = INPUT
enabled = true
filter = %(__name__)s
findtime = 600
ignoreip = 127.0.0.1/8
logencoding = auto
maxretry = 3
port = 0:65535
protocol = tcp
usedns = warn

[DEFAULT]
Sets the configuration scope for the subsequent directives to DEFAULT, which applies to all jails unless a jail overrides a value.
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
The action to perform when banning; each %(...)s reference is substituted with the value of the directive of that name.
backend = auto
The method of receiving log file modification notifications.
banaction = iptables-multiport
The name of the action in the action.d directory. This directive is a variable for the action directive.
bantime = 86400
The duration of bans in seconds. This directive is a variable for the action directive.
chain = INPUT
The iptables chain into which Fail2ban hooks its ban rules. This directive is a variable for the action directive.
enabled = true
Enables the jail.
filter = %(__name__)s
The name of the filter in the filter.d directory. Jails are conventionally named after the service they monitor. Since there can only be one filter per jail, it makes sense to name the configuration scope of a jail after its filter.
findtime = 600
The window (in seconds) within which maxretry failures must occur to trigger a ban; failures older than this no longer count towards a ban.
ignoreip = 127.0.0.1/8
The IP addresses/CIDR masks/DNS hosts excluded from jails.
logencoding = auto
The character encoding of the log file.
maxretry = 3
The number of failures within findtime before banning.
port = 0:65535
The port (range) on which offenders are banned. This directive is a variable for the action directive.
protocol = tcp
The protocol on which offenders are banned. This directive is a variable for the action directive.
usedns = warn
How DNS host names found in log files are handled.

Jails can be declared in the jail.local file or in the jail.d directory.

Most servers will have an SSH server installed. The following is an example of a jail configuration:

[sshd]
logpath = /var/log/auth.log
port = 22

[sshd]
Names the jail sshd. Since filter was set to %(__name__)s in DEFAULT, the jail's name is also the name of its filter. There is a filter by the name sshd in the filter.d directory.
logpath = /var/log/auth.log
The log path of the software to monitor. The applied filter will process this log file.
port = 22
The port (range) of the software to monitor. It overrides the value set for port in DEFAULT.
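How maxretry, findtime, bantime and ignoreip interact for the sshd jail above, replayed over a constructed auth.log excerpt; this is an added Python example, not part of the original article and not Fail2ban's own code. The failregex is a simplified stand-in for the stock sshd filter, and the host names, addresses and the year 2019 are assumed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail parameters copied from the jail.local above (DEFAULT section plus [sshd]).
MAXRETRY, FINDTIME, BANTIME = 3, 600, 86400   # findtime and bantime in seconds
IGNOREIP = ["127.0.0.1/8"]
# Simplified stand-in for the stock sshd filter (assumption: only "Failed password" lines).
FAILREGEX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")
# Constructed auth.log sample; syslog timestamps carry no year, so 2019 is assumed.
SAMPLE_AUTH_LOG = [
    "Mar 4 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Mar 4 10:00:05 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "Mar 4 10:03:20 srv sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2",
    "Mar 4 10:00:10 srv sshd[1004]: Failed password for root from 127.0.0.1 port 50004 ssh2",
    "Mar 4 10:00:11 srv sshd[1005]: Failed password for root from 127.0.0.1 port 50005 ssh2",
    "Mar 4 10:00:12 srv sshd[1006]: Failed password for root from 127.0.0.1 port 50006 ssh2",
    "Mar 4 11:00:00 srv sshd[1007]: Failed password for root from 198.51.100.9 port 50007 ssh2",
    "Mar 4 11:05:00 srv sshd[1008]: Failed password for root from 198.51.100.9 port 50008 ssh2",
    "Mar 4 11:20:00 srv sshd[1009]: Failed password for root from 198.51.100.9 port 50009 ssh2",
]

def ignored(host):
    """True if host lies inside an ignoreip network, so it is never banned."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def evaluate(lines, year=2019):
    """Replay log lines; return {host: ban time} for hosts reaching maxretry failures inside findtime."""
    recent, bans = {}, {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                       # the filter does not recognise this line
        host = m.group("host")
        if ignored(host) or host in bans:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # Sliding window: drop failures older than findtime before counting this one.
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:
            bans[host] = ts                # here the ban action (iptables-multiport) would fire
    return bans

def ban_expires(bans, host):
    """Moment the ban lapses: ban time plus bantime."""
    return bans[host] + timedelta(seconds=BANTIME)
```

Only 203.0.113.5 is banned: 127.0.0.1 is covered by ignoreip, and 198.51.100.9 spreads its three failures over more than findtime, so its window never reaches maxretry.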

There are tens of filters available for commonly installed server software in the filter.d directory.

Conclusion

Log rotation

The package installs a default logrotate configuration file (/etc/logrotate.d/fail2ban) that can be customised:

/var/log/fail2ban/*.log
{
	copytruncate
	maxage 365
	missingok
	monthly
	notifempty
	rotate 12
}
/var/log/fail2ban/*.log
Sets the configuration scope for the subsequent section. The pattern matches all files (*) ending with the extension log in the /var/log/fail2ban/ directory.
copytruncate
Copy the contents of the log file being rotated into a new file and then truncate the original log file.
maxage 365
Remove log files older than 365 days.
missingok
Do not consider it an error if a log file is missing.
monthly
Perform a log rotation monthly.
notifempty
Do not perform a log rotation on an empty log file.
rotate 12
Perform 12 log rotations before older log files are removed.

Directory ownership and permissions

The configuration directory should be protected:

root@computer:~# chown --recursive root:adm /etc/fail2ban/
root@computer:~# chmod --recursive 0770 /etc/fail2ban/

The log directory should be protected:

root@computer:~# chown --recursive apache:adm /var/log/fail2ban/
root@computer:~# chmod --recursive 0750 /var/log/fail2ban/

Software reinitiation

Fail2ban is restarted once the configuration is complete so that the new settings take effect:

root@computer:~# systemctl restart fail2ban.service
