Last Updated on 08/11/2023 by Kevin Agar
What is Fail2ban?
It’s a piece of software that attempts to block malicious connections to your device, which in my case is a Raspberry Pi. It is important if you have SSH or a web server that is publicly accessible.
Fail2ban works by continually scanning your log files for signs of potential attacks, such as repeated password failures or requests probing for known exploits. Once it finds such activity, it automatically updates your firewall to ban the offending IP address.
To start, ensure the Raspberry Pi is up to date by running
sudo apt-get update
sudo apt-get upgrade
Next, install Fail2ban
sudo apt-get install fail2ban
During the installation process, fail2ban will generate a file called "jail.conf".
Make a copy of this file and name it "jail.local"; fail2ban automatically detects this file and loads its configuration.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
This file now needs to be edited. Open the file with the command
sudo nano /etc/fail2ban/jail.local
Within this file, use the CTRL + W key combination to search for "[sshd]". The section should look like the text displayed below; if it doesn't, search the file again with CTRL + W.
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
To enable this section, and to set the SSHD filter, we need to add two lines below the “[sshd]” text that we found in the previous step.
The first line added to this configuration file enables Fail2ban to process those rules for the specified port.
The second line tells Fail2ban that it needs to use the “/etc/fail2ban/filter.d/sshd.conf” file to filter connections to the ssh port.
enabled = true
filter = sshd
As well as enabling the jail and setting the filter, you can also change what Fail2ban does when someone triggers the filter.
To set the ban action you can utilize the following line. In the example below, we will be using the “iptables-multiport” ban action, which will ban the user that triggered the filter and restrict them from accessing any ports on the device.
banaction = iptables-multiport
Additional actions can be found in the /etc/fail2ban/action.d/ folder; typically, though, you will want to block an attacker on all ports.
In addition to being able to set the ban action, you can also set the number of attempts a user gets before they are banned, as well as how long they should be banned for.
To do this you can utilize the following two values. An example is shown below, and the values are explained after it.
bantime = -1
maxretry = 3
The first line above ("bantime = -1") sets how long you want the user to be banned for. This value is in seconds; for example, 1800 seconds will ban the user for 30 minutes.
If you want to ban the user indefinitely, you can set this value to -1 as we have in our example above.
The second line ("maxretry = 3") defines how many tries the user gets before the ban action is run. In my example I set this to 3, meaning the user will have 3 chances before they are banned from accessing the device on all ports.
Once you have finished configuring the [sshd] section (enabling it, setting the filter, and setting the ban action, ban time and max retries), you should end up with something like the following.
[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = -1
maxretry = 3
logpath = %(sshd_log)s
backend = %(sshd_backend)s
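To make the maxretry and bantime settings concrete, here is a small added model (not code from the original post or from Fail2ban itself) of what the sshd jail does with the [sshd] section above: it matches "Failed password" lines from auth.log, counts failures per IP inside a findtime window, and records a ban once maxretry is reached. The log lines are constructed samples, the regex is a simplified version of the sshd filter's pattern, and the 600-second findtime is assumed because the section above does not set it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Settings from the [sshd] section above; findtime is Fail2ban's default of
# 10 minutes (an assumption, since the section above does not set it).
MAXRETRY = 3
BANTIME = -1        # -1 = ban indefinitely
FINDTIME = 600      # window (seconds) in which failures are counted

# Simplified form of the "Failed password" pattern in filter.d/sshd.conf
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2023):
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: time_of_ban} for every IP that hits maxretry within findtime."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue               # not a failure: the filter ignores it
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and (bantime < 0 or now < bans[ip] + bantime):
            continue               # still banned: the firewall already drops it
        failures[ip] = [t for t in failures[ip] if now - t <= findtime] + [now]
        if len(failures[ip]) >= maxretry:
            bans[ip] = now         # this is where banaction would fire
    return bans

# Constructed sample auth.log lines (documentation IPs, not real traffic)
SAMPLE = [
    "Nov  8 10:00:01 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.5 port 51000 ssh2",
    "Nov  8 10:00:05 raspberrypi sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Nov  8 10:00:09 raspberrypi sshd[1203]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Nov  8 10:00:20 raspberrypi sshd[1204]: Accepted password for pi from 198.51.100.7 port 40000 ssh2",
    "Nov  8 10:30:00 raspberrypi sshd[1210]: Failed password for pi from 198.51.100.7 port 40010 ssh2",
    "Nov  8 10:50:00 raspberrypi sshd[1211]: Failed password for pi from 198.51.100.7 port 40011 ssh2",
    "Nov  8 11:10:00 raspberrypi sshd[1212]: Failed password for pi from 198.51.100.7 port 40012 ssh2",
]

if __name__ == "__main__":
    print(run_jail(SAMPLE))   # 203.0.113.5 is banned; 198.51.100.7 never hits maxretry inside findtime
```

The second host fails three times but 20 minutes apart, which is why findtime matters as much as maxretry when judging how strict a jail is.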
If you also want to enable protection for Apache against bad bots, locate the section called [apache-badbots]; you can use CTRL + W to find it.
Under this header, add the following two lines.
enabled = true
filter = apache-badbots
The filter name will typically be the same as the section name unless you're using a custom configuration file. So, [apache-badbots] will have a filter name of apache-badbots.
You can find all the filter configuration files in the following directory; use ls to list them.
ls /etc/fail2ban/filter.d/
Once you’ve finished editing the jail.local file, save the file by pressing CTRL + X then Y and finally ENTER.
Restart Fail2ban on the Raspberry Pi whenever you make a change.
sudo service fail2ban restart
To check the status, run
sudo fail2ban-client status sshd
This should give results similar to the following output, which was taken right after installing fail2ban.
pi@raspberrypi:~ $ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
pi@raspberrypi:~ $
This is after running fail2ban for a few weeks. As can be seen, it is blocking IPs. Whether this and a very strong password are enough to keep it safe, only time will tell.
maxair@maxair:~ $ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 25
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 6
|- Total banned: 6
`- Banned IP list: 176.113.115.82 192.168.0.3 45.135.232.155 45.155.204.3 62.204.41.56 91.240.118.105
maxair@maxair:~ $
Since updating to the latest version of piOS, Bookworm, Fail2ban no longer works. Searching the internet, I found this on GitHub.
Therefore, edit jail.local to add or edit the following lines, install python3-systemd, restart fail2ban, and check with sudo fail2ban-client status sshd.
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
# Debian 12 has no log files, just journalctl
backend = systemd
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
# A host is banned if it has generated "maxretry" failures during the last "findtime".
findtime = 1h
[sshd]
enabled = true
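Values placed under [DEFAULT] apply to every jail that does not override them, which is how the single line under [sshd] above ends up with the systemd backend and the 1d/5/1h limits. The added example below (not code from the original post or from Fail2ban) reads a constructed copy of that jail.local with Python's configparser, which Fail2ban's own config reader is built on, resolves the inherited values, and converts the "1d"/"1h" time strings to seconds. Section names are case-sensitive: only a section named exactly [DEFAULT] propagates its values.

```python
import configparser
import re

# Constructed copy of the jail.local settings shown above, comments omitted.
JAIL_LOCAL = """
[DEFAULT]
backend = systemd
bantime = 1d
maxretry = 5
findtime = 1h

[sshd]
enabled = true
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert Fail2ban time strings ("1d", "1h", "30m", "600", "-1") to seconds."""
    value = value.strip()
    if value.lstrip("-").isdigit():
        return int(value)                 # plain seconds, including -1 = forever
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)\s*([smhdw])", value))

def effective_settings(text, jail="sshd"):
    """Resolve what the jail actually gets after [DEFAULT] inheritance."""
    cp = configparser.ConfigParser(interpolation=None)   # no %(...)s here
    cp.read_string(text)
    sec = cp[jail]                        # lookups fall back to [DEFAULT]
    out = {k: sec.get(k) for k in ("enabled", "backend", "bantime", "maxretry", "findtime")}
    for k in ("bantime", "findtime"):
        if out[k] is not None:
            out[k] = to_seconds(out[k])
    if out["maxretry"] is not None:
        out["maxretry"] = int(out["maxretry"])
    return out

if __name__ == "__main__":
    print(effective_settings(JAIL_LOCAL))
    # Section names are case-sensitive: "[Default]" is just another jail,
    # so [sshd] would inherit none of these values.
    print(effective_settings(JAIL_LOCAL.replace("[DEFAULT]", "[Default]")))
```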
Once you’ve finished editing the jail.local file, save the file by pressing CTRL + X then Y and finally ENTER.
sudo apt install python3-systemd
sudo service fail2ban restart
maxair@maxair:~ $ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
maxair@maxair:~ $