How to Configure Fail2Ban for SSH Brute Force Protection in Debian 12 Bookworm

Securing your server against brute force attacks is an essential step in maintaining system integrity. One of the most effective tools for this is Fail2Ban, an intrusion prevention software that monitors system logs and bans IP addresses that exhibit suspicious behavior. This guide will walk you through the installation and configuration of Fail2Ban on Debian 12 Bookworm to protect your SSH service.

Prerequisites

Before proceeding, ensure that:

  • You have a Debian 12 Bookworm system.
  • You have sudo or root privileges.
  • SSH is installed and running on your server.
  • The ufw firewall is installed and enabled (optional but recommended).

Step 1: Install Fail2Ban

Debian 12 includes Fail2Ban in its default repositories, making installation straightforward. Open a terminal and run:

sudo apt update
sudo apt install fail2ban -y

Once installed, verify its status:

sudo systemctl status fail2ban

The output should indicate that the service is active and running.

Step 2: Configure Fail2Ban for SSH Protection

Fail2Ban reads its configuration from /etc/fail2ban/. The defaults live in /etc/fail2ban/jail.conf, which the package may overwrite on upgrade, so do not edit that file, and do not copy it wholesale to jail.local either: you would carry every default forward and have to re-merge it after each upgrade. Put only the settings you want to change in /etc/fail2ban/jail.local; Fail2Ban reads jail.conf first and applies jail.local on top of it. Note that Debian already ships /etc/fail2ban/jail.d/defaults-debian.conf, which enables the sshd jail, so the jail is active with stock settings right after installation.

2.1 Create a Local Configuration File

Create the override file and open it in an editor:

sudo nano /etc/fail2ban/jail.local

2.2 Modify the SSH Jail Settings

Add an [sshd] section with the settings you want to override:

[sshd]
enabled = true
port = ssh
filter = sshd
backend = systemd
maxretry = 5
findtime = 600
bantime = 3600

Explanation of parameters:

  • enabled = true – Enables the SSH jail.
  • port = ssh – Ports the ban applies to; "ssh" is the service name for port 22, so if sshd listens on another port, put that port number here.
  • filter = sshd – Uses the rules in /etc/fail2ban/filter.d/sshd.conf to recognise failed logins.
  • backend = systemd – Reads sshd's messages from the systemd journal. Debian 12 no longer installs rsyslog by default, so /var/log/auth.log usually does not exist, and a jail pointed at it with logpath = /var/log/auth.log will refuse to start because it has no log file to watch. If you do run rsyslog, you can use logpath = /var/log/auth.log instead.
  • maxretry = 5 – Number of failures within findtime that triggers a ban.
  • findtime = 600 – The window (in seconds) within which failures are counted (10 minutes); older failures are forgotten.
  • bantime = 3600 – Duration (in seconds) an IP remains banned (1 hour).

One setting to add before you rely on this: put your own management address in ignoreip in the [DEFAULT] section, so that mistyping your own password a few times cannot lock you out of the server.
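To make the interaction of maxretry and findtime concrete, here is an added example that is not Fail2Ban's own code (its sshd filter and ban logic are considerably more elaborate). It applies a simplified version of the filter's "Failed password" rule to a few constructed auth.log lines and reports when an address would cross the threshold. Timestamps are assumed to fall on a single day, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: simulate fail2ban's maxretry/findtime sliding window.
# Not fail2ban code; the regex is a cut-down version of the sshd filter's
# "Failed password" rule, and HH:MM:SS is converted to seconds since
# midnight (assumption: all lines are from the same day).

# Constructed sample log lines in rsyslog auth.log format (RFC 5737 addresses).
SAMPLE_LOG='Mar  5 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 50001 ssh2
Mar  5 10:00:04 srv sshd[1202]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar  5 10:00:07 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Mar  5 10:00:09 srv sshd[1204]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Mar  5 10:00:12 srv sshd[1205]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar  5 10:01:00 srv sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Mar  5 10:05:00 srv sshd[1220]: Failed password for root from 198.51.100.9 port 42000 ssh2
Mar  5 10:19:00 srv sshd[1221]: Failed password for root from 198.51.100.9 port 42001 ssh2
Mar  5 10:33:00 srv sshd[1222]: Failed password for root from 198.51.100.9 port 42002 ssh2
Mar  5 10:47:00 srv sshd[1223]: Failed password for root from 198.51.100.9 port 42003 ssh2
Mar  5 11:01:00 srv sshd[1224]: Failed password for root from 198.51.100.9 port 42004 ssh2'

# find_offenders MAXRETRY FINDTIME   (log lines on stdin)
# Prints "<ip> <seconds-since-midnight>" once per IP, at the moment it
# accumulates MAXRETRY failures inside the last FINDTIME seconds.
find_offenders() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+/ {
        # $3 is the HH:MM:SS field; awk collapses the double space in "Mar  5"
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        # record this failure, then count the ones still inside the window
        n[ip]++
        ts[ip, n[ip]] = now
        cnt = 0
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > now - findtime) cnt++
        if (cnt >= maxretry && !(ip in banned)) {
            banned[ip] = now
            printf "%s %d\n", ip, now
        }
    }'
}

# Demo: the page's settings (5 failures in 10 minutes) catch the fast
# guesser but not the slow one; widening findtime to an hour catches both.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 5 600
printf '%s\n' "$SAMPLE_LOG" | find_offenders 5 3600
```

The slow attacker spacing attempts 14 minutes apart never has five failures inside a 600-second window, which is why findtime matters as much as maxretry: a low-and-slow guesser needs a wider window (or a longer bantime with bantime.increment) to be caught at all.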

2.3 Modify Default Ban Policy (Optional)

You can tune the global policy in the [DEFAULT] section. For example, lengthen the ban each time the same address comes back:

bantime.increment = true
bantime.factor = 2
bantime.maxtime = 86400

With bantime.increment enabled, every subsequent ban of an address grows geometrically (the default formula doubles the ban time for each previous ban, and bantime.factor multiplies the result again) up to bantime.maxtime, here 24 hours. This is not a permanent ban. The ban history lives in Fail2Ban's SQLite database (/var/lib/fail2ban/fail2ban.sqlite3 on Debian), so the count survives a restart of the service.

Step 3: Restart and Enable Fail2Ban

After configuring the settings, restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

Enable it to start at boot:

sudo systemctl enable fail2ban
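The whole procedure above as one script, added here as an example and not part of the Fail2Ban package: it writes an override-only jail.local with the settings from this guide plus ignoreip, checks the configuration with fail2ban-client -t before restarting, and only touches the system when run as root with Fail2Ban installed (otherwise it just prints the file it would write). ADMIN_CIDR and JAIL_LOCAL are placeholders; the default admin range is an RFC 5737 documentation network, so replace it with the address you administer from.

```shell
#!/bin/sh
# Added example: install an override-only jail.local for the sshd jail.
# Not fail2ban's own code. Assumes Debian 12 with the fail2ban package;
# ADMIN_CIDR (RFC 5737 placeholder) must be replaced with your real network.
set -eu

ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"
JAIL_LOCAL="${JAIL_LOCAL:-/etc/fail2ban/jail.local}"

# Render the override file. Only settings that differ from jail.conf go in,
# so package upgrades of jail.conf never need to be merged by hand.
render_jail_local() {
    admin="$1"
    cat <<EOF
[DEFAULT]
# never ban loopback or the network you administer from
ignoreip = 127.0.0.1/8 ::1 ${admin}
bantime  = 3600
findtime = 600
maxretry = 5
# escalate bans for repeat offenders, capped at 24 hours
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 86400

[sshd]
enabled = true
port    = ssh
# read the systemd journal; Debian 12 has no /var/log/auth.log without rsyslog
backend = systemd
EOF
}

# Read one key from a rendered config on stdin (first match), to check output.
config_value() {
    key="$1"
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

install_jail_local() {
    render_jail_local "$ADMIN_CIDR" > "$JAIL_LOCAL"
    chmod 644 "$JAIL_LOCAL"
    # -t parses the full configuration without touching the running server;
    # set -e aborts here on a syntax error, so a broken file never gets loaded
    fail2ban-client -t
    systemctl restart fail2ban
    systemctl enable fail2ban
    fail2ban-client status sshd
}

# Only modify the system when run as root with fail2ban present.
if [ "$(id -u)" -eq 0 ] && command -v fail2ban-client >/dev/null 2>&1; then
    install_jail_local
else
    render_jail_local "$ADMIN_CIDR"
fi
```

Run it as root once ADMIN_CIDR is set; the fail2ban-client -t step is the one worth keeping in any change process, because a typo in jail.local otherwise surfaces only as a failed restart that leaves SSH unprotected.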

Step 4: Verify Fail2Ban Functionality

Check the jail status to ensure SSH protection is active:

sudo fail2ban-client status sshd

With the systemd backend you should see output similar to:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 192.168.1.100

"Currently failed" is the number of addresses with failures inside the findtime window that have not yet reached maxretry; "Currently banned" lists active bans. Ban and unban events are also written to /var/log/fail2ban.log, which is the first place to look if an expected ban does not happen. If the jail is running but never bans anything, check that the filter actually matches your log format with fail2ban-regex before changing jail settings.

Step 5: Manually Unban an IP (If Needed)

If an IP is accidentally banned, you can unban it with:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

For example:

sudo fail2ban-client set sshd unbanip 192.168.1.100

Step 6: Configure Fail2Ban to Work with UFW (Optional)

If you use UFW, have Fail2Ban insert its bans as UFW rules. The Debian default, banaction = iptables-multiport, still blocks traffic under UFW because Fail2Ban inserts its own chain ahead of UFW's rules, but those bans are invisible to ufw status. The ufw action is shipped in /etc/fail2ban/action.d/ufw.conf. Edit the configuration file:

sudo nano /etc/fail2ban/jail.local

Set the banaction parameter in the [DEFAULT] section:

banaction = ufw

Restart Fail2Ban:

sudo systemctl restart fail2ban

Each banned address then appears as a DENY rule inserted at the top of the UFW rule list, which you can see with:

sudo ufw status

Conclusion

Setting up Fail2Ban on Debian 12 Bookworm is an effective way to slow down SSH brute force attacks: with the settings above, an address gets five guesses per ten minutes before it is locked out for an hour. That limits password guessing but does not eliminate it, especially when attempts are spread over many source addresses, so treat Fail2Ban as a complement to SSH key authentication with password logins disabled, not a substitute for it.

By following these steps, you have reduced the exposure of your Debian 12 system to brute force attacks. Monitor /var/log/fail2ban.log and the jail status regularly, and adjust maxretry, findtime and bantime to match the traffic you actually see.