Hint: You can use the Tab key to autocomplete all filenames and directories, so you don't have to type in the complete file or directory name manually.
This tutorial was last checked and updated on April 3, 2023.
- If you havn't already done so, download the program "PuTTY".
- Connect to your root server or VPS/vServer via SSH using PuTTY. To do this, open PuTTY and enter the domain or IP address of your server in the text box named "Host Name (or IP address)". Then click the "OK" button below.
- Update your package lists with the command
apt update
. - Now install any available updates of the packages already installed on your server using the command
apt upgrade -y
. - Next, install the Nano editor, if it's not already installed, with the following command:
apt install nano -y
- Then install Fail2Ban and other required packages with the following command:
apt install fail2ban -y
- The configuration files of Fail2Ban are located in the directory "/etc/fail2ban/". The global configuration file is the file called "jail.conf", but it's overwritten when you update Fail2Ban. Therefore, the configuration must be done in the "jail.local" file. Copy the file "jail.conf" with the command
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
. - Now open this configuration file by executing the command
nano /etc/fail2ban/jail.local
. - Fail2Ban can be used to secure the SSH service as well as other services. Within the "MISCELLANEOUS OPTIONS" (starting at line 44) you can globally define after how many failed login attempts an IP address should be banned and also how long this ban should last. However, you can override these values individually for each service - e.g. for the SSH service in the "SSH servers" section (starting at line 276).
- The "bantime" is the number of seconds that an IP address will be banned. The default is 10 minutes ("10m"). It's recommended to set this value to one hour ("1h").
- The "findtime" parameter allows you to specify the period of time in which the amount of failed logins defined by the "maxretry" parameter must occur so that an IP address is banned. By default, the value for the "findtime" is 10 minutes ("10m") and "maxretry" is set to 5. This means that an IP address will be banned if 5 failed login attempts are made within 10 minutes. These values can be left unchanged.
- By default, the Fail2Ban protection is disabled for all services, so you have to enable it for the SSH service. To do this, go to the "SSH servers" section starting at line 276 of this configuration file and add the line "enabled = true" to the SSH service settings ("[sshd]").
- Note: On Debian, the Fail2Ban protection for your SSH service is the only one that's already enabled because of the file "/etc/fail2ban/jail.d/defaults-debian.conf", but you can set the "enabled" parameter in your "jail.local" file to "true" anyway.
- Save your changes to the configuration by pressing CTRL + X, then hit the "Y" key followed by enter.
- Finally, restart Fail2Ban using the command
systemctl restart fail2ban
to apply your changes. Now Fail2Ban is ready to use and your SSH server is protected against brute force attacks. - In the log file of Fail2Ban at "/var/log/fail2ban.log" you can see what actions have been taken by Fail2Ban (e.g. banning an IP address). You can open this file with the Nano editor (
nano /var/log/fail2ban.log
). - You can also use Fail2Ban to manually ban or unban IP addresses for the SSH server. Use the command
fail2ban-client set sshd banip 123.123.123.123
to ban an IP address andfail2ban-client set sshd unbanip 123.123.123.123
to unban it. Instead of "123.123.123.123" you need to specify the IP address you want to ban or unban.