How to install Fail2Ban on the Raspberry Pi
About: Fail2Ban is a daemon that scans defined log files and bans IP addresses that show malicious signs, such as repeated password failures or probing for exploits. It is a must-have tool for protecting your Raspberry Pi from intruders, especially if you allow SSH or any other traffic from an outside network to reach it. Fail2Ban supports many services (sshd, apache, qmail, proftpd, sasl, asterisk, etc.) and integrates with iptables.
Fail2Ban is very easy to install and set up and will drastically improve security on your Raspberry Pi. It works by monitoring your logs for failures and, depending on the settings you choose, banning an IP address for a certain amount of time when it repeatedly fails to log in to your server. It is a great tool and a must-have for protecting your server from brute-force attacks.
Objective: To install and setup Fail2Ban to increase security on the Raspberry Pi
Material: You will need the following:
- Raspberry Pi (Click the link to check out the price on Amazon. Usually around $37 with free shipping)
Instructions: Let’s start off by opening the terminal on your Raspberry Pi or by connecting to it over SSH
Let's install Fail2Ban by typing the following commands:
sudo apt-get update
sudo apt-get install fail2ban
The default settings for Fail2Ban are located in ‘/etc/fail2ban/jail.conf’, where you can see the default configuration for the many services it can protect. Do not edit ‘/etc/fail2ban/jail.conf’ directly; instead, put your own configuration in ‘/etc/fail2ban/jail.local’, whose settings override those in jail.conf.
Let's edit our SSH Fail2Ban configuration. Open the ‘/etc/fail2ban/jail.local’ file with the following command:
sudo nano /etc/fail2ban/jail.local
Your jail.local file should be empty. Let's add the following settings (the ‘[ssh]’ line is the section header that names the jail; every setting below it belongs to that jail, and the iptables chain Fail2Ban creates is named after it):
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3
After pasting the settings hit CTRL+X and then Y to save the configuration file. Below is what each line in the configuration means and what you can edit.
enabled: Determines whether or not the filter is turned on.
port: The port Fail2Ban should be referencing in regards to the service. If using the default port, then the service name can be placed here. If you changed your SSH port to something else you would need to write the new port number here.
filter: The name of the file located in ‘/etc/fail2ban/filter.d’ that contains the failregex information used to parse log files appropriately.
logpath: The path to your log file.
bantime: The length of time in seconds that the IP Address will be banned for. In my example I used ‘900’ seconds which would be 15 minutes. If you want to ban an IP Address permanently then you will set the bantime to ‘-1’.
banaction: The action to take when banning an IP Address.
findtime: The window, in seconds, within which failed attempts are counted. For example, if Fail2Ban is set to ban an IP after three failed login attempts, those three attempts must occur within the findtime limit for the ban to trigger.
maxretry: How many attempts can be made to access the server from a single IP before a ban is imposed.
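To see how findtime and maxretry interact, here is an added example (not part of the original post or of Fail2Ban itself) that applies the same sliding-window rule to a few constructed /var/log/auth.log lines. The failregex is a simplified stand-in for the real sshd filter, which matches many more message forms.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:05 raspberrypi sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:09 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51244 ssh2
Mar  1 10:03:00 raspberrypi sshd[1210]: Failed password for pi from 198.51.100.9 port 40000 ssh2
Mar  1 10:30:00 raspberrypi sshd[1230]: Failed password for pi from 198.51.100.9 port 40001 ssh2
Mar  1 10:31:00 raspberrypi sshd[1231]: Failed password for pi from 198.51.100.9 port 40002 ssh2
Mar  1 10:32:00 raspberrypi sshd[1232]: Accepted publickey for pi from 192.0.2.5 port 1234 ssh2
"""

# Simplified stand-in for one of the patterns in filter.d/sshd.conf (assumption:
# the real filter has many more regexes; this one only covers "Failed password").
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Return a (timestamp, ip) tuple for each failed-login line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            stamp = re.sub(r"\s+", " ", m.group(1))   # syslog pads the day with spaces
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def would_ban(failures, findtime=900, maxretry=3):
    """Apply the jail rule: an IP is banned once maxretry failures fall inside
    any window of findtime seconds. Returns the IPs in the order they trip it."""
    recent = defaultdict(list)
    banned = []
    for ts, ip in sorted(failures):
        recent[ip].append(ts)
        # keep only failures that are still inside the findtime window
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(would_ban(parse_failures(SAMPLE_AUTH_LOG)))  # 203.0.113.7 only with findtime=900
```

With the post's findtime of 900 seconds only 203.0.113.7 (three failures in eight seconds) is banned; the slower attempts from 198.51.100.9 only trip the rule if findtime is raised to an hour.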
Restart Fail2Ban with the following command to make your configuration settings live:
sudo service fail2ban restart
At this point Fail2Ban is configured and your server will be protected from brute-force attacks. Note, however, that all bans are cleared when Fail2Ban is restarted or the server is rebooted. If you manage to ban yourself, you can simply restart your Raspberry Pi.
You can check your IPTables list with the following command to see all your banned IP Addresses:
sudo iptables -L -n --line-numbers
If you need to unban an IP address, use the following command, changing the number to the line you want to remove. Use the chain name exactly as it appears in the iptables listing above:
sudo iptables -D fail2ban-ssh 1