Setting up fail2ban on Debian

Setting up fail2ban on Debian is an effective way to protect your server from brute-force attacks by banning IP addresses that show malicious signs, such as repeated failed login attempts. Here's a step-by-step guide on how to set it up:

Step 1: Install fail2ban

  1. Update your package index:

    bash 复制代码
    sudo apt update
  2. Install fail2ban:

    bash 复制代码
    sudo apt install fail2ban

Step 2: Configure fail2ban

After installing fail2ban, you need to configure it to protect your services, such as SSH. You will be editing configuration files located in /etc/fail2ban.

  1. Copy the default configuration file for local use:

    bash 复制代码
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Edit the jail.local file:

    Open the configuration file in a text editor:

    bash 复制代码
    sudo nano /etc/fail2ban/jail.local
  3. Configure basic settings:

    Look for the [DEFAULT] section and modify the following options:

    • Ban Time: The duration of the ban (e.g., 10 minutes).

      ini 复制代码
      bantime = 10m
    • Find Time: The duration within which the number of failed attempts is checked (e.g., 10 minutes).

      ini 复制代码
      findtime = 10m
    • Max Retry: The number of failed attempts allowed before a ban is applied.

      ini 复制代码
      maxretry = 5
    • Unban Time (optional): If you want the ban to last indefinitely, use:

      ini 复制代码
      bantime = -1
  4. Enable SSH protection : Look for the [sshd] section and make sure it is enabled by setting:

    ini 复制代码
    [sshd]
    enabled = true
  5. Whitelist trusted IP addresses (optional):

    If you have specific IPs or IP ranges you want to whitelist (e.g., your office or home IP), add them to the ignoreip directive under the [DEFAULT] section:

    ini 复制代码
    ignoreip = 127.0.0.1/8 ::1 <your IP here>
  6. Additional jail configurations :
    fail2ban comes with pre-configured jails for various services such as Nginx, Postfix, Dovecot, etc. If you want to protect these services, find the relevant section in jail.local, and set enabled = true for the ones you wish to protect.

Step 3: Start and Enable fail2ban

Once your configuration is ready, start and enable fail2ban:

bash 复制代码
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Step 4: Verify fail2ban Status

To check the status of fail2ban and ensure it is running correctly:

bash 复制代码
sudo systemctl status fail2ban

You can also check the status of a specific jail, like the SSH jail:

bash 复制代码
sudo fail2ban-client status sshd

This will show the currently active jails, banned IPs, and other information.

Step 5: Monitor Logs

fail2ban logs all its actions in the log file /var/log/fail2ban.log. You can monitor this file to ensure fail2ban is working as expected:

bash 复制代码
sudo tail -f /var/log/fail2ban.log

Step 6: Unban an IP (if needed)

If you accidentally ban your own IP or another trusted IP, you can unban it using the following command:

bash 复制代码
sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

This setup should provide basic protection for your server from brute-force attacks. You can expand the protection by configuring more jails for additional services based on your server's needs.

To disable sshd from listening on IPv4 in Debian, you need to modify the SSH server configuration file (/etc/ssh/sshd_config). Follow these steps:

  1. Edit the sshd_config file:

    bash 复制代码
    sudo nano /etc/ssh/sshd_config
  2. Find the ListenAddress directives in the file. By default, SSH listens on all available network interfaces and IP addresses. To restrict it to only IPv6, you will need to add or modify a ListenAddress directive to only listen on IPv6.

  3. Set SSH to listen only on IPv6 :

    Add the following line to specify that SSH should only listen to IPv6 addresses:

    ListenAddress ::
    

    This line tells sshd to listen on all available IPv6 addresses.

  4. Save and exit the file by pressing Ctrl+X, then Y, and Enter.

  5. Restart the SSH service to apply the changes:

    bash 复制代码
    sudo systemctl restart sshd

This will prevent SSH from listening on IPv4 addresses while still allowing connections over IPv6. You can confirm this by running the following command:

bash 复制代码
sudo ss -tuln | grep ssh

You should see that SSH is only listening on IPv6 (::) and not on any IPv4 addresses.

To allow both inbound and outbound traffic for TCP port 4662 and UDP port 4672 using ufw, you can use the following commands:

  1. Allow inbound and outbound TCP traffic on port 4662:

    bash 复制代码
    sudo ufw allow 4662/tcp
  2. Allow inbound and outbound UDP traffic on port 4672:

    bash 复制代码
    sudo ufw allow 4672/udp

These commands will enable both inbound and outbound traffic for the specified ports. You can verify the rules with:

bash 复制代码
sudo ufw status

This will show you the list of active rules in your ufw configuration.

相关推荐
cominglately2 小时前
centos单机部署seata
linux·运维·centos
CircleMouse2 小时前
Centos7, 使用yum工具,出现 Could not resolve host: mirrorlist.centos.org
linux·运维·服务器·centos
Karoku0663 小时前
【k8s集群应用】kubeadm1.20高可用部署(3master)
运维·docker·云原生·容器·kubernetes
木子Linux3 小时前
【Linux打怪升级记 | 问题01】安装Linux系统忘记设置时区怎么办?3个方法教你回到东八区
linux·运维·服务器·centos·云计算
mit6.8243 小时前
Ubuntu 系统下性能剖析工具: perf
linux·运维·ubuntu
watermelonoops3 小时前
Windows安装Ubuntu,Deepin三系统启动问题(XXX has invalid signature 您需要先加载内核)
linux·运维·ubuntu·deepin
阿甘知识库4 小时前
宝塔面板跨服务器数据同步教程:双机备份零停机
android·运维·服务器·备份·同步·宝塔面板·建站
saynaihe4 小时前
安全地使用 Docker 和 Systemctl 部署 Kafka 的综合指南
运维·安全·docker·容器·kafka
zhou周大哥5 小时前
linux 安装 ffmpeg 视频转换
linux·运维·服务器
the丶only6 小时前
单点登录平台Casdoor搭建与使用,集成gitlab同步创建删除账号
linux·运维·服务器·docker·gitlab