Setup Fail2ban on Debian 9

Update the system

#apt update && apt upgrade -y

Change the SSH port (optional). The example moves sshd from port 22 to 3000. The sed below only rewrites the commented default line #Port 22, so afterwards confirm that the file contains an uncommented Port 3000 line, and keep this session open until a new login on the new port succeeds:

#sed -i "s/#Port 22/Port 3000/g" /etc/ssh/sshd_config
#systemctl restart sshd.service

Debian 8: open /etc/ssh/sshd_config in an editor and change the Port line from 22 to 3000:

#vim /etc/ssh/sshd_config

Update the iptables rules so that the new port is accepted and port 22 is dropped (they are written to /etc/iptables.up.rules in the next step). With the INPUT policy at ACCEPT, the DROP on 22 is the only thing that blocks the old port; the ESTABLISHED,RELATED rule in front of it keeps your current session alive, so test a fresh login on 3000 from a second terminal before closing it:

#/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#/usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
#/usr/sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

Save the rules to a file and restore them at boot. Do this before fail2ban is installed: otherwise its f2b-sshd chain and whatever bans are active at the time end up in the saved rule set and are re-created at every boot.

#/usr/sbin/iptables-save > /etc/iptables.up.rules
#touch /etc/network/if-pre-up.d/iptables
#chmod +x /etc/network/if-pre-up.d/iptables
#echo '#!/bin/sh' >> /etc/network/if-pre-up.d/iptables
#echo '/sbin/iptables-restore < /etc/iptables.up.rules' >> /etc/network/if-pre-up.d/iptables

Debian 10: to make iptables rules persistent, install the iptables-persistent package:

#apt-get install iptables-persistent

Debian 10: whenever the rules change, save them to the files that iptables-persistent restores at boot:

#iptables-save > /etc/iptables/rules.v4
#ip6tables-save > /etc/iptables/rules.v6

If you use UFW instead of raw iptables, allow the new port and confirm the rule was added:

#sudo ufw allow 3000/tcp
#sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
3000/tcp                   ALLOW       Anywhere
3000/tcp (v6)              ALLOW       Anywhere (v6)

Then remove the rule for port 22, but only after a login on 3000 has worked. ufw status numbered lists the rules with an index so that one can be selected for deletion:

#sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Apache                     DENY IN     Anywhere
[ 2] 22                         ALLOW IN    Anywhere

Delete the rule by the number in square brackets (ufw asks for confirmation):

#sudo ufw delete 2
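
The port change above is fragile in one spot: the sed on sshd_config only fires if the file still carries the commented default #Port 22, and sshd is restarted without checking that the new listener exists or that the firewall lets it through. The script below is an added example, not part of the original tutorial, that does the same job defensively for the iptables setup (not UFW): set_sshd_port rewrites whatever Port line exists (commented, active or absent) to a single Port line at the top of the file, and the apply path keeps a backup, runs sshd -t before restarting, accepts the new port in iptables before anything is dropped, and verifies with ss that sshd is listening. The file name change-sshd-port.sh, the apply argument and the default port 3000 are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a defensive version of the
# "change the SSH port" step. Nothing below touches the system unless the script
# is invoked as:  sh change-sshd-port.sh apply [PORT]   (file name and the PORT
# default of 3000 are this example's own choices).

# set_sshd_port FILE PORT
# Replace every Port line in FILE (commented "#Port 22", active "Port 22", or none
# at all) with one "Port PORT" line at the top, so the result does not depend on the
# file's current state the way a "s/#Port 22/Port 3000/" substitution does.
set_sshd_port() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Port is not allowed inside a Match block, so it goes first, not last.
    { printf 'Port %s\n' "$port"
      sed -E '/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/d' "$file"
    } > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# sshd_port FILE: print the effective listen port (first active Port line, else 22).
sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

if [ "${1:-}" = "apply" ]; then
    new="${2:-3000}"
    cfg=/etc/ssh/sshd_config
    old=$(sshd_port "$cfg")
    cp -p "$cfg" "$cfg.bak"
    set_sshd_port "$cfg" "$new"
    # Let sshd validate the file before the restart that could otherwise lock us out.
    if ! sshd -t; then
        cat "$cfg.bak" > "$cfg"
        echo "sshd rejected the new config; restored $cfg" >&2
        exit 1
    fi
    # Open the new port first; the old one stays open until the new listener is confirmed.
    iptables -I INPUT -p tcp --dport "$new" -j ACCEPT
    systemctl restart sshd.service
    if ! ss -ltn | awk '{print $4}' | grep -qE ":$new\$"; then
        echo "sshd is not listening on $new; port $old is still open" >&2
        exit 1
    fi
    echo "sshd listens on $new. Log in on that port from a second session, then run:"
    echo "  iptables -A INPUT -p tcp --dport $old -j DROP && iptables-save > /etc/iptables.up.rules"
fi
```

Run it as root from an existing session. It deliberately leaves the old port open and only prints the DROP and save commands, to be run once a second session on the new port has succeeded. The set_sshd_port function can be tried on a copy of sshd_config first.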

Install and configure fail2ban to protect SSH

#apt install fail2ban -y
#systemctl status fail2ban

Let's see how fail2ban altered the iptables rules:

#/usr/sbin/iptables -L -n -v

There is a new chain f2b-sshd that is referenced from the INPUT chain. Note that it matches port 3000: the jail only follows the SSH port change if it has been told about it (its default is port = ssh, i.e. 22), which the configuration section below covers:

Chain INPUT (policy ACCEPT 777 packets, 80681 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1250 93157 f2b-sshd   tcp  --  *      *                                           multiport dports 3000
(... omitted for brevity ...)
Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1223 90505 RETURN     all  --  *      *

The fail2ban package ships a tool called fail2ban-client. It lets you check the status of the service and interact with it (manually ban and unban IP addresses, enable and disable jails, and so on).

See which jails are active:

#fail2ban-client status
|- Number of jail: 1
`- Jail list: sshd

Check the statistics for sshd jail:

#fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:

The address listed there is banned from reaching the SSH server. fail2ban enforces this by inserting a REJECT rule for that source at the top of the f2b-sshd chain, ahead of the RETURN that lets everything else through:

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   696 REJECT     all  --  *      *                                           reject-with icmp-port-unreachable
 1279 97855 RETURN     all  --  *      *

Configuring fail2ban

The default jail settings live in /etc/fail2ban/jail.conf; on Debian the sshd jail is switched on by /etc/fail2ban/jail.d/defaults-debian.conf (the filter regexes themselves are under /etc/fail2ban/filter.d/).

Do not edit jail.conf: a fail2ban package upgrade may overwrite it.

If you need to adjust the configuration, create /etc/fail2ban/jail.local containing only the values you want to change; anything not set there keeps its jail.conf default. One value you do need once SSH no longer listens on 22: the sshd jail defaults to port = ssh, so its REJECT rules only apply to traffic to port 22 and a banned address can still reach sshd on 3000. Set port = 3000 in the jail's [sshd] section.

To change the default ban duration (bantime) and the number of failed attempts allowed before a ban (maxretry), create /etc/fail2ban/jail.local:

#vim /etc/fail2ban/jail.local

Insert the settings below. The section header is required (fail2ban parses jail.local as an INI file and rejects a file without one), and the [sshd] port line is what makes the jail follow sshd to port 3000:

[DEFAULT]
# 1 hour ban after 3 failures (defaults: 600 s, 5)
bantime = 3600
maxretry = 3
[sshd]
port = 3000

Restart the service:

#systemctl restart fail2ban
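
To make the numbers behind the jail status and the bantime/maxretry settings concrete, here is an added example (not fail2ban's own code) that reproduces the sshd jail's counting rule over a few constructed auth.log lines: ban_candidates emits every source address that produced maxretry or more "Failed password" lines within some findtime-second window, which is the decision that puts an address on the Banned IP list and into the f2b-sshd chain. It is a simplification: the real sshd filter has several more regexes (invalid user, public-key failures and others), timestamps are taken from the syslog prefix without a year, and bantime (how long the REJECT rule stays) is not modelled. The host name deb9, the addresses, process IDs and times in the sample lines are made up.

```shell
#!/bin/sh
# Added example (not fail2ban's own code): the sshd jail's counting rule, rewritten
# in awk so the effect of maxretry and findtime can be watched on sample log lines.
# Simplifications: only "Failed password ... from <HOST>" lines are matched (the real
# filter has more regexes), timestamps come from the syslog prefix without a year,
# and bantime (how long the REJECT rule stays in f2b-sshd) is not modelled.

# ban_candidates MAXRETRY FINDTIME LOGFILE
# Print each source address that produced MAXRETRY or more matching failures inside
# some FINDTIME-second window, once, in the order the threshold was crossed.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # "Mar  5 10:15:01" -> seconds; month lengths are approximated, which is fine
    # for comparing timestamps that are minutes apart.
    function ts(mo, d, hms,    t) {
        split(hms, t, ":")
        return ((mon[mo] * 31 + d) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || banned[ip]) next
        now = ts($1, $2, $3)
        n[ip]++
        seen[ip, n[ip]] = now
        # slide the window: forget attempts older than findtime seconds
        while (first[ip] < n[ip] && seen[ip, first[ip] + 1] < now - findtime) first[ip]++
        if (n[ip] - first[ip] >= maxretry) { banned[ip] = 1; print ip }
    }' "$3"
}

# Constructed auth.log lines (Debian syslog format; host, addresses and times are
# made up): 203.0.113.7 fails three times in five seconds, 198.51.100.9 fails three
# times spread over 26 minutes, and one successful login is there to be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  5 10:15:01 deb9 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 10:15:03 deb9 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 10:15:04 deb9 sshd[2305]: Failed password for root from 198.51.100.9 port 40110 ssh2
Mar  5 10:15:06 deb9 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 10:15:10 deb9 sshd[2309]: Accepted password for deploy from 192.0.2.20 port 55214 ssh2
Mar  5 10:40:00 deb9 sshd[2412]: Failed password for root from 198.51.100.9 port 40111 ssh2
Mar  5 10:41:00 deb9 sshd[2412]: Failed password for root from 198.51.100.9 port 40111 ssh2
EOF
}

# Run stand-alone: compare the jail.local values against a wider findtime.
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "maxretry=3 findtime=600:";  ban_candidates 3 600 "$log"
    echo "maxretry=3 findtime=3600:"; ban_candidates 3 3600 "$log"
    rm -f "$log"
fi
```

With the tutorial's maxretry = 3 and fail2ban's default findtime of 600 seconds only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first attempt is 25 minutes before the other two, so never more than two fall inside one window. Raising findtime to 3600 bans it as well, which is the slow-brute-force trade-off those two jail.local values control.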

Source :