- How To Protect SSH with Fail2Ban on Debian 11
Check whether Fail2ban is already installed and running:
systemctl status fail2ban
If it is installed but not active or running, start it and enable it at boot:
systemctl start fail2ban
systemctl enable fail2ban
If fail2ban reports an error on start, try starting the server through the client:
fail2ban-client start
Installing Fail2ban, if it is not installed:
sudo apt update
sudo apt install fail2ban
Check the installation status:
systemctl status fail2ban.service
Configuring Fail2ban
The configuration files of the fail2ban service live in the /etc/fail2ban directory. The file jail.conf holds the defaults; it is overwritten on package upgrades, so in this tutorial you create jail.local by copying jail.conf and put your changes there.
cd /etc/fail2ban
sudo cp jail.conf jail.local
Now edit the copy to suit your requirements:
sudo vi jail.local
Here you can set bantime (how long an offending IP stays banned), findtime (the window in which failures are counted), maxretry (the number of failures within findtime that triggers a ban), and destemail to receive email alerts.
Individual Jail Settings
vi /etc/fail2ban/jail.local
Each service has its own [section] in jail.local. By default, the SSH jail is enabled and all others are disabled. To switch a jail on, set in its section:
enabled = true
After making your changes, restart the service:
sudo systemctl restart fail2ban
Sample jail.local
#
# The fail2ban local definition file for the default settings.
#
[DEFAULT]
# Destination email for action that send you an email
destemail = hostbriz@gmail.com
# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender = fail2ban@imail.hostbriz.com
# Default action. Will block user and send you an email with whois content and log lines.
action = %(action_mwl)s
# ignoreip can be a list of IP addresses, CIDR masks, or DNs hosts. Fail2ban
# will not ban a host which matches an address in this list.
ignoreip = 127.0.0.1/8 ::1/128 27.147.130.62 123.200.16.218 203.4.187.252 157.119.236.11
# configure nftables
banaction = nftables-multiport
chain = input
# regular banning
bantime = 24h
findtime = 600
maxretry = 5
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true
# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 30m
# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
bantime.maxtime = 60d
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
bantime.factor = 2
# purge database entries after
dbpurgeage = 30d

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
mode = aggressive

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
ignoreip = 127.0.0.1/8 ::1/128 91.229.0.0/24 27.147.130.62 123.200.16.218 203.4.187.252 157.119.236.11
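To see what the bantime, findtime and maxretry settings above actually decide, and what bantime.increment adds on top, here is an added Python model written for this page (example code, not part of fail2ban or this tutorial). It replays constructed auth.log lines through the same rule the jail applies: an address is banned once it accumulates maxretry failures inside a sliding findtime window, and, with bantime.increment on, each repeat ban lasts longer until bantime.maxtime caps it. The sample log lines, the year supplied to the syslog timestamps, the simplified "Failed password" regex standing in for fail2ban's sshd filter, and the doubling formula for repeat bans are all assumptions of the example; fail2ban's own filter and its bantime formula are more elaborate.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Debian's /var/log/auth.log (not captured traffic).
# 198.51.100.7 fails six times inside 600 s; 203.0.113.9 fails three times spread far apart.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 deb11 sshd[1201]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:00:04 deb11 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
Mar  3 10:00:09 deb11 sshd[1203]: Failed password for root from 198.51.100.7 port 50003 ssh2
Mar  3 10:00:15 deb11 sshd[1204]: Failed password for root from 198.51.100.7 port 50004 ssh2
Mar  3 10:00:21 deb11 sshd[1205]: Failed password for root from 203.0.113.9 port 50005 ssh2
Mar  3 10:00:30 deb11 sshd[1206]: Failed password for invalid user test from 198.51.100.7 port 50006 ssh2
Mar  3 10:00:42 deb11 sshd[1207]: Failed password for root from 198.51.100.7 port 50007 ssh2
Mar  3 10:00:50 deb11 sshd[1208]: Accepted publickey for deploy from 192.0.2.4 port 50008 ssh2: ED25519 SHA256:placeholder
Mar  3 10:20:00 deb11 sshd[1209]: Failed password for root from 203.0.113.9 port 50009 ssh2
Mar  3 10:45:00 deb11 sshd[1210]: Failed password for root from 203.0.113.9 port 50010 ssh2
"""

# Simplified stand-in for fail2ban's sshd filter (assumption): only the "Failed password" shape.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip) for every failed-login line.
    Syslog timestamps carry no year, so one is supplied (assumption for the sample)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def find_bans(events, maxretry=5, findtime=600):
    """Apply the jail rule: an IP is banned when it reaches `maxretry` failures
    within a sliding window of `findtime` seconds. Returns (ban_time, ip, ban_count)
    per ban, in order; the failure list restarts after each ban (example's simplification)."""
    window = timedelta(seconds=findtime)
    recent, counts, bans = {}, {}, []
    for ts, ip in sorted(events):
        hits = [t for t in recent.get(ip, []) if ts - t <= window]  # drop expired failures
        hits.append(ts)
        if len(hits) >= maxretry:
            counts[ip] = counts.get(ip, 0) + 1
            bans.append((ts, ip, counts[ip]))
            hits = []
        recent[ip] = hits
    return bans


def ban_seconds(base_bantime, ban_count, factor=2, maxtime=60 * 86400):
    """Model the growing ban that bantime.increment = true asks for. The sample file's
    comment describes the sequence banTime * 1, 2, 4, 8, ...; here the n-th ban of the
    same IP lasts base * factor**(n-1), capped at bantime.maxtime. This doubling rule is
    the example's assumption, not fail2ban's exact formula."""
    return min(base_bantime * factor ** (ban_count - 1), maxtime)


def summarize(log_text, maxretry=5, findtime=600, bantime=86400, factor=2, maxtime=60 * 86400):
    """One record per ban with its computed duration. Defaults mirror the sample
    jail.local: bantime = 24h (86400 s), findtime = 600, bantime.maxtime = 60d."""
    bans = find_bans(parse_failures(log_text), maxretry, findtime)
    return [
        {"ip": ip, "banned_at": ts.isoformat(), "ban_count": n,
         "bantime_s": ban_seconds(bantime, n, factor, maxtime)}
        for ts, ip, n in bans
    ]


if __name__ == "__main__":
    # [DEFAULT] maxretry = 5 versus the [sshd] override maxretry = 6 from the sample file
    for retries in (5, 6):
        print(f"maxretry={retries}:", summarize(SAMPLE_AUTH_LOG, maxretry=retries))
```

Running it shows why the [sshd] override matters: with the [DEFAULT] maxretry of 5 the noisy address is banned at its fifth failure (10:00:30), with the sshd jail's maxretry of 6 only at the sixth (10:00:42), while the slow address that spaces its three failures far beyond findtime is never banned at all. Tightening findtime or maxretry catches the first case sooner but not the second, which is exactly the gap bantime.increment and the longer bantime.maxtime are meant to narrow for repeat offenders.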