How To Secure SSH with Fail2Ban on Debian 11

Debian 11, the latest version of the renowned Linux distribution, is an excellent choice for hosting servers due to its robustness and reliability. However, even the most secure operating system requires diligent safeguarding. One of the fundamental steps in securing your server is protecting your SSH service. In this comprehensive guide, we’ll walk you through the process configuration of how to protect and Secure SSH with Fail2Ban on Debian 11

What is SSH and Why Secure It?

Basically SSH (Secure Shell) is a protocol that allows you to access a remote server securely. It’s a fundamental tool for server administration, file transfers, and more. However, SSH can be a prime target for malicious actors trying to gain unauthorized access to your server.

By securing SSH, you ensure that only authorized users can connect to your server, reducing the risk of intrusion and potential data breaches. Fail2Ban is a robust and user-friendly tool that helps achieve this.

Prerequisites

Before we dive into how to protect and Secure SSH with Fail2Ban on Debian 11, make sure you have the following:

• An active Debian 11 server and a regular user with sudo privileges. If you’re unsure about how to create a user with these privileges, feel free to check out our guide on Initial Setup Ubuntu Server 22.04: Secure and Efficient.
• If you’d like to test the ban functionality intentionally, you may also want to have a second server ready to connect to your primary server.

Installing Fail2Ban

Before we dive into protecting SSH, we need to install Fail2Ban. Open your terminal and run the following command:

$ sudo apt update
$ sudo apt install fail2ban

This will install Fail2Ban on your Debian 11 server. After installation, Fail2ban will automatically establish a background service. Nonetheless, it remains deactivated by default due to the potential undesirable consequences of some default settings. You can confirm this status by employing the ‘systemctl’ following command.

$ systemctl status fail2ban.service

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled
     Active: active (running) since Tue 2023-10-29 12:42:10 UTC; 17s ago
       Docs: man:fail2ban(1)
    Process: 1969 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS
   Main PID: 1970 (fail2ban-server)
      Tasks: 5 (limit: 1125)
     Memory: 15.8M
        CPU: 255ms
     CGroup: /system.slice/fail2ban.service
             └─1970 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

You have the option to enable Fail2ban immediately; however, it’s a good idea to first explore some of its features.

Once the installation is complete, we can proceed with the configuration.

Secure SSH with Fail2Ban

SSH Configuration

Open the SSH configuration file by running:

$ sudo nano /etc/ssh/sshd_config

Find the following line and set the value to ‘yes’:

PasswordAuthentication no

This ensures that password-based authentication is disabled, making your server more secure.

Fail2Ban Configuration

Now, let’s configure Fail2Ban to monitor SSH. Create a custom configuration file for SSH by running:

$ sudo nano /etc/fail2ban/jail.d/ssh.local

Add the following content to the file:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 1800
ignoreip = 127.0.0.1/8

This configuration establishes a Fail2ban jail titled “[sshd]” designed to safeguard the SSH (Secure Shell) service. Let’s dissect each element:

• enabled = true: This line affirms that the “[sshd]” jail is in an active state, signifying that it actively monitors and guards against unauthorized access attempts.
• port = ssh: This indicates the specific port number, which is typically 22, where the SSH service operates. Fail2ban diligently watches this port for any suspicious activities.
• filter = sshd: This points to the name of the filter that needs to be applied to supervise the SSH service. The filter rules articulate what events to scrutinize and how to identify potentially malicious behaviors.
• logpath = /var/log/auth.log: This pinpoints the location of the log file, typically found at /var/log/auth.log, where authentication-related SSH events are documented. Fail2ban diligently scans this log file for signs of unauthorized access attempts.
• maxretry = 3: This establishes the threshold for the maximum number of allowable failed login attempts before Fail2ban takes responsive action. If there are three or more consecutive failed attempts originating from the same IP address, Fail2ban will intervene.
• bantime = 1800: This dictates the duration, measured in seconds, for which an IP address remains banned once it surpasses the maximum threshold for failed attempts. In this case, the ban endures for 1800 seconds, which equates to 30 minutes.
• ignoreip = 127.0.0.1/8: Any attempts originating from these listed IP addresses will not be counted towards the maximum retry count. Notably, localhost (127.0.0.1) is included in this list. This configuration is crucial as it prevents you from accidentally locking yourself out of your own Fail2ban server.

Restart Services

Now, restart both the SSH and Fail2Ban services:

$ sudo systemctl restart ssh
$ sudo systemctl restart fail2ban

Fail2Ban is now configured to protect your SSH service. If an IP address exceeds the maximum login attempts, it will be temporarily banned.

Checking Fail2Ban Status

To check the status of Fail2Ban and monitor banned IP addresses, run the following command:

$ sudo fail2ban-client status sshd

You will see a list of banned IP addresses and their corresponding jails.

Customizing Fail2Ban Settings

If you wish to customize configuration Fail2Ban’s settings, you can edit the /etc/fail2ban/jail.local file. This file allows you to change parameters like the number of allowed retries and the ban duration.

Conclusion

By following this straightforward guide, you’ve learned how to secure SSH with Fail2Ban on Debian 11. Your server is now better protected against unauthorized access, reducing the risk of security breaches.

First thing to remember, server security is an ongoing process. Regularly updating your server and monitoring your logs is essential to maintaining a secure environment. Keep your Debian 11 server and SSH access safe with the power of Fail2Ban.

To Sum It Up

• Debian 11 is a stable choice for hosting servers.
• SSH is a secure protocol for remote server access.
• Fail2Ban is an essential tool for protecting SSH from unauthorized access.
• The installation and configuration of Fail2Ban are straightforward.
• Regularly monitor your server to maintain a secure environment.

Also Read Our Other Guides :

• How To Secure SSH with Fail2Ban on Ubuntu 22.04
• How To Secure SSH with Fail2Ban on CentOS 7
• How To Secure SSH with Fail2Ban on Rocky Linux 9

Finally, now you have learned how to protect and Secure SSH with Fail2Ban, bolster your server’s security, and keep your data safe on Debian 11.