fail2ban initial setup - guidance
Installing f2b (fail2ban) on Debian is fairly simple. I had written about it in a post before (https://dev.slickalpha.blog/2019/11/installing-lemp-stack-on-debian-buster.html#sv-fail2ban).
First, install f2b:
apt install fail2ban -y
Copy the config to a local override (edit jail.local rather than jail.conf, which the package replaces on upgrade):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
and make your edits in the local file:
nano /etc/fail2ban/jail.local
Update the default values. All three are in seconds (86400 is 24 hours), and the sshd jail for port 22 is already enabled on Debian through /etc/fail2ban/jail.d/defaults-debian.conf:
[DEFAULT]
...
# MISCELLANEOUS OPTIONS...
bantime = 86400
findtime = 86400
maxretry = 2
maxretry = 2 is strict: two mistyped passwords from your own address lock it out for a day, so add your management IP to ignoreip under [DEFAULT] if that matters. Then restart f2b (on a systemd host, systemctl restart fail2ban does the same):
/etc/init.d/fail2ban restart
Check the status of the sshd jail; it lists the currently banned IPs:
fail2ban-client status sshd
Apart from this, key-based SSH login (a passphrase-protected key, with PasswordAuthentication set to no in sshd_config so there is no password left to brute-force) should be enough. You can always fine-tune f2b further.
Update:
Fail2ban scans log files with regex filters, pulls the source IP out of each matching line, and bans an IP that matches too often within findtime by adding firewall rules (iptables by default).
To list the enabled jails (a jail ties a filter's regexes to a log file, a port and a ban action):
fail2ban-client status
To defend a custom port or service, first check whether a filter (the regex set for that service) already exists:
ls /etc/fail2ban/filter.d
If one is present, say jail-name.conf, just enable the matching jail in the f2b local file:
nano /etc/fail2ban/jail.local
using the syntax
[jail-name]
..options..
For example, if sshd were not enabled, add enabled = true to the sshd jail (and, if sshd listens on a non-default port, set port in the same section):
[sshd]
enabled = true
....
To test a filter against your logs (fail2ban-regex reports how many lines matched and how many were missed) and fix the regex if it misses lines:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
If no filter exists for the service or port, look online for one, add it to /etc/fail2ban/filter.d, and enable a jail for it in the local config file with the right logpath and port, then restart f2b as above.
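As an added illustration (not fail2ban's own code, and not part of the original post), the script below models what a filter and a jail do: it runs a simplified sshd failregex written with fail2ban's <HOST> placeholder over a few constructed auth.log lines, counts failures per IP inside a findtime window, and bans at maxretry. The regex, the log lines and the function names are all assumptions for this example; the real filter in filter.d/sshd.conf carries many more patterns and prefix handling. Running it with the post's values (maxretry = 2, findtime = 86400) shows why the window matters: one of the IPs is only banned once two of its failures fall within 24 hours of each other.

```python
"""Toy model of fail2ban's filter + jail logic over constructed log lines.

Added example, not fail2ban's own code. It mimics what the post relies on:
  * a filter: a failregex using fail2ban's <HOST> placeholder, expanded to a
    named IPv4 group before compiling (simplified; fail2ban also does IPv6);
  * a jail: count matches per IP and ban once `maxretry` failures fall
    inside a trailing `findtime` window;
  * ban expiry after `bantime` seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified sshd failregex (assumption: the shipped filter.d/sshd.conf
# has several more patterns; this one covers "Failed password" lines only).
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"

# Constructed auth.log lines for the example (RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 10:01:00 host sshd[1003]: Accepted publickey for deploy from 198.51.100.2 port 50000 ssh2: ED25519 SHA256:abc
Jan 10 10:02:00 host sshd[1004]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
Jan 12 10:03:00 host sshd[1005]: Failed password for invalid user test from 198.51.100.9 port 40011 ssh2
Jan 12 10:04:00 host sshd[1006]: Failed password for root from 198.51.100.9 port 40012 ssh2
""".splitlines()


def expand_host(failregex: str) -> re.Pattern:
    """Replace <HOST> with a named IPv4 capture group."""
    host = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
    return re.compile(failregex.replace("<HOST>", host))


def parse_syslog_time(line: str, year: int = 2024) -> float:
    """Epoch seconds from the 'Mon DD HH:MM:SS' prefix of a classic auth.log line."""
    stamp = line[:15]
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


def find_failures(lines, failregex=FAILREGEX):
    """What `fail2ban-regex LOG FILTER` does: yield (timestamp, host) per matching line."""
    pattern = expand_host(failregex)
    for line in lines:
        m = pattern.search(line)
        if m:
            yield parse_syslog_time(line), m.group("host")


def run_jail(lines, maxretry=2, findtime=86400, bantime=86400):
    """Return ban events as [(ip, timestamp), ...] in the order they would fire.

    Only failures within the trailing findtime window count toward maxretry;
    a banned IP's further failures are ignored until bantime has elapsed.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    active = {}                   # ip -> ban start time
    events = []
    for ts, ip in sorted(find_failures(lines)):
        # lift bans whose bantime has run out
        for b_ip, started in list(active.items()):
            if ts - started >= bantime:
                del active[b_ip]
        if ip in active:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            active[ip] = ts
            events.append((ip, ts))
            window.clear()
    return events


if __name__ == "__main__":
    for ip, ts in run_jail(SAMPLE_AUTH_LOG):
        print(f"ban {ip} at {datetime.fromtimestamp(ts):%b %d %H:%M:%S}")
```

With the post's settings 203.0.113.7 is banned on its second failure, while 198.51.100.9's first failure on Jan 10 has aged out by Jan 12, so it is banned only on its third line; widening findtime to three days bans it on the second. Raising maxretry to 5 bans nobody in this log, which is the trade-off the post's maxretry = 2 is making.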