How to install Fail2ban on your Raspberry Pi?


When you use a Raspberry Pi in a company or have open ports on it, it’s a good idea to think a little about security
In our world, protecting our devices is key
You may not be worried about a compromised Raspberry Pi, but it can become an easy door into your entire network
Fail2ban is easy to install on any Linux system, and will improve security if properly configured

How to install Fail2ban on your Raspberry Pi?
Fail2ban allows you to detect malicious access attempts to your device, and block them
The installation can be done like any Raspbian package, using apt
But the difficulty comes from the configuration

I will show you exactly how to do this in this post, from the theory about Fail2ban to the configuration of the main services you can monitor

What is Fail2ban?

Fail2ban is mainly an intrusion prevention tool, but not only that
It works on the services' log files, and uses patterns to detect malicious activity

For example, you can check the SSH log file to list bad login and password attempts, and then block the IP address in your firewall
Everything is done automatically, with a list of things to monitor, and actions to take depending on how many log lines there are in the file

But you can detect intrusion on any service, like Apache, Postfix or Asterisk
If there is a log file where you can spot attack attempts, you can manage it with Fail2ban

At my work, I install it each time I prepare a new Linux server, as even with the default configuration Fail2ban can do a decent job
But it becomes a compelling tool when you know exactly what to configure on it 🙂
I will introduce this to you in this post, but don’t forget there is no limit

Fail2ban installation

Let’s start with the Fail2ban installation on Raspberry Pi
As I said in the introduction, it’s easy, but I will take the time in this part to also show you the configuration path and the commands you need to know

Install Raspbian on your Raspberry Pi

As often, the first step to test Fail2ban on your Raspberry Pi is to install Raspbian on it
I’m using Raspbian Buster Lite, and you can install it by following this tutorial if needed

But I don’t think the Raspbian version will change anything about this post
You can also use another distribution if you prefer, as Fail2ban is available on most Linux systems

After the first start (or if you already have Raspbian installed), make sure to do these steps before going further:

  • Change the default password: you can’t worry about security and leave the default password 🙂
    passwd
  • Update your system: same reason, make sure to be up to date
    sudo apt update && sudo apt upgrade
  • Enable SSH: you can create the /boot/ssh file or just start the service
    sudo service ssh start

Ok, you can now move to the Fail2ban installation

Install Fail2ban

Fail2ban is available in the apt repository
To install it, use this command:
sudo apt install fail2ban

That’s all 🙂
Fail2ban will start automatically with the default configuration

Main configuration files

To complete this part, the configuration files are located in:
/etc/fail2ban

You’ll find all the default configuration files here:

We’ll go into details later, but for now here is what you need to know:

  • fail2ban.conf: It’s the main configuration file with default options for the fail2ban service. You’ll probably never change this
  • jail.conf: In this file, you’ll find the things you want to monitor (Fail2ban calls these “jails”). Basically, you define here the main configuration for a future test, like the service port and log file
  • jail.d folder: You’ll create here a new file for each log file to monitor, with specific options like IP whitelist and ban duration
  • filter.d folder: Finally, in this folder you create or edit a filter for each service to monitor. A filter is the definition of what you are looking for in the service log file

It’s hard to give you an overview without giving more details, but it’s an important step before the configuration part where we’ll look at this in detail 🙂

Fail2ban useful commands

To finish this, here are a few commands to know about Fail2ban:

  • sudo service fail2ban start | stop | restart | status | reload: Manage the Fail2ban service
  • sudo fail2ban-server start | stop | restart | status | reload: Same thing, but the status command gives you additional information like the currently enabled jails
  • sudo fail2ban-client <COMMAND>: I can’t give you all the commands available here, but you can use it to get or set the configuration from the command line (commands list here)

That’s all for the basic information
Fail2ban is easy to install but there are many things you can do with it that I can’t give you in a short post like this

Fail2ban configuration

Now that you know which files to check and which commands to use, I’ll teach you how to do this
I’ll show you a basic sample, and give you ideas about other things you can secure with Fail2ban

SSH configuration with Fail2ban

The first thing I always use on my servers is the SSH protection
If your Raspberry Pi is open to the internet or even on a large network, basic security tips about SSH are not always enough to prevent attacks

Fail2ban can help you to detect excessive login attempts and block corresponding IP addresses
By default, it’s enabled as soon as you install Fail2ban
But it’s a good exercise to check what the default configuration does

  • In jail.conf
    • There are default values for bantime, findtime and maxretry
      You can find an explanation of each one in the screenshot below

      You can change them at the beginning of the file to apply them to all jails, or specify them for each jail if needed
    • The name of the SSH configuration is “sshd”
      It fits in 3 lines:

      For a basic configuration with all parameters, you just need to specify the port to check, the logpath and the backend
  • For a new custom jail, you can set the logpath and backend variables from the paths-common.conf file, or simply use the entire path here
  • To enable it, create a new file in jail.d, or add it to the default one (/etc/fail2ban/jail.d/defaults-debian.conf)
    After the installation, you just have the sshd jail here:
  • I will not include it here because it’s too long, but the regular expressions to look for are available in the filter.d/sshd.conf file
    So for a custom check you have to use a file from filter.d/ or add a new one
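Here is an added example (my own script, not part of the original post) that puts the points above into practice: it writes a jail.d drop-in that overrides the sshd defaults for bantime, findtime and maxretry, whitelists the LAN with ignoreip, then reloads Fail2ban and queries the jail with fail2ban-client. The FAIL2BAN_ROOT variable and the 192.168.1.0/24 LAN range are assumptions to adjust to your setup.

```shell
#!/bin/sh
# Added example (not the post's own code): tune the sshd jail with a drop-in file.
# FAIL2BAN_ROOT is assumed; it defaults to /etc/fail2ban and can point elsewhere for a dry run.
set -eu

FAIL2BAN_ROOT="${FAIL2BAN_ROOT:-/etc/fail2ban}"

# Write jail.d/sshd-custom.conf. Drop-ins in jail.d override jail.conf and survive
# package upgrades, so local settings belong here rather than in jail.conf itself.
write_sshd_jail() {
    root="$1"
    mkdir -p "$root/jail.d"
    cat > "$root/jail.d/sshd-custom.conf" <<'EOF'
[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
# 3 failed logins within 10 minutes => ban the source for 1 hour
maxretry = 3
findtime = 10m
bantime  = 1h
# never ban localhost or the LAN (assumed LAN range, change it to yours)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
EOF
    echo "$root/jail.d/sshd-custom.conf"
}

# Read one key back from the drop-in so the written values can be checked.
jail_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

apply_sshd_jail() {
    file=$(write_sshd_jail "$1")
    echo "wrote $file (maxretry=$(jail_value "$file" maxretry))"
    # Only reload and query when Fail2ban is really installed on this host.
    if command -v fail2ban-client >/dev/null 2>&1; then
        sudo fail2ban-client reload
        sudo fail2ban-client status sshd        # shows currently banned IPs
        sudo fail2ban-client get sshd maxretry  # confirms the override is active
    fi
}

# Usage: sudo ./sshd-jail.sh apply   (without "apply" the functions are only defined)
if [ "${1:-}" = "apply" ]; then
    apply_sshd_jail "$FAIL2BAN_ROOT"
fi
```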

That’s everything you need to know about a basic configuration

Other services you can configure on Fail2ban

Once you understand how Fail2ban works, you can try to enable or implement it for other services

I recommend checking directly in the jail.d and filter.d folders, as there are already many existing files you can use easily:


Unless you have a very specific service you want to add, you’ll most of the time find what you need here (Nginx, Asterisk, FTP server, …)
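For the case where the service is not covered by the shipped filters, here is an added example (my own, not from the post or the Fail2ban project) of writing a filter.d file plus its jail, and checking the failregex before enabling it. The service "myapp", its log format and the sample log lines are all constructed for the example; the offline check translates the Fail2ban pattern to a plain grep regex, while fail2ban-regex is used when it is installed.

```shell
#!/bin/sh
# Added example (not the post's own code): custom filter for a hypothetical service "myapp".
set -eu

# Constructed sample log: two failed logins from one host, one successful login.
SAMPLE_LOG='2024-05-01 10:00:01 myapp[812]: authentication failed for user admin from 203.0.113.7
2024-05-01 10:00:05 myapp[812]: authentication failed for user root from 203.0.113.7
2024-05-01 10:00:09 myapp[812]: login ok for user pi from 192.168.1.20'

# Fail2ban failregex (Python regex syntax); <HOST> is replaced by Fail2ban with
# a pattern matching the offending IP address, which is what gets banned.
FAILREGEX='^.*myapp\[\d+\]: authentication failed for user \S+ from <HOST>$'

# Write filter.d/myapp.conf and jail.d/myapp.conf under the given Fail2ban root.
write_myapp_filter() {
    mkdir -p "$1/filter.d" "$1/jail.d"
    cat > "$1/filter.d/myapp.conf" <<EOF
[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
    cat > "$1/jail.d/myapp.conf" <<'EOF'
[myapp]
enabled  = true
port     = 8443
filter   = myapp
logpath  = /var/log/myapp.log
maxretry = 3
EOF
    # Preferred check when Fail2ban is installed: it reports matched lines and hosts.
    if command -v fail2ban-regex >/dev/null 2>&1; then
        printf '%s\n' "$SAMPLE_LOG" > "$1/myapp-sample.log"
        fail2ban-regex "$1/myapp-sample.log" "$1/filter.d/myapp.conf"
    fi
}

# Offline check of the same pattern with grep: <HOST> becomes an IPv4 group,
# \d and \S become POSIX classes. Prints the number of lines that would be hits.
count_failures() {
    pattern=$(printf '%s' "$FAILREGEX" | sed 's/<HOST>/[0-9.]+/; s/\\d/[0-9]/g; s/\\S/[^ ]/g')
    printf '%s\n' "$SAMPLE_LOG" | grep -cE "$pattern" || true
}
```

Two hits from the same host with maxretry = 3 would not yet trigger a ban; a third failure within findtime would.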

You can also check the web for specific ideas other people may have already done and shared
For example, you can find HOWTO guides on the Fail2ban wiki for many additional services
You can also find more help about Fail2ban on this wiki

Conclusion

That’s the end of my introduction about Fail2ban
As with many services on Linux and Raspberry Pi, you’ll need to try it to know exactly how it works, and add your first services to gain experience

If you have a few services or jails you want to share that can be useful on a Raspberry Pi, feel free to leave a comment below
This can help a lot the Raspberry Pi community!

If security is an important topic for you (on Raspberry Pi or Linux), I also recommend checking my 17 security tips to secure Linux systems
