How to install Fail2ban on your Raspberry Pi?

When you use a Raspberry Pi in a company or have open ports on it, it’s a good idea to think a little about security.
You may not be worried about a compromised Raspberry Pi, but it can become a door into your entire network.
Fail2ban is software that detects malicious access attempts to a computer and blocks them.

Fail2ban can be installed with apt, like any Raspberry Pi OS package. The configuration files are then located under /etc/fail2ban, and editing them lets you define rules for each service hosted on the Raspberry Pi.

I will show you exactly how to do this in this post, from the theory about Fail2ban to the configuration of the main services you can monitor.

An introduction to Fail2ban

Fail2ban is mainly an intrusion prevention tool, but not only that.
It reads the service log files and uses patterns to detect malicious activity.

For example, you can check the SSH log file to list bad login and password attempts, and then block the IP address in your firewall.
Everything is done automatically, with a list of things to monitor and actions to take depending on how many matching log lines there are in the file.

But you can detect intrusion on any service, like Apache, Postfix or Asterisk.
If there is a log file where you can spot attack attempts, you can manage it with Fail2ban.

At my work, I install it each time I prepare a new Linux server, as even with the default configuration Fail2ban can do a decent job.
But it becomes a compelling tool when you know exactly what to configure on it 🙂
I will introduce this to you in this post, but don’t forget there is no limit.

Install Fail2Ban on Raspberry Pi OS

Let’s start with the Fail2ban installation on Raspberry Pi.
As I said in the introduction, it’s easy, but I will take the time in this part to also show you the configuration path and the commands you need to know.

Install RPI OS on Raspberry Pi

As often, the first step to test Fail2ban on your Raspberry Pi is to install Raspberry Pi OS on it.
I’m using Raspberry Pi OS Buster Lite, and you can install it by following this tutorial if needed.

But I don’t think the Raspberry Pi OS version will change anything about this post.
You can also use another distribution if you prefer, as Fail2ban is available on most Linux systems.

After the first start (or if you already have Raspberry Pi OS installed), make sure to do these steps before going further:

  • Change the default password: you can’t worry about security and leave the default password 🙂
    passwd
  • Update your system: same reason, make sure to be up-to-date:
    sudo apt update && sudo apt upgrade
  • Enable SSH: you can create the /boot/ssh file or just start the service:
    sudo service ssh start

Ok, you can now move to the Fail2ban installation.

Install the Fail2ban package

Fail2ban is available in the apt repository.
To install it, use this command:
sudo apt install fail2ban

That’s all 🙂
Fail2ban will start automatically with the default configuration.

Check the configuration

To complete this part, the configuration files are located in:
/etc/fail2ban

You’ll find all the default configuration files there.

We’ll go into details later, but for now here is what you need to know:

  • fail2ban.conf: The main configuration file, with default options for the Fail2ban service. You’ll probably never change it.
  • jail.conf: In this file, you’ll find the things you want to monitor (Fail2ban calls these “jails”). Basically, you define here the main configuration for a future test, like the service port and log file.
  • jail.d folder: Here you’ll create a new file for each log file to monitor, with specific options like the IP whitelist and ban duration.
  • filter.d folder: Finally, in this folder, you create or edit a filter for each service to monitor. A filter is the definition of what you are looking for in the service log file.

It’s hard to give you an overview without giving more details, but it’s an important step before the configuration part where we’ll look at this in detail 🙂

Use these commands to manage Fail2ban

To finish this, here are a few commands to know about Fail2ban:

  • sudo service fail2ban start | stop | restart | status | reload : Manage the Fail2ban service.
  • sudo fail2ban-server start | stop | restart | status | reload : Same thing, but the status command gives you additional information like the current jails enabled.
  • sudo fail2ban-client <COMMAND> : I can’t list all the available commands here, but you can use it to get or set the configuration from the command line (commands list here).

That’s all for the basic information.
Fail2ban is easy to install, but there are many things you can do with it that I can’t give you in a short post like this.

Edit the Fail2ban configuration files

Now that you know which files to check and which commands to use, I’ll teach you how to do this.
I’ll show you a basic sample, and give you ideas about other things you can secure with Fail2ban.

SSH configuration with Fail2ban

The first thing I always use on my servers is the SSH protection.
If your Raspberry Pi is open to the internet or even on a large network, basic security tips about SSH are not always enough to prevent attacks.

Fail2ban can help you to detect excessive login attempts and block corresponding IP addresses.
By default, it’s enabled as soon as you install Fail2ban.
But it’s a good exercise to check what they have done in the configuration.

  • In jail.conf
    • There are default values for bantime, findtime and maxretry.
      You can find an explanation of each one in the screenshot below.

      You can change them at the beginning of the file to apply them to all jails, or specify them for each jail if needed.
    • The name of the SSH configuration is “sshd”.
      It fits in 3 lines:

      For a basic configuration with all parameters, you just need to specify the port to check, logpath and backend.
  • For a new custom jail, you can define the logpath and backend variables in the paths-common.conf file, or simply use the entire path here.
  • To enable it, create a new file in jail.d, or add it to the default one (/etc/fail2ban/jail.d/defaults-debian.conf).
    After the installation, you just have the sshd jail here:
  • I will not include it here because it’s too long, but the regular expressions to look for are available in the filter.d/sshd.conf file.
    So for a custom check, you have to use a file from filter.d/ or add a new one.

That’s everything you need to know about a basic configuration.
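How maxretry, findtime and bantime interact when a filter pattern is applied to a log, as an added example that is not from the original post or from the Fail2ban project. The jail values, the simplified failure pattern, the log lines and the find_bans helper are all constructed for illustration; a host is banned once it reaches maxretry failures inside the findtime window, and addresses listed in ignoreip are never counted.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed samples: a jail fragment (times in seconds) and sshd log lines.
JAIL = """
[sshd]
maxretry = 3
findtime = 600
bantime = 3600
ignoreip = 127.0.0.1 192.0.2.10
"""
# Simplified pattern (an assumption); <HOST> is Fail2ban's client-address tag.
FAILREGEX = r"Failed password for .* from <HOST> port \d+"
LOG = """\
2024-05-01T10:00:00 pi sshd[1]: Failed password for root from 203.0.113.7 port 4001 ssh2
2024-05-01T10:00:20 pi sshd[2]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
2024-05-01T10:00:40 pi sshd[3]: Failed password for root from 203.0.113.7 port 4003 ssh2
2024-05-01T10:05:00 pi sshd[4]: Failed password for pi from 198.51.100.9 port 4004 ssh2
2024-05-01T10:12:00 pi sshd[5]: Failed password for pi from 198.51.100.9 port 4005 ssh2
2024-05-01T10:16:00 pi sshd[6]: Failed password for pi from 198.51.100.9 port 4006 ssh2
2024-05-01T10:20:00 pi sshd[7]: Failed password for pi from 192.0.2.10 port 4007 ssh2
2024-05-01T10:20:05 pi sshd[8]: Failed password for pi from 192.0.2.10 port 4008 ssh2
2024-05-01T10:20:09 pi sshd[9]: Failed password for pi from 192.0.2.10 port 4009 ssh2
"""

def find_bans(jail_text=JAIL, log_text=LOG):
    """Return (host, ban time, bantime) for hosts reaching maxretry within findtime."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_text)
    opts = cfg["sshd"]
    maxretry, findtime = opts.getint("maxretry"), opts.getint("findtime")
    ignored = set(opts.get("ignoreip", "").split())  # exact addresses only
    pattern = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
    recent = defaultdict(deque)  # host -> failure times still inside findtime
    bans = []
    for line in log_text.splitlines():
        if not (m := pattern.search(line)) or m["host"] in ignored:
            continue
        ts = datetime.fromisoformat(line.split()[0])
        q = recent[m["host"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # older than findtime, no longer counted
        if len(q) >= maxretry:
            bans.append((m["host"], ts.isoformat(), opts.getint("bantime")))
            q.clear()
    return bans
```

With these samples only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first failure is more than 600 seconds older than its third, and 192.0.2.10 is listed in ignoreip.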

Other services you can configure on Fail2ban

Once you understand how Fail2ban works, you can try to enable or implement it for other services.

I recommend checking the jail and filter folders directly, as there are already many existing files you can use easily.

Unless you have a very specific service you want to add, you’ll find what you need here most of the time (Nginx, Asterisk, FTP server, …).

You can also check the web for specific ideas other people may have already done and shared.
For example, you can find HOWTO guides on the Fail2ban wiki for many additional services.
You can also find more help about Fail2ban on this wiki.

Conclusion

That’s the end of my introduction about Fail2ban.
As with many services on Linux and Raspberry Pi, you’ll need to try it to know exactly how it works, and add your first services to gain experience.

If security is an important topic for you (on Raspberry Pi or Linux), I also recommend checking my 17 security tips to secure Linux systems.

2 Comments

  1. Thank you for pointing me to fail2ban! Although it would be great if at the beginning you made clear immediately if _defaults_ after installation are already OK, meaning enabled with sensible default parameters (raspi 4 here, Raspbian OS, SSH main concern as well as any possible entry the OS might have).

    1. fail2ban is good “out of the box”. SSH is the only permitted service, maxretries is 3 in some places and 6 in others, I prefer 3. Default bantime is -1 which means forever. I suggest cp jail.conf to jail.local (in same directory) and edit jail.local as needed, I understand fail2ban checks jail.conf first and then jail.local if it exists.
