When you use a Raspberry Pi in a company or have open ports on it, it’s a good idea to think a little about security.
You may not be worried about a compromised Raspberry Pi, but it can become a door into your entire network.
Fail2ban is software that detects malicious access attempts to a computer and blocks them.
Fail2ban can be installed with apt, like any other Raspberry Pi OS package. The configuration files are then under /etc/fail2ban. Editing them lets you define rules for each service hosted on the Raspberry Pi.
I will show you exactly how to do this in this post, from the theory about Fail2ban to the configuration of the main services you can monitor.
An introduction to Fail2ban
Fail2ban is mainly an intrusion prevention tool, but not only that.
It works on the services' log files and uses patterns to detect malicious activity.
For example, it can check the SSH log file for failed login and password attempts, and then block the offending IP address in your firewall.
Everything is done automatically, with a list of things to monitor and actions to take depending on how many matching log lines appear in the file.
At my work, I install it each time I prepare a new Linux server, as even with the default configuration Fail2ban can do a decent job.
But it becomes a compelling tool when you know exactly what to configure on it 🙂
I will introduce this to you in this post, but don’t forget there is no limit.
Install Fail2Ban on Raspberry Pi OS
Let’s start with the Fail2ban installation on Raspberry Pi.
As I said in the introduction, it’s easy, but I will take the time in this part to also show you the configuration path and the commands you need to know.
Install RPI OS on Raspberry Pi
As often, the first step to test Fail2ban on your Raspberry Pi is to install Raspberry Pi OS on it.
I’m using Raspberry Pi OS Buster Lite, and you can install it by following this tutorial if needed.
But I don’t think the Raspberry Pi OS version will change anything about this post.
You can also use another distribution if you prefer, as Fail2ban is available on most Linux systems.
After the first start (or if you already have Raspberry Pi OS installed), make sure to do these steps before going further:
- Change the default password: you can’t worry about security and leave the default password 🙂
- Update your system: same reason, make sure to be up-to-date:
sudo apt update && sudo apt upgrade
- Enable SSH: you can create the /boot/ssh file or just start the service:
sudo service ssh start
Ok, you can now move to the Fail2ban installation.
Install the Fail2ban package
Fail2ban is available in the apt repository.
To install it, use this command:
sudo apt install fail2ban
That’s all 🙂
Fail2ban will start automatically with the default configuration.
Check the configuration
To complete this part, the configuration files are located under /etc/fail2ban.
You'll find all the default configuration files there.
We’ll go into details later, but for now here is what you need to know:
- fail2ban.conf: It’s the main configuration file with default options for the fail2ban service. You’ll probably never change this.
- jail.conf: In this file, you'll find the things you want to monitor (Fail2ban calls these "jails"). Basically, you define here the main configuration for a future test, like the service port and log file.
- jail.d folder: Here you'll create a new file for each log file to monitor, with specific options like IP whitelist and ban duration.
- filter.d folder: Finally, in this folder, you create or edit a filter for each service to monitor. A filter is the definition of what you are looking for in the service log file.
It’s hard to give you an overview without giving more details, but it’s an important step before the configuration part where we’ll look at this in detail 🙂
Use these commands to manage Fail2ban
To finish this, here are a few commands to know about Fail2ban:
- sudo service fail2ban start | stop | restart | status | reload : Manage the Fail2ban service.
- sudo fail2ban-server start | stop | restart | status | reload : Same thing, but the status command gives you additional information like the current jails enabled.
- sudo fail2ban-client <COMMAND> : I can’t give you all the commands available here, but you can use it to get or set the configuration in command line (commands list here).
That’s all for the basic information.
Fail2ban is easy to install, but there are many things you can do with it that I can’t give you in a short post like this.
Edit the Fail2ban configuration files
Now that you know which files to check and which commands to use, I'll teach you how to do this.
I’ll show you a basic sample, and give you ideas about other things you can secure with Fail2ban.
SSH configuration with Fail2ban
The first thing I always use on my servers is the SSH protection.
If your Raspberry Pi is open to the internet or even on a large network, basic security tips about SSH are not always enough to prevent attacks.
Fail2ban can help you detect excessive login attempts and block the corresponding IP addresses.
By default, this protection is enabled as soon as you install Fail2ban.
But it's a good exercise to check how it is set up in the configuration.
- In jail.conf
- There are default values for bantime, findtime and maxretry.
You can find an explanation of each one in the screenshot below.
You can change them at the beginning of the file to apply them to all jails, or specify them for each jail if needed.
- The name of the SSH configuration is “sshd”.
It fits in 3 lines :
For a basic configuration with all parameters, you just need to specify the port to check, logpath and backend.
- For a new custom jail, you can set the logpath and backend variables in the paths-common.conf file, or simply use the entire path here.
- To enable it, create a new file in jail.d, or add it to the default one (/etc/fail2ban/jail.d/defaults-debian.conf).
After the installation, you just have the sshd jail here :
- I will not include it here because it's too long, but the regular expressions to look for are available in the filter.d/sshd.conf file.
So for a custom check, you have to use a file from filter.d/ or add a new one.
That’s everything you need to know about a basic configuration.
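How maxretry, findtime, bantime and the IP whitelist interact when Fail2ban reads a log, shown as an added example that is not part of the original post or of Fail2ban's own code. The jail values, the IP addresses and the simplified regular expression (a stand-in for the patterns in filter.d/sshd.conf) are assumptions made for the illustration.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed jail in the jail.d style; the values are examples, not packaged defaults.
JAIL_CONF = """
[sshd]
maxretry = 3
findtime = 600
bantime = 3600
ignoreip = 127.0.0.1 192.168.1.10
"""

# Constructed auth.log lines using documentation-range addresses.
LOG = """\
Mar 10 10:00:01 raspberrypi sshd[811]: Failed password for pi from 203.0.113.7 port 50112 ssh2
Mar 10 10:00:05 raspberrypi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50113 ssh2
Mar 10 10:00:09 raspberrypi sshd[811]: Failed password for pi from 203.0.113.7 port 50114 ssh2
Mar 10 10:01:00 raspberrypi sshd[812]: Failed password for pi from 198.51.100.23 port 40100 ssh2
Mar 10 10:02:00 raspberrypi sshd[813]: Failed password for pi from 192.168.1.10 port 40200 ssh2
Mar 10 10:02:05 raspberrypi sshd[813]: Failed password for pi from 192.168.1.10 port 40201 ssh2
Mar 10 10:02:09 raspberrypi sshd[813]: Failed password for pi from 192.168.1.10 port 40202 ssh2
Mar 10 10:05:00 raspberrypi sshd[812]: Failed password for pi from 198.51.100.23 port 40101 ssh2
Mar 10 10:20:00 raspberrypi sshd[812]: Failed password for pi from 198.51.100.23 port 40102 ssh2
Mar 10 10:21:00 raspberrypi sshd[814]: Accepted password for pi from 192.168.1.10 port 40203 ssh2
"""

# Simplified stand-in for filter.d/sshd.conf, which covers many more messages.
FAILREGEX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?\S+ from (\S+) port", re.MULTILINE)

def simulate(conf_text, log_text, year=2024):
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    jail = cp["sshd"]
    findtime = timedelta(seconds=jail.getint("findtime"))
    bantime = timedelta(seconds=jail.getint("bantime"))
    ignored = jail.get("ignoreip", fallback="").split()
    failures, bans = defaultdict(list), {}
    for stamp, ip in FAILREGEX.findall(log_text):
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if ip in ignored or (ip in bans and ts < bans[ip][1]):
            continue  # whitelisted, or still inside its bantime
        failures[ip] = [t for t in failures[ip] if ts - t <= findtime] + [ts]
        if len(failures[ip]) >= jail.getint("maxretry"):
            bans[ip] = (ts, ts + bantime)  # ban starts now, lifts after bantime
            failures[ip] = []
    return bans
```

Calling simulate(JAIL_CONF, LOG) returns a dictionary mapping each banned address to its ban and unban times. Only 203.0.113.7 is banned: 198.51.100.23 also fails three times, but never three times inside one findtime window, and 192.168.1.10 is whitelisted.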
Other services you can configure on Fail2ban
Once you understand how Fail2ban works, you can try to enable or implement it for other services.
I recommend checking directly in the jail and filter folders, as there are already many existing files you can use easily:
Unless you have a very specific service you want to add, you'll find what you need here most of the time (NginX, Asterisk, FTP server, …).
You can also check the web for specific ideas other people may have already implemented and shared.
For example, you can find HOWTO guides on the Fail2ban wiki for many additional services.
You can also find more help about Fail2ban on this wiki.
That’s the end of my introduction about Fail2ban.
As with many services on Linux and Raspberry Pi, you'll need to try it to know exactly how it works, and add your first services to gain experience.
If security is an important topic for you (on Raspberry Pi or Linux), I also recommend checking my 17 security tips to secure Linux systems.