What is Fail2Ban
Fail2Ban is intrusion prevention software (IPS) that scans your server's log files for authentication failures and blacklists the IP addresses that cause them. Such malicious IPs are blocked at the firewall level for a defined period. Usually, Fail2Ban uses iptables to block IPs.
I'm a Debian guy :) and this is why this tutorial covers Debian 10. If you use another Linux distribution, you must adjust this tutorial to the specifics of your distribution.
I also assume that you have a correctly installed and configured SSH server.
Step by step installation and configuration guide
You can install Fail2Ban with apt-get:
sudo apt-get install fail2ban
Press y when apt-get asks you to continue. Depending on your hardware, the installation should take a few seconds.
It is a good habit not to change the default configuration file, mostly for compatibility with future Fail2Ban upgrades: settings in jail.local override those in jail.conf, and jail.conf is replaced on upgrade. So the first thing you need to do is to create your local config file. You can create an empty file or you can copy the default configuration.
# if you want to have an empty file just create it:
sudo touch /etc/fail2ban/jail.local
# or copy the current one:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now add or edit the sshd jail in your local configuration so that it contains:
[sshd]
# if you use a port other than 22 for ssh add it here.
port = ssh,2222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
Your first line of protection is ready to be started. Before you do it, be sure you will still be able to access your server in case something goes wrong. Remember that by default an IP is blacklisted for 10 minutes after 5 failed login attempts within 10 minutes. You can tune this in your jail.local file by adjusting the values below:
[DEFAULT]
# change 192.168.1.1 to your IP so you will not lock yourself out
ignoreip = 192.168.1.1
bantime = 10m
findtime = 10m
maxretry = 5
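To make the interplay of ignoreip, findtime, maxretry and bantime concrete, here is a small added Python model of the sshd jail. It is not Fail2Ban's own code and simplifies its behaviour (one fixed failregex for "Failed password" lines, a plain sliding window, no incremental bans); it reads the same keys from a jail.local-style fragment and replays constructed Debian-style auth.log lines, so the IP addresses, hostnames and timestamps are invented sample data.

```python
"""Toy model of a Fail2Ban sshd jail (added example, not Fail2Ban code).

Counts failed logins per source IP inside a sliding findtime window and
records a ban for bantime once maxretry failures fall within that window.
Addresses in ignoreip are never counted.
"""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local fragment using the keys from the tutorial.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 192.168.1.1
bantime = 10m
findtime = 10m
maxretry = 5

[sshd]
port = ssh,2222
enabled = true
"""

# Constructed /var/log/auth.log lines (RFC 5737 documentation addresses).
# 203.0.113.7: five failures in 16 seconds -> banned on the fifth.
# 192.168.1.1: five failures, but it is in ignoreip -> never banned.
# 198.51.100.4: four quick failures, then one 12 minutes later -> the early
#               ones have aged out of the 10m window, so no ban.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  1 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  1 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  1 10:00:13 host sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar  1 10:00:17 host sshd[1005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar  1 10:05:00 host sshd[1006]: Failed password for root from 192.168.1.1 port 50006 ssh2
Mar  1 10:05:02 host sshd[1007]: Failed password for root from 192.168.1.1 port 50007 ssh2
Mar  1 10:05:04 host sshd[1008]: Failed password for root from 192.168.1.1 port 50008 ssh2
Mar  1 10:05:06 host sshd[1009]: Failed password for root from 192.168.1.1 port 50009 ssh2
Mar  1 10:05:08 host sshd[1010]: Failed password for root from 192.168.1.1 port 50010 ssh2
Mar  1 10:20:00 host sshd[1011]: Failed password for root from 198.51.100.4 port 50011 ssh2
Mar  1 10:20:30 host sshd[1012]: Failed password for root from 198.51.100.4 port 50012 ssh2
Mar  1 10:21:00 host sshd[1013]: Failed password for root from 198.51.100.4 port 50013 ssh2
Mar  1 10:21:30 host sshd[1014]: Failed password for root from 198.51.100.4 port 50014 ssh2
Mar  1 10:32:00 host sshd[1015]: Failed password for root from 198.51.100.4 port 50015 ssh2
Mar  1 10:33:00 host sshd[1016]: Accepted publickey for alice from 198.51.100.4 port 50016 ssh2
"""

# Simplified stand-in for Fail2Ban's sshd failregex.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_duration(text):
    """Translate Fail2Ban time specs such as '10m', '1h' or '600' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    text = text.strip()
    if text and text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def load_jail(text, jail="sshd"):
    """Read the jail's effective settings; [DEFAULT] values are inherited."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[jail]
    return {
        "ignoreip": set(sec.get("ignoreip", "").split()),
        "bantime": timedelta(seconds=parse_duration(sec["bantime"])),
        "findtime": timedelta(seconds=parse_duration(sec["findtime"])),
        "maxretry": int(sec["maxretry"]),
    }


def simulate(log_text, jail):
    """Replay log lines; return [(ip, 'HH:MM:SS')] for each ban that would fire."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> datetime the ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # not a failure line, e.g. "Accepted publickey"
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ip = m["ip"]
        if ip in jail["ignoreip"]:
            continue                # whitelisted: never counted
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already blocked at the firewall
        window = failures[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while window and ts - window[0] > jail["findtime"]:
            window.popleft()
        if len(window) >= jail["maxretry"]:
            banned_until[ip] = ts + jail["bantime"]
            bans.append((ip, ts.strftime("%H:%M:%S")))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in simulate(SAMPLE_LOG, load_jail(JAIL_LOCAL)):
        print(f"ban {ip} at {when}")
```

The model shows why 192.168.1.1 is safe only because it is listed in ignoreip, and why spreading failures beyond findtime keeps 198.51.100.4 unbanned even though it failed five times in total. On the real daemon, the equivalent observation is `sudo fail2ban-client status sshd`, which lists the currently banned addresses for the jail.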
Now you are ready to go live:
# Restart Fail2Ban with this command:
systemctl restart fail2ban
And that's it.
Stay secured :)