
How to Install and Configure Fail2ban on Linux for SSH Protection

HardReset.Info · January 1, 2026 · 7 min · 186 views

Installing Fail2ban on Linux

  • Fail2ban is not installed by default on Linux and needs to be installed via the terminal.
  • 🚀 To install, use the command sudo apt install fail2ban and confirm with 'y'.
  • ✅ After installation, verify the service status with sudo systemctl status fail2ban. If inactive, enable it using sudo systemctl enable --now fail2ban.

Fail2ban Configuration Files

  • 📌 Configuration files for Fail2ban are located in the /etc/fail2ban/ directory.
  • ⚠️ It is crucial not to edit the default configuration files directly.
  • 🛠️ Instead, create a new configuration file, such as jail.local, to customize settings safely.

Configuring SSH Protection (jail.local)

  • 🔑 An example SSH jail configuration includes enabled = true, port = 22, and filter = sshd.
  • 🔒 The logpath specifies the log file to monitor, typically /var/log/auth.log.
  • 📈 maxretry sets the maximum failed attempts before an IP is banned (e.g., 5).
  • ⏳ bantime defines the duration of the ban in seconds (e.g., 600 seconds for 1 hour).
  • ⏱️ findtime is the time window in seconds during which failures are counted (e.g., 600 seconds for 1 hour).
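
A simplified model of how maxretry, findtime and bantime interact, as an added example that is not taken from the video or from Fail2ban's own code. The log lines are constructed, the regex is a stand-in for the real sshd filter, and the counting is a plain sliding window per IP address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the jail above. 600 seconds is 10 minutes; one hour is 3600.
MAXRETRY, FINDTIME, BANTIME = 5, 600, 600

# Stand-in pattern for this example; Fail2ban's real sshd filter covers far more cases.
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def log_line(hhmmss, ip, user="root"):
    """Build one constructed auth.log line (ISO timestamp, UTC)."""
    return (f"2026-01-01T{hhmmss}+00:00 host sshd[4242]: "
            f"Failed password for {user} from {ip} port 40000 ssh2")

# Constructed sample: one fast burst, one slow attempt every 3 minutes.
SAMPLE = (
    [log_line(f"10:00:{s:02d}", "203.0.113.7") for s in (0, 10, 20, 30, 40)]
    + [log_line(f"10:{m:02d}:00", "198.51.100.9", "invalid user admin")
       for m in (0, 3, 6, 9, 12)])

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, banned_at, unbanned_at)] with times in epoch seconds."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)).timestamp(), m.group(2)
        if banned_until.get(ip, 0) > ts:
            continue  # already banned; the firewall rule would drop this
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - findtime:  # drop stale failures
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"ban {ip} for {int(end - start)} s")
```

The slow client never accumulates five failures inside one 600-second window, so it is not banned; calling simulate(SAMPLE, findtime=3600) catches it.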

Managing Fail2ban with fail2ban-client

  • 🔄 After configuration changes, restart Fail2ban with sudo systemctl restart fail2ban.
  • Use fail2ban-client status to view active jails, such as sshd.
  • 📊 To check the status of a specific jail, use fail2ban-client status sshd.
  • 🚫 To unban an IP address, use sudo fail2ban-client set sshd unbanip <IP_ADDRESS>.
  • ✋ You can also manually ban an IP address using sudo fail2ban-client set sshd banip <IP_ADDRESS>.