How to Setup Fail2ban on the Raspberry Pi

Raspberry Pi Fail2Ban Tutorial

In this Raspberry Pi Fail2ban tutorial, we will be showing you how to set up and configure the Fail2ban software on your Raspberry Pi.

Fail2ban is a crucial piece of software when it comes to improving the security of your Raspberry Pi. It is especially useful if you have your Raspberry Pi publicly accessible via the internet as it is an active and learning form of defense.

For those who do not know what Fail2ban is, it is a piece of software that attempts to block malicious connections to your device, which in our case is our Raspberry Pi. It is important if you have SSH or even a web server that is publicly accessible.

Fail2ban works by continually scanning your log files and looking for signs of potential attacks. These include attacks such as too many password failures as well as scanning for exploits and much more. Once it finds unusual activity it then automatically updates your firewall to ban that IP address.

Equipment

You will need the following equipment for this tutorial on setting up Fail2ban on your Raspberry Pi.

Recommended

Optional

Installing and configuring Fail2ban

1. Before we get started with installing Fail2ban to our Raspberry Pi, we should first ensure that it is entirely up to date.

We can do this very simply by running the following commands within the terminal on the Raspberry Pi.

sudo apt update
sudo apt upgrade

2. With the Raspberry Pi operating system now up to date, let’s go ahead and install the Fail2ban software by running the following command on the Raspberry Pi.

sudo apt install fail2ban

3. During the installation process, fail2ban will generate a file called “jail.conf“.

We need to make a copy of this file and name it “jail.local“, fail2ban will automatically detect this file and load in its configuration for it.

Let’s copy the file by running the following command on the terminal on the Raspberry Pi.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

4. Now let’s go ahead and open up the file that we just copied and take a look at the default configuration that Fail2ban loads in with.

Open up the file using the nano editor by running the following command on your Raspberry Pi.

sudo nano /etc/fail2ban/jail.local

5. Within this file use the CTRL + W key combination to search for “[sshd]“, it should look like the text that we have displayed below.

[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

6. Now to enable this section and to set the SSHD filter we need to add the two lines below the “[sshd]” text that we found in the previous step.

enabled = true
filter = sshd

The first line that we are adding to this configuration file enables Fail2ban to process those rules for the specified port.

The second line tells Fail2ban that it needs to use the “/etc/fail2ban/filter.d/sshd.conf” file to filter connections to the SSH port.

7. In addition to being able to enable it and setting the filter, we can also change what Fail2ban does when someone triggers the filters.

To set the ban action you can utilize the following line. In our example that we have below, we will be using the “iptables-multiport” ban action.

This action will ban the user that triggered the filter and restrict them from accessing any ports on the device.

banaction = iptables-multiport

You can find additional actions by checking out the “/etc/fail2ban/action.d/” folder, typically though you will want to block an attacker on all ports.

8. In addition to being able to set the ban action, you can also set the number of attempts a user gets before they are banned as well as how long that they should be banned for.

To do this we can utilize the following two values, we have set some example values that we will explain below.

bantime = -1
maxretry = 3

The first line above (“bantime = -1“), sets how long you want the user to be banned for. This value needs to be in seconds, for example, 1800 seconds will ban the user for 30 minutes.

If you want to ban the user indefinitely, you can set this value to -1 as we have in our example above.

The second line (“maxretry = 3“), defines how many tries the user gets before the ban action is run. In our example, we set this to 3 meaning the user will have three chances before they are banned from accessing the device on all ports.

9. Once you have finished configuring the [sshd] section with a ban action, ban time, max retries as well as enabling it and setting the filter you should end up with something like we have below.

[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = -1
maxretry = 3
logpath = %(sshd_log)s
backend = %(sshd_backend)s

10. When you are happy with your changes, go ahead and save the file by pressing CTRL + X then Y and finally ENTER.

11. You should now have the Raspberry Pi Fail2ban up and running successfully. To get the Fail2ban software to load up your changes on your Raspberry Pi you need to go ahead and enter the following command.

sudo service fail2ban restart
Fail2Ban on Raspbian

Apache & Nginx Web Servers

You can protect your Apache or Nginx web server using Fail2Ban as well. The setup is very similar to what we did for SSH. I will quickly go through an example for Apache below.

1.  If you want to enable protection for Apache against bad bots, then you will need to open the jail local file.

sudo nano /etc/fail2ban/jail.local

2. Locate the section called [apache-badbots], you can use CTRL + W to find it.

3. Under this header, add the following two lines.

enabled = true
filter = apache-badbots

The filter name will typically be the same name as the module unless you’re using a custom configuration file. So, [apache-badbots] will have a filter name of apache-badbots.

You can find all the filter configuration files in the following directory, use ls to list all the files.

ls /etc/fail2ban/filter.d/

4. Once you’re done editing the “jail.local” file, save the file by pressing CTRL + X then Y and finally ENTER.

5. Lastly, remember to restart Fail2Ban on the Raspberry Pi whenever you make a change.

sudo service fail2ban restart

I hope from this Raspberry Pi Fail2Ban tutorial that you have learned how to setup and configure the software. I also hope that it has shown the benefits of utilizing a piece of software such as Fail2Ban.

If you have any feedback on this tutorial on setting up and configuring the Fail2Ban on your Raspberry Pi, then feel free to post a reply below.

15 Comments

  1. Avatar for Ro
    Ro on

    How do I fix etx/fail2ban/jail.local that is unwritable?

    1. Avatar for Emmet
      Emmet on
      Editor

      Hi Ro,

      I am unable to replicate the issue of not being able to write to the jail.local file after copying it.

      Can you ensure that you are using “sudo” in front of the call to nano.

      Cheers,
      Emmet

  2. Avatar for Davide
    Davide on

    Whenever I make an erroneous login the ip address is logged twice. Having this problem I have to set maxretry to twice the number I want. Is anyone else experiencing this problem?
    Failing ip address I’m monitoring through tail -f /var/log/fail2ban.log

  3. Avatar for Michael
    Michael on

    fail2ban on my pi4 does not ban ssh. However in the /var/log/fail2ban.log there are messages like fail2ban.actions : WARNING [sshd] xx.xx.xx.xx already banned (xx is hidden because of privacy). So it will detected multiple wrong passwords attempts are made, but i can still try unlimited amounts off wrong passwords. And yes i have configured bantime and so on correctly. Anyone?

    1. Avatar for Michael
      Michael on

      Addentum: In my iptables -L the ip address is added to the rejected chain list:
      Chain f2b-sshd (1 references)
      target prot opt source destination
      REJECT all — xx-xx-xx-xx.ftth.glasoperator.nl anywhere reject-with icmp-port-unreachable
      Still no blocking occurs

    2. Avatar for Michael
      Michael on

      Solved! Because I changed the default port of the sshd to listen i had to specify that port also in the “jail.local“. So instead of port = ssh i have to specify port = xx, where xx is my new port number!

    3. Avatar for bigtor
      bigtor on

      Thank you Michael, that was also my case!!

  4. Avatar for Michel
    Michel on

    First of all, Thank you!! Fail2Ban is awsome, but is a bit much if you’ve never done this before (like me).

    I’ve installed Fail2Ban (03-2020) on a fresh installation of raspberian (after i’ve boxed up my previous setup with Fail2Ban to a point I couldn’t connect with it). But to get to my point / question.

    I’ve been reading the config file and found a lot of the configuration mentioned above in the config file. Except for the part “enabled = true” this was set to false in the default config.

    This time I’m planning to everything right, and keep it that way. So, Am I doing the config correct if I’m leaving the default, except for the “enabled = true” part in tact / scattered through out the config file?

    Thanks in advance!!

    Greets,
    Michel

  5. Avatar for Erik
    Erik on

    In section 5 I had to disable “backend = %(sshd_backend)s” to make it work. Otherwhise i would get the error: “Failed during configuration: bad interpolation variable reference ‘%(sshd_backend)'”

  6. Avatar for Richard Paige
    Richard Paige on

    Hi,

    In the section 9 dialogue box, you are missing: banaction = iptables-multiport

    1. Avatar for Emmet
      Emmet on
      Editor

      Hi Richard,

      Thank you very much for pointing out that mistake. We have now corrected that.

      Cheers,
      Emmet

  7. Avatar for Robert Paugh
    Robert Paugh on

    Will this work with a Octoprint installed on the sd card?

    1. Avatar for Emmet
      Emmet on
      Editor

      Hi Robert,

      This should work without any issues, it shouldn’t conflict with the OctoPrint software.

      Cheers,
      Emmet

  8. Avatar for nuccio
    nuccio on

    Please add ‘sudo apt-get update’ after the ‘sudo apt-get upgrade’

    Without this, I was a getting ‘E: unable to locate package’ and I could not install fail2ban.

    Thanks for this guide!

    1. Avatar for Gus
      Gus on
      Editor

      Thanks for your feedback, we have added these two commands.

Leave a Reply

Your email address will not be published. Required fields are marked *