Debian Linux | Install and Configure Fail2Ban and enable mail notifications

To secure a Linux server successfully you have to set up different programs and tools for various tasks. Among other tools, Fail2Ban does a very good job of protecting your server against brute-force attacks from outside. It scans your log files using regular expressions and detects suspicious access attempts. The following how-to / tutorial was written using Debian Jessie (Debian 8).

Install and Run Fail2Ban


Nothing easier than that. Just execute the following command as root or using sudo: apt-get install fail2ban

After the package has been installed it is ready to configure. All config files can be found within /etc/fail2ban/. Additionally, it is available as a service and is started automatically with the server.

Configure Fail2Ban


You can find the config files in the following folder: /etc/fail2ban/
Fail2ban recommends keeping jail.conf as it is and using the jail.local file to override the defaults with your own settings; the header of jail.conf says so itself:
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
If this file does not exist you have to create it using touch /etc/fail2ban/jail.local. Now we can make our system-specific changes to the fail2ban configuration.

Fail2Ban ships with reasonable settings for basic security, but depending on your system you will have to adjust some of them. To override a default setting correctly, your custom changes must sit under the same section name that fail2ban uses in the original configuration file.

The [DEFAULT] section contains the basic settings that apply to all other sections by default. You can override these settings in each section. To learn more about each option, open the default config file and read the comments.

Overriding default settings


To apply your own settings you have to create a section in your jail.local file and add the options you want to override. For example, we want to adjust the settings for our SSH daemon: we changed its default port and want to change the ban time and the maximum number of retries. To do so we add the following lines to the end of our jail.local file:
[ssh]
enabled = true
port = 33333
bantime = 3600
maxretry = 2

To activate your changes you have to restart your fail2ban instance by executing /etc/init.d/fail2ban restart or service fail2ban restart as root or using sudo.

Enable mail notifications to get information about bans via email


By default fail2ban is configured not to send any mails. To enable e-mail notifications you have to set the correct action. To our advantage, fail2ban already ships a fitting action: action = %(action_mwl)s. All we have to do is activate it in our jail.local file.

You can enable fail2ban's mail delivery for each section explicitly (like the [ssh] section) or for all monitored services at once in the [DEFAULT] section. The following settings control the mail configuration and should match your requirements:
[DEFAULT]
# E-mail settings for recipient and sender.
destemail = root@localhost
sendername = Fail2Ban
sender = fail2ban@localhost
#Mail delivery service.
mta = mail
# The necessary action to send mails.
action = %(action_mwl)s
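To see how the two jail.local snippets above combine with the packaged defaults, here is an added example (not fail2ban's own code): Python's configparser, the same kind of parser fail2ban is built on, reads a constructed, heavily trimmed stand-in for jail.conf and then the jail.local from this article, and reports the effective value of each option for a jail. The jail.conf text, its simplified action_mwl (ban, then mail a whois report plus the offending log lines) and the apache-auth jail are constructed for illustration.

```python
import configparser
# Constructed, trimmed stand-in for the packaged jail.conf (the real action_mwl is longer).
JAIL_CONF = """\
[DEFAULT]
bantime   = 600
maxretry  = 3
mta       = sendmail
banaction = iptables-multiport
action_mwl = %(banaction)s[port="%(port)s"]
             %(mta)s-whois-lines[dest="%(destemail)s", logpath=%(logpath)s]
action    = %(banaction)s[port="%(port)s"]
[ssh]
enabled = false
port    = ssh
logpath = /var/log/auth.log
[apache-auth]
enabled = false
port    = http,https
logpath = /var/log/apache2/*error.log
"""
# jail.local assembled from the two snippets in this article.
JAIL_LOCAL = """\
[DEFAULT]
destemail = root@localhost
sendername = Fail2Ban
sender = fail2ban@localhost
mta = mail
action = %(action_mwl)s
[ssh]
enabled = true
port = 33333
bantime = 3600
maxretry = 2
"""

def load_jails(conf_text, local_text):
    """Read jail.conf, then jail.local: same-named options in .local win."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp

def effective(cp, jail, option):
    """Jail's own value if set, else [DEFAULT]; %(x)s expands in that jail's context."""
    return cp.get(jail, option)

if __name__ == "__main__":
    cp = load_jails(JAIL_CONF, JAIL_LOCAL)
    for jail in cp.sections():  # ssh overrides win; apache-auth keeps the defaults
        print(jail, effective(cp, jail, "bantime"), effective(cp, jail, "action"), sep=" | ")
```

Because action is overridden in [DEFAULT] of jail.local, every jail, not just [ssh], gets the mailing action, while bantime and maxretry change only where the [ssh] section sets them.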
