Setting Up UFW and Fail2ban on Debian
TL;DR
To quickly secure your Debian 13 server, follow these steps to set up UFW (Uncomplicated Firewall) and Fail2ban.
Install UFW and Fail2ban: Ensure both packages are installed on your system.
sudo apt update && sudo apt install ufw fail2ban -y # Install UFW and Fail2ban
Configure UFW: Start by setting default policies to deny incoming connections and allow outgoing ones.
sudo ufw default deny incoming # Deny all incoming connections
sudo ufw default allow outgoing # Allow all outgoing connections
Next, allow SSH connections to prevent locking yourself out.
sudo ufw allow OpenSSH # Allow SSH connections
Finally, enable UFW.
sudo ufw enable # Enable the firewall
Caution: Always ensure SSH is allowed before enabling UFW to avoid losing access.
Configure Fail2ban: Create a local configuration file to customize Fail2ban settings.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Copy the default config
Edit the local configuration to set the ban time and find time.
sudo nano /etc/fail2ban/jail.local # Open the config file for editing
Set the following parameters:
# Duration of the ban
bantime = 1h
# Time frame to check for repeated failures
findtime = 10m
# Number of allowed failures before banning
maxretry = 5
Restart Fail2ban to apply changes.
sudo systemctl restart fail2ban # Restart Fail2ban service
Check Status: Verify that UFW and Fail2ban are running correctly.
sudo ufw status verbose # Check UFW status
sudo systemctl status fail2ban # Check Fail2ban status
By following these steps, you will significantly enhance the security of your Debian 13 server against unauthorized access and brute-force attacks.
Introduction to UFW and Fail2ban
UFW (Uncomplicated Firewall) is a user-friendly interface for managing iptables firewall rules on Debian 13. It simplifies the process of configuring a firewall, making it accessible even for those who may not be familiar with complex command-line options. UFW is designed to provide a straightforward way to create and manage firewall rules, allowing you to easily allow or deny traffic based on your security needs.
To install UFW, use the following command:
sudo apt update && sudo apt install ufw # Install UFW package
Once installed, UFW is disabled by default. It is crucial to set up your rules before enabling it to avoid locking yourself out of the server. A common safe default is to deny all incoming connections while allowing all outgoing connections. You can set this up with:
sudo ufw default deny incoming # Deny all incoming traffic
sudo ufw default allow outgoing # Allow all outgoing traffic
Fail2ban is a security tool that helps protect your server from brute-force attacks by monitoring log files and banning IP addresses that show malicious signs. It works by creating temporary firewall rules to block offending IPs, which can significantly enhance your server’s security posture.
To install Fail2ban, run:
sudo apt install fail2ban # Install Fail2ban package
After installation, it is advisable to configure Fail2ban to suit your needs. The default configuration is generally sufficient for basic protection, but you can customize it by editing the configuration files located in /etc/fail2ban/. Always remember to restart the Fail2ban service after making changes:
sudo systemctl restart fail2ban # Restart Fail2ban to apply changes
By combining UFW and Fail2ban, you can create a robust security layer for your Debian 13 server, effectively managing both firewall rules and protecting against unauthorized access attempts.
Installing UFW
To install UFW (Uncomplicated Firewall) on your Debian 13 server, follow these steps:
First, update your package list to ensure you have the latest information on available packages:
sudo apt update # Update package list
Next, install UFW using the following command:
sudo apt install ufw -y # Install UFW
Once the installation is complete, you can check the status of UFW to see if it is active:
sudo ufw status verbose # Check UFW status
By default, UFW is disabled after installation. Before enabling it, it’s crucial to allow SSH connections to prevent locking yourself out of the server. Run the following command to allow SSH:
sudo ufw allow OpenSSH # Allow SSH connections
If you are using a different port for SSH, replace OpenSSH with the specific port number, for example:
sudo ufw allow 2222/tcp # Allow SSH on custom port 2222
After configuring the necessary rules, you can enable UFW:
sudo ufw enable # Enable UFW
You will receive a warning that enabling the firewall will disrupt existing connections. Ensure that you have allowed SSH before proceeding.
To verify that UFW is active and your rules are correctly set, run:
sudo ufw status # Check active rules
For added security, consider setting the default policies. By default, UFW allows all outgoing connections and denies all incoming connections. You can set these defaults with:
sudo ufw default deny incoming # Deny all incoming connections
sudo ufw default allow outgoing # Allow all outgoing connections
These settings provide a solid foundation for your firewall configuration.
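The lock-out risk described in this section comes down to one question: does every port sshd listens on have an allow rule? The script below is an added example, not part of the original guide; it compares `sshd -T` output with `ufw show added` output, and its function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `sudo ufw enable`.
# On a server (as root): check_ssh_allowed "$(sshd -T)" "$(ufw show added)"

# Print every port sshd listens on, from `sshd -T` output ("port 22" lines).
sshd_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }'
}

# Succeed if the rule list (`ufw show added` format) allows the TCP port.
# Only the simple rule forms used on this page are recognised; the OpenSSH
# app profile and the "ssh" service name both stand for 22/tcp.
ufw_allows_tcp() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ufw" && $2 == "allow" {
            if ($3 == (p "/tcp") || $3 == p) ok = 1
            if (p == 22 && ($3 == "OpenSSH" || $3 == "ssh")) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Return 0 only if every sshd port has a matching allow rule.
check_ssh_allowed() {
    ports=$(sshd_ports "$1")
    [ -n "$ports" ] || { echo "no Port line in sshd config" >&2; return 1; }
    missing=0
    for p in $ports; do
        if ufw_allows_tcp "$p" "$2"; then
            echo "ok: $p/tcp is allowed"
        else
            echo "MISSING: no allow rule for $p/tcp" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: sshd moved to port 2222, but only OpenSSH (22) allowed.
SAMPLE_SSHD='port 2222
addressfamily any'
SAMPLE_RULES='ufw allow OpenSSH'
check_ssh_allowed "$SAMPLE_SSHD" "$SAMPLE_RULES" || echo "do not enable UFW yet"
```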
Configuring UFW Rules
To configure UFW (Uncomplicated Firewall) rules on your Debian 13 server, follow these steps to ensure a secure and functional firewall setup.
First, enable UFW if you haven’t already:
sudo ufw enable # Enable UFW
Next, set the default policies. It is recommended to deny all incoming connections and allow all outgoing connections by default:
sudo ufw default deny incoming # Deny all incoming connections
sudo ufw default allow outgoing # Allow all outgoing connections
Now, you can add specific rules to allow necessary services. For example, if you are running an SSH server, you should allow SSH connections:
sudo ufw allow ssh # Allow SSH (port 22)
If you are using a different port for SSH, specify it explicitly:
sudo ufw allow 2222/tcp # Allow SSH on port 2222
For web servers, you can allow HTTP and HTTPS traffic:
sudo ufw allow http # Allow HTTP (port 80)
sudo ufw allow https # Allow HTTPS (port 443)
After adding your rules, check the status of UFW to ensure everything is configured correctly:
sudo ufw status verbose # Display UFW status and rules
Caution: Always ensure that you do not lock yourself out of your server. If you are connected via SSH, make sure to allow the SSH port before enabling UFW.
To delete a rule, use the following command format:
sudo ufw delete allow ssh # Remove the SSH rule
Once you have configured your rules, you can reload UFW to apply any changes:
sudo ufw reload # Reload UFW to apply changes
Regularly review your UFW rules to ensure they meet your current security needs.
Installing Fail2ban
To install Fail2ban on your Debian 13 server, follow these steps:
First, ensure your package list is up to date:
sudo apt update # Update package list
Next, install Fail2ban using the following command:
sudo apt install fail2ban -y # Install Fail2ban
Once the installation is complete, Fail2ban will not start automatically. To enable and start the service, run:
sudo systemctl enable fail2ban # Enable Fail2ban to start on boot
sudo systemctl start fail2ban # Start Fail2ban service
Fail2ban comes with a default configuration file located at /etc/fail2ban/jail.conf. It is recommended to create a local copy of this file for customization to avoid overwriting changes during updates:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Create local configuration
Edit the local configuration file to set your desired parameters:
sudo nano /etc/fail2ban/jail.local # Open the local configuration file
In this file, you can adjust settings such as bantime, findtime, and maxretry. For example, a safe default configuration might look like this:
[DEFAULT]
# Keep comments on their own lines; Fail2ban does not strip a trailing # comment from a value
# Ban for 10 minutes
bantime = 10m
# Consider failures within 10 minutes
findtime = 10m
# Allow 5 failed attempts before banning
maxretry = 5
After making your changes, save the file and exit the editor. To apply the new configuration, restart the Fail2ban service:
sudo systemctl restart fail2ban # Restart Fail2ban to apply changes
To check the status of Fail2ban and ensure it is running correctly, use:
sudo systemctl status fail2ban # Check Fail2ban status
This setup will help protect your server from brute-force attacks while maintaining a balance between security and accessibility.
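To see how findtime and maxretry interact, the following added example (not part of the original guide, and not Fail2ban's own code) replays SSH failures from log lines on stdin and prints the source addresses that reach maxretry failures inside one findtime window. The log lines are constructed, and the parser assumes ISO-style timestamps from a single day.

```shell
#!/bin/sh
# Added example: replay SSH failures and list the IPs that Fail2ban-style
# thresholds would ban. Usage: would_ban MAXRETRY FINDTIME_SECONDS < log
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd.*Failed password/ {
        # Field 1 is an ISO timestamp; take HH:MM:SS (single day assumed).
        split(substr($1, 12, 8), hms, ":")
        now = hms[1] * 3600 + hms[2] * 60 + hms[3]
        # The source address follows the last "from" on the line.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n = ++count[ip]
        seen[ip, n] = now
        # Slide the window: forget failures older than findtime.
        while (now - seen[ip, first[ip] + 1] > findtime) first[ip]++
        if (n - first[ip] >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Constructed sample log: 203.0.113.7 fails 5 times within 90 seconds,
# 198.51.100.9 fails 5 times but 11 minutes apart.
sample_log() {
    cat <<'EOF'
2025-01-10T12:00:01+00:00 srv sshd[811]: Failed password for root from 203.0.113.7 port 40001 ssh2
2025-01-10T12:00:05+00:00 srv sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
2025-01-10T12:00:20+00:00 srv sshd[813]: Failed password for root from 203.0.113.7 port 40002 ssh2
2025-01-10T12:00:41+00:00 srv sshd[814]: Failed password for root from 203.0.113.7 port 40003 ssh2
2025-01-10T12:01:02+00:00 srv sshd[815]: Failed password for root from 203.0.113.7 port 40004 ssh2
2025-01-10T12:01:30+00:00 srv sshd[816]: Failed password for root from 203.0.113.7 port 40005 ssh2
2025-01-10T12:05:00+00:00 srv sshd[817]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
2025-01-10T12:11:05+00:00 srv sshd[818]: Failed password for invalid user admin from 198.51.100.9 port 51001 ssh2
2025-01-10T12:22:05+00:00 srv sshd[819]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
2025-01-10T12:33:05+00:00 srv sshd[820]: Failed password for invalid user admin from 198.51.100.9 port 51003 ssh2
2025-01-10T12:44:05+00:00 srv sshd[821]: Failed password for invalid user admin from 198.51.100.9 port 51004 ssh2
EOF
}

# maxretry = 5 and findtime = 10m (600 s), the values from this section
sample_log | would_ban 5 600
```

With a 10-minute findtime only the fast source is listed; the slow one never has more than one failure inside the window. The fail2ban-regex tool shipped with Fail2ban tests a real filter against a real log file.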
Configuring Fail2ban
To configure Fail2ban on your Debian 13 server, follow these steps to enhance your security against brute-force attacks.
First, install Fail2ban if you haven’t already:
sudo apt update && sudo apt install fail2ban -y # Install Fail2ban
Once installed, you need to create a local configuration file to override the default settings without modifying the original configuration. This is done by copying the default configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # Create local config
Open the local configuration file in your preferred text editor:
sudo nano /etc/fail2ban/jail.local # Edit the local configuration
In this file, you can configure the jails for the services you want to protect. For example, to enable protection for SSH, locate the [sshd] section and ensure it is set as follows:
[sshd]
# Enable SSH protection
enabled = true
# Use the default SSH port
port = ssh
# Use the SSH filter
filter = sshd
# Path to the SSH log file (written by rsyslog; check that it exists)
logpath = /var/log/auth.log
# Number of allowed retries before banning
maxretry = 5
# Ban time in seconds (1 hour)
bantime = 3600
Adjust maxretry and bantime according to your security needs, but be cautious not to set them too low, as legitimate users may get locked out.
After making your changes, save and exit the editor. To apply the new configuration, restart the Fail2ban service:
sudo systemctl restart fail2ban # Restart Fail2ban to apply changes
To check the status of Fail2ban and see which jails are active, use:
sudo fail2ban-client status # Check Fail2ban status
This will help you monitor the effectiveness of your configuration and ensure that your server remains secure against unauthorized access attempts.
Verification
To ensure that UFW and Fail2ban are functioning correctly, you can perform a series of verification steps.
First, check the status of UFW to confirm that it is active and the correct rules are in place. Run the following command:
sudo ufw status verbose # Displays the status and rules of UFW
You should see output indicating that UFW is active and listing the allowed services and ports. If you notice any unexpected rules, you can modify them accordingly.
Next, verify that Fail2ban is running and monitoring the appropriate log files. Use the command:
sudo systemctl status fail2ban # Checks the status of the Fail2ban service
The output should indicate that the service is active (running). If it is not, you can start it with:
sudo systemctl start fail2ban # Starts the Fail2ban service
To check the status of specific jails (the configurations for monitoring services), use:
sudo fail2ban-client status # Lists all jails and their status
You can inspect the details of a specific jail, for example, the SSH jail:
sudo fail2ban-client status sshd # Displays the status of the SSH jail
This will show you the number of currently banned IPs and the list of banned IPs. If you see any IPs that should not be banned, you can unban them using:
sudo fail2ban-client set sshd unbanip <IP_ADDRESS> # Replace <IP_ADDRESS> with the actual IP
Finally, to test the effectiveness of Fail2ban, you can simulate a failed login attempt. However, be cautious with this approach to avoid locking yourself out. Always ensure you have a backup access method, such as a console or another user account with sudo privileges.