Discopter Pi Guide

Chapter 4: Protecting the Pi with Fail2ban

Fail2Ban is a vital tool for enhancing the security of your Raspberry Pi, particularly if it is accessible to the internet. It functions as an active defense mechanism that learns from and blocks malicious connections to your device. If you have SSH or a publicly accessible web server, Fail2ban is absolutely essential. The software continuously monitors your log files for signs of potential attacks, such as repeated authentication failures and exploits. When it detects suspicious activity, it automatically updates your firewall to block the corresponding IP address.

To spoil future chapters, we're eventually going to set up the Pi as a VPN server. Perhaps you'll also be interested in hosting other services, like a password manager or web server. This will involve forwarding ports and exposing the Raspberry Pi to the internet, which means exposing it to malicious actors. It's not a matter of if: it will be attacked, typically by Russian and Chinese bots that scan the entire internet looking for open ports on exposed devices. Yes, we've already made things secure enough that a bot can knock but can't come in, but why not make it so that they can't knock more than a couple of times before they can't even get past the driveway? Fail2ban does exactly that by continually scanning your logs and updating your firewall rules to block offending IP addresses. We'll go further into the Pi's firewall in the next chapter.

After we install Fail2ban, it's going to create a file called jail.conf. If you open up the file, it will say right at the top not to edit it. It will instead direct you to copy the file with the name jail.local and make all edits in that. Fail2ban will automatically detect jail.local and use it to load its configuration, with jail.conf as basically the backup should you ever need to reset your policies.

Once we create the jail.local file, we're going to open it, set Fail2ban to monitor SSH connection attempts, and then decide on how to deal with unwanted visitors. Fail2ban works by monitoring your system logs and creating firewall rules to ban offending IP addresses. Before we can enable Fail2ban, we first have to ensure that our Raspberry Pi is properly logging SSH attempts and has access to the built-in firewall (firewalls will be covered more in Chapter 5).

Step 1: Enable Logging and Firewall Access

  1. Install the iptables client. This is not the actual iptables firewall, which is already built into our system, but rather the set of commands that Fail2ban uses to create rules.
    sudo apt install iptables
  2. Install a logging service. We will be using rsyslog, which will create log entries that Fail2ban can monitor for failed SSH attempts.
    sudo apt install rsyslog
  3. Once installed, we enable rsyslog to act as a background service, so we never need to tell our Pi to start logging. It will just do that automatically once started.
    sudo systemctl enable rsyslog
  4. Now we actually start logging.
    sudo systemctl start rsyslog
  5. You can verify that it is successfully running by checking its status.
    sudo systemctl status rsyslog

Step 2: Installing and Configuring Fail2ban

  1. Run the following command:
    sudo apt install fail2ban
  2. Copy the file by running this command:
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  3. Open the copied file for editing:
    sudo nano /etc/fail2ban/jail.local
  4. Look for the section marked [sshd]. It should look like this:
    [sshd]
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s
  5. Below the last line in this section, add the following lines:
    • enabled = true
      • This switches on Fail2ban for SSH connections
    • filter = sshd
      • This tells Fail2ban that it needs to filter connections to the SSH port using the /etc/fail2ban/filter.d/sshd.conf file.
    • banaction = iptables-multiport
      • This will ban the offending IP address on all ports of your Raspberry Pi. If they try to break into port 22, they won't just get banned from further attempts at 22, they'll get banned from every port on your Pi.
    • bantime = -1
      • The value is the number of seconds the ban stays in effect. bantime = 3600 would ban an IP address for 3,600 seconds, or one hour. Setting it to -1 makes the ban permanent.
    • maxretry = 2
      • This number refers to how many chances a user has. You can pick a higher number if you'd like, but probably nothing more than 5. Counting the initial attempt, this gives you three tries to log in, in case you forgot to load the private key onto a device or fat-fingered the passphrase.
  6. It should look something like this:
    [sshd]
    port = ssh
    logpath = %(sshd_log)s
    backend = %(sshd_backend)s
    enabled = true
    filter = sshd
    banaction = iptables-multiport
    bantime = -1
    maxretry = 2
  7. Save the file with Ctrl+X, confirming the save when nano prompts you.
  8. Restart the Fail2ban service by running the following command:
    sudo systemctl restart fail2ban
  9. Check its status to make sure it is up and running.
    sudo systemctl status fail2ban
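Before restarting, it is worth confirming that the [sshd] section really carries the values from step 5. The script below is an added example, not part of this guide or of Fail2ban: it reads a key from the [sshd] section of a jail.local-style file with awk, checks the five settings above, and dry-runs itself on a constructed copy of the configuration (sshd_setting, check_sshd_jail and write_sample_jail are names chosen here). It looks only at [sshd] itself and ignores anything inherited from [DEFAULT], so it is stricter than Fail2ban's own resolution.

```shell
# Added example, not from the guide: read a setting from the [sshd] section of a
# jail.local-style file and check it carries the five values from Step 2.
# Only [sshd] itself is consulted; values inherited from [DEFAULT] are ignored.

# sshd_setting FILE KEY -> prints KEY's value from the [sshd] section, if set there
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[sshd\][ \t]*$/); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# check_sshd_jail FILE -> one line per deviation from Step 2; exit status 0 if none
check_sshd_jail() {
    rc=0
    for pair in enabled=true filter=sshd banaction=iptables-multiport bantime=-1 maxretry=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "[sshd] $key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# write_sample_jail FILE good|bad -> constructed jail.local fragments for a dry run
write_sample_jail() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
[DEFAULT]
bantime = 10m
[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
banaction = iptables-multiport
bantime = -1
maxretry = 2
EOF
    else
        printf '[sshd]\nport = ssh\nmaxretry = 2\n' > "$1"   # enabled missing: jail never active
    fi
}

# Dry run on the constructed file; no access to /etc/fail2ban is needed
tmp=${TMPDIR:-/tmp}/jail.$$.local
write_sample_jail "$tmp" good && check_sshd_jail "$tmp" && echo "[sshd] matches Step 2"
rm -f "$tmp"
```

To check the real file, call check_sshd_jail /etc/fail2ban/jail.local instead of the constructed one.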

With the service restarted, Fail2ban is now enabled and monitoring connection attempts. Anyone trying too hard to SSH into your Pi will quickly find themselves locked out unless they get a new IP address. Next, we'll go over reviewing the list of banned IPs and unbanning one, if necessary.

Reviewing Fail2ban Logs

The logs are located in /var/log/fail2ban.log. You can review them with cat, tail, less, or nano.
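The log records every Ban and Unban, so the set of addresses that are still banned can be reconstructed by replaying those lines in order. The script below is an added example, not part of this guide: currently_banned and ban_events (names chosen here) do that replay with awk over a constructed excerpt that mirrors the real fail2ban.log line format, including the "Restore Ban" lines Fail2ban writes when it reloads persisted bans after a restart. On a live Pi, sudo fail2ban-client status sshd remains the authoritative source to compare against.

```shell
# Added example, not from the guide: replay the Ban / Unban lines of one jail in
# fail2ban.log to list the addresses still banned. The log excerpt is constructed
# (documentation IP ranges only); on a live Pi run
#   currently_banned /var/log/fail2ban.log sshd
# and compare with "sudo fail2ban-client status sshd".

# currently_banned LOGFILE JAIL -> each still-banned IP once, sorted
currently_banned() {
    awk -v jail="[$2]" '
        # fields: date time module [pid]: LEVEL [jail] Action IP ...
        $6 == jail {
            act = $7; ip = $8
            if (act == "Restore") { act = $8; ip = $9 }   # "Restore Ban" after a restart
            if (act == "Ban") banned[ip] = 1
            else if (act == "Unban") delete banned[ip]
        }
        END { for (ip in banned) print ip }' "$1" | LC_ALL=C sort
}

# ban_events LOGFILE JAIL -> number of fresh bans (restored bans not counted)
ban_events() {
    awk -v jail="[$2]" '$6 == jail && $7 == "Ban" { n++ } END { print n + 0 }' "$1"
}

# write_sample_log FILE -> constructed log excerpt in the real fail2ban.log format
write_sample_log() {
    cat > "$1" <<'EOF'
2024-03-01 08:00:01,101 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5 - 2024-03-01 08:00:00
2024-03-01 08:00:04,210 fail2ban.filter  [812]: INFO    [sshd] Found 203.0.113.5 - 2024-03-01 08:00:03
2024-03-01 08:00:04,377 fail2ban.actions [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-01 08:15:30,002 fail2ban.actions [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-01 09:02:11,540 fail2ban.actions [812]: NOTICE  [sshd] Unban 198.51.100.7
2024-03-01 09:30:00,000 fail2ban.actions [812]: NOTICE  [apache-auth] Ban 192.0.2.9
2024-03-01 10:00:00,000 fail2ban.actions [812]: NOTICE  [sshd] Restore Ban 203.0.113.5
2024-03-01 10:05:00,000 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.44
EOF
}

tmp=${TMPDIR:-/tmp}/f2b.$$.log
write_sample_log "$tmp"
echo "bans recorded for sshd: $(ban_events "$tmp" sshd)"     # 3
echo "still banned in sshd:"; currently_banned "$tmp" sshd   # 192.0.2.44 and 203.0.113.5
rm -f "$tmp"
```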

Unbanning an IP

This is nice and simple with newer versions of Fail2ban. If you've accidentally locked one of your devices out, just enter the command:

sudo fail2ban-client unban <IP address>