Fail2Ban is a powerful, free, open-source firewall service that is used to stop brute-force login attempts from remote systems. It is simple and lightweight, and it provides different filters to monitor Apache, SSH, and other programs for suspicious activity. It runs in the background, monitors the logs of different services, and blocks clients that repeatedly fail authentication checks. Fail2Ban protects your Linux server against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.
In this post, we will show you how to install the Fail2Ban firewall on Arch Linux.
Step 1 – Configure Repository
The default mirror list in Arch Linux is outdated, so you will need to modify it. You can do this by editing the mirrorlist configuration file:
nano /etc/pacman.d/mirrorlist
Remove all lines and add the following lines:
## Score: 0.7, United States
Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.8, United States
Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.9, United Kingdom
Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
## Score: 1.5, United Kingdom
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch
## Score: 6.6, United States
Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
## Score: 6.7, United States
Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
## Score: 6.8, United States
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
## Score: 7.1, India
Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
## Score: 10.1, United States
Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch
Save and close the file, then update all the package indexes with the following command:
pacman -Syu
Step 2 – Install Fail2Ban Firewall
By default, the Fail2Ban package is available in the Arch Linux default repository. You can install it using the following command.
pacman -S fail2ban
After installing the Fail2Ban package, start the Fail2Ban service and enable it to start at system reboot.
systemctl start fail2ban
systemctl enable fail2ban
Step 3 – Secure SSH with Fail2Ban
SSH is one of the most popular protocols used to manage remote servers via the command line, so the SSH service is always exposed to brute-force login attacks. In this section, we will show you how to protect SSH with Fail2Ban. The default Fail2Ban configuration file is located at /etc/fail2ban/jail.conf. Because that file can be overwritten by package updates, it is always recommended to create a new Fail2Ban configuration file for your own settings.
nano /etc/fail2ban/jail.local
Add the following lines:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 300
ignoreip = 127.0.0.1
Save and close the file, then restart the Fail2Ban service to apply the changes.
systemctl restart fail2ban
Step 4 – Verify Fail2Ban
At this point, Fail2Ban is installed and configured to secure the SSH server against brute-force login attacks. You can now monitor your Fail2Ban using the fail2ban-client tool.
To check the status of the SSH jail, run the following command.
fail2ban-client status sshd
You should see the list of all IPs blocked by Fail2Ban in the following output:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 8
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 49.34.165.39
To check the status of all jails, run the following command.
fail2ban-client status
You will get the following output.
Status
|- Number of jail: 1
`- Jail list: sshd
You can also check the Fail2Ban log for more information:
tail -f /var/log/fail2ban.log
You should see the following output.
2023-01-31 05:03:53,142 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:03:52
2023-01-31 05:04:03,144 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:02
2023-01-31 05:04:03,339 fail2ban.actions [54073]: NOTICE [sshd] 49.34.165.39 already banned
2023-01-31 05:04:07,686 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:07
2023-01-31 05:04:11,435 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:11
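To review a log like this per address instead of line by line, the following added example (not part of the original tutorial or of Fail2Ban itself) counts Found, Ban, Unban and "already banned" events for each jail and IP. The function names f2b_summary and sample_log are hypothetical, and the Ban/Unban lines for 203.0.113.7 are constructed sample input in Fail2Ban's usual log wording.

```shell
# Added example: per-jail, per-IP summary of fail2ban.log events.
# Assumed line layouts (the first and third are the ones shown above):
#   ... fail2ban.filter  [pid]: INFO   [jail] Found <ip> - <date> <time>
#   ... fail2ban.actions [pid]: NOTICE [jail] Ban <ip>      (or Unban <ip>)
#   ... fail2ban.actions [pid]: NOTICE [jail] <ip> already banned
f2b_summary() {   # reads log lines on stdin, prints one sorted line per jail/IP
    awk '
    {
        pos = 0   # index of the "[jail]" field; "[pid]:" ends in ":" and is skipped
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[[A-Za-z][A-Za-z0-9_-]*\]$/) { pos = i; break }
        if (!pos) next
        jail = substr($pos, 2, length($pos) - 2)
        ev = $(pos + 1)
        if (ev == "Found" || ev == "Ban" || ev == "Unban") {
            ip = $(pos + 2)
        } else if ($(pos + 2) == "already" && $(pos + 3) == "banned") {
            ip = ev; ev = "Already"   # failure logged for an address already banned
        } else next
        key = jail " " ip
        seen[key] = 1
        n[key, ev]++
    }
    END {
        for (k in seen)
            printf "%s found=%d ban=%d unban=%d already_banned=%d\n", k,
                n[k, "Found"], n[k, "Ban"], n[k, "Unban"], n[k, "Already"]
    }' | sort
}

# Sample input: the first five lines are the tutorial output above; the
# 203.0.113.7 lines are constructed (documentation address range).
sample_log() {
    cat <<'EOF'
2023-01-31 05:03:53,142 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:03:52
2023-01-31 05:04:03,144 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:02
2023-01-31 05:04:03,339 fail2ban.actions [54073]: NOTICE [sshd] 49.34.165.39 already banned
2023-01-31 05:04:07,686 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:07
2023-01-31 05:04:11,435 fail2ban.filter [54073]: INFO [sshd] Found 49.34.165.39 - 2023-01-31 05:04:11
2023-01-31 05:10:01,100 fail2ban.filter [54073]: INFO [sshd] Found 203.0.113.7 - 2023-01-31 05:10:00
2023-01-31 05:10:05,100 fail2ban.filter [54073]: INFO [sshd] Found 203.0.113.7 - 2023-01-31 05:10:04
2023-01-31 05:10:09,100 fail2ban.filter [54073]: INFO [sshd] Found 203.0.113.7 - 2023-01-31 05:10:08
2023-01-31 05:10:09,300 fail2ban.actions [54073]: NOTICE [sshd] Ban 203.0.113.7
2023-01-31 05:15:09,400 fail2ban.actions [54073]: NOTICE [sshd] Unban 203.0.113.7
EOF
}

sample_log | f2b_summary
```

On a server, run f2b_summary < /var/log/fail2ban.log. A non-zero already_banned count means failures were still being logged for an address after it was banned, which is worth checking against the active firewall rules.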
Step 5 – Working with Fail2Ban Command Line
Fail2Ban also allows you to block and unblock remote IPs manually via the command line.
To unblock a blocked IP, run the following command:
fail2ban-client set sshd unbanip remote-ip
If you want to block an untrusted IP, run the following command:
fail2ban-client set sshd banip remote-ip
Conclusion
Congratulations! You have successfully installed and configured the Fail2Ban firewall on Arch Linux. Your server is now protected from brute-force login attempts. You can now install Fail2Ban on dedicated server hosting from Atlantic.Net!