Lazy Linux Security with fail2ban & ufw


fail2ban is a magical little program that does precisely what it says on the tin.

Fail to authenticate properly enough times, and you'll be banned. Banned from what? Well, just about anything. fail2ban is super flexible: it reads log files and executes commands when certain conditions are met, such as blocking a source IP address using iptables when there are 3 or more failed SSH attempts. Where fail2ban really shines is in an area I have come to appreciate more and more as I so gracefully age: sane defaults. Simply using the default configuration and enabling the service will do a pretty darn good job of protecting SSH, Apache, Nginx, and dozens of other services from brute-force attacks.

First we will update our package cache:
apt update
Now let's install fail2ban:
apt install fail2ban -y
Copy over the default config, so we can edit it.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
If on Debian, pop into the config file.
nano /etc/fail2ban/jail.local
Under JAILS, find the section marked:
[sshd]
Under that section, change the backend to systemd (if you don't, fail2ban will probably crash):
backend = systemd
Enable the Fail2ban service to run at startup.
systemctl enable fail2ban
Start the fail2ban service (or restart it if it's already running):
systemctl restart fail2ban

Adding Fail2ban to Proxmox?

Add this to /etc/fail2ban/jail.local:
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h

Now create the file /etc/fail2ban/filter.d/proxmox.conf with the following content:
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service

Now restart fail2ban:
systemctl restart fail2ban

Adding fail2ban to Proxmox Backup Server??

Add this to /etc/fail2ban/jail.local:
[proxmox-backup-server]
enabled = true
port = https,http,8007
filter = proxmox-backup-server
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h

Now create the file /etc/fail2ban/filter.d/proxmox-backup-server.conf with the following content:
[Definition]
failregex = authentication failure; rhost=\[<HOST>\]:\d+ user=.* msg=.*
ignoreregex =

Now restart fail2ban:
systemctl restart fail2ban
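Before trusting a custom filter, it's worth checking that the failregex actually matches the failure lines and nothing else, and that the jail's maxretry/findtime window behaves the way you expect. fail2ban's own tool for this is fail2ban-regex, which can read the journal directly (fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf). The following is an added example, not code from the post or from fail2ban: it runs the two failregex lines above against constructed journal lines and applies a simplified version of the jail's ban bookkeeping. The <HOST> expansion is a simplified assumption covering IPv4/IPv6 literals only, and the sample lines, hosts and base timestamp are all constructed.

```python
# Added example (not from the original post, not fail2ban's own code): dry-run the
# two failregex lines from the post against constructed journal lines, then apply
# the maxretry/findtime window a jail uses before it bans a host.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4/IPv6 literals only).
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"

# The failregex lines from the two filters in the post, verbatim.
FILTERS = {
    "proxmox": r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*",
    "proxmox-backup-server": r"authentication failure; rhost=\[<HOST>\]:\d+ user=.* msg=.*",
}

T0 = datetime(2024, 1, 1, 12, 0)  # constructed base timestamp for the samples


def pve_line(host, user="root@pam"):
    """Constructed pvedaemon journal line in the shape the proxmox filter expects."""
    return f"pvedaemon[1234]: authentication failure; rhost={host} user={user} msg=Authentication failure"


def pbs_line(host, port, user="admin@pbs"):
    """Constructed proxmox-backup-proxy journal line in the shape the PBS filter expects."""
    return f"proxmox-backup-proxy[999]: authentication failure; rhost=[{host}]:{port} user={user} msg=authentication failed"


# Constructed samples: (timestamp, line). Hosts are documentation ranges, not real clients.
SAMPLE_PROXMOX = [
    (T0, pve_line("203.0.113.7")),
    (T0 + timedelta(minutes=5), pve_line("203.0.113.7")),
    (T0 + timedelta(minutes=10), pve_line("203.0.113.7", user="admin@pve")),
    # Only two failures: stays under maxretry=3.
    (T0, pve_line("203.0.113.8")),
    (T0 + timedelta(minutes=1), pve_line("203.0.113.8")),
    # Three failures spread over three days: never three inside findtime=2d.
    (T0, pve_line("203.0.113.9")),
    (T0 + timedelta(hours=36), pve_line("203.0.113.9")),
    (T0 + timedelta(days=3), pve_line("203.0.113.9")),
    # A successful login must not match the filter.
    (T0, "pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'"),
]
SAMPLE_PBS = [
    (T0, pbs_line("198.51.100.9", 51234)),
    (T0 + timedelta(minutes=2), pbs_line("198.51.100.9", 51240)),
    (T0 + timedelta(minutes=4), pbs_line("198.51.100.9", 51251)),
    # IPv6 literal: one failure, extracted but not banned.
    (T0, pbs_line("2001:db8::5", 40000)),
]


def compile_failregex(failregex):
    """Expand <HOST> the (simplified) way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_hosts(filter_name, lines):
    """Return [(timestamp, host)] for every line the named filter's failregex matches."""
    pattern = compile_failregex(FILTERS[filter_name])
    hits = []
    for ts, line in lines:
        m = pattern.search(line)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def decide_bans(hits, maxretry=3, findtime=timedelta(days=2)):
    """Sliding window like a jail's findtime: a host is banned once it has maxretry
    matches inside findtime. Returns {host: timestamp of the match that triggered it}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue  # already banned; further matches don't matter here
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:  # drop matches that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def demo():
    """Run both filters over the constructed samples; returns {jail: sorted banned hosts}."""
    samples = (("proxmox", SAMPLE_PROXMOX), ("proxmox-backup-server", SAMPLE_PBS))
    return {name: sorted(decide_bans(extract_hosts(name, sample))) for name, sample in samples}


if __name__ == "__main__":
    for jail, hosts in demo().items():
        print(f"{jail}: would ban {hosts or 'nobody'}")
```

Two things the dry run surfaces that the config alone does not: a source with three failures spread across three days is never banned under findtime = 2d, and the PBS regex only matches because the bracketed [host]:port form is handled explicitly, so the same line fed to the proxmox filter would be missed.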

That's it; fail2ban is working. This is very, very unlikely to cause any issues, and will add a powerful layer of protection to your server.

UFW (Uncomplicated Firewall) is another tool that does precisely what it says on the tin.

On Proxmox and VMs, I use Proxmox's excellent built-in firewall.
For everything else, I use UFW.

You can install ufw the usual way on Debian:
apt update && apt install ufw -y
Now let's disable the firewall and reset its rules so we can set it up ourselves:
ufw disable && ufw reset
These set the sane defaults used by most firewalls (all outbound allowed, all unsolicited inbound denied):
ufw default deny incoming && ufw default allow outgoing

Now we're in a good place. Where the fun comes in with ufw is how simple the commands are. For example, here's how to allow inbound SSH:
ufw allow ssh
Wait, you have a web server too?
ufw allow https
We can also get really, really specific:
ufw allow in on eth0 from 10.0.0.0/24 port 8273 proto tcp to 10.0.1.100 port 22 comment 'This allows TCP connections to port 22 from the 10.0.0.0/24 range with a source port of 8273'

I won't get into depth on specific rules, as that's been done a million times over. You know what ports you need open, and to whom.

When you're done, enable UFW and the service for good measure:
systemctl enable ufw
systemctl restart ufw
ufw enable

There are a few more things we do to secure our servers that you'll likely want to do too, and I'll cover them in future posts.

  • At-rest encryption (ZFS or LUKS)
  • SSH No Root Login + Certificate only
  • Server monitoring (Zabbix, or Uptime-Kuma)
  • SIEM (Wazuh?)
  • UPS Monitoring (NUT-CGI)
  • Temperature Monitoring (Python on a Raspberry Pi)
  • Encrypted on-site backups (PBS)
  • Encrypted immutable offsite backups (PBS + Rsnapshot + Wasabi)