Fail2Ban

Fail2ban is a daemon that parses log files and temporarily blocks hosts that abuse your system, typically by failing to authenticate over and over. It does not replace a firewall, but it is a good complement to one: it stops a single host from trying thousands of passwords against your server, and it does so by adding and removing firewall rules on your behalf.

Prerequisite
This guide configures Fail2Ban to use nftables as its ban backend instead of the default iptables actions. It assumes nftables is already installed and managed through /etc/nftables.conf.

Installation
Note: Debian Stretch (currently in testing) contains a much nicer version of fail2ban than Jessie (current stable). Configuration has been simplified a lot between the two releases, and installing the version from stretch will save you from migration pain later. Make sure you configure the stretch source before running the command below.

Note 2: On systems with both 64-bit and 32-bit architectures enabled (multiarch), you might need the following command to avoid installing iptables

Configuration
After you change the configuration or add a new jail, don't forget to restart fail2ban (or run fail2ban-client reload) so the change takes effect. Check fail2ban-client status afterwards to confirm the jails you expect are actually running.

nftables
nftables support was added in release 0.9.4. If you have an older release, you can copy the three nftables action files from the official repository and add them to. Newer releases have reorganised these actions, so check the action.d directory of the version you actually installed before overriding any of its options.

Create table
Create the file, then add the line in.

Finally, activate your rule in nftables by reloading the ruleset, and check that the new table is listed. Note that a ruleset reload that starts with flush ruleset also removes anything fail2ban had added to that table, so restart fail2ban after reloading nftables.

Set table in Fail2Ban
Create file
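The three steps above (create the table, include it from the main nftables file, tell Fail2Ban which table and chain to use) as one script. This is an added example, not a file from the page or from the fail2ban project; the table name f2b-table, the drop-in path /etc/nftables.d/fail2ban.nft and the override file action.d/nftables-common.local are assumptions, and the option names nftables_family, nftables_table and chain are those of the 0.9.x nftables-common.conf action, so check your installed action.d before relying on them. Setting ROOT renders the files into a scratch directory instead of /etc.

```sh
#!/bin/sh
# Added example, not the page's own files: render a dedicated nftables table
# for Fail2Ban, include it from Debian's /etc/nftables.conf, and point the
# 0.9.x nftables-* actions at it. Set ROOT to a scratch directory to render
# the files without touching /etc (used for dry runs and the self-test).
set -e

# Assumed names: the table/chain, the drop-in path and the override file.
TABLE="f2b-table"
CHAIN="input"
NFT_DROPIN="/etc/nftables.d/fail2ban.nft"
NFT_MAIN="/etc/nftables.conf"
F2B_OVERRIDE="/etc/fail2ban/action.d/nftables-common.local"

path() { printf '%s' "${ROOT:-}$1"; }

# 1. The table: an input chain at priority -1 so it is evaluated before the
#    default "inet filter" chain (priority 0). Policy is accept because the
#    fail2ban action inserts its own reject rules into this chain.
write_nft_table() {
    mkdir -p "$(dirname "$(path "$NFT_DROPIN")")"
    cat > "$(path "$NFT_DROPIN")" <<EOF
table inet $TABLE {
	chain $CHAIN {
		type filter hook input priority -1; policy accept;
	}
}
EOF
}

# 2. Include the drop-in from the main ruleset file, exactly once.
enable_nft_include() {
    line="include \"$NFT_DROPIN\""
    mkdir -p "$(dirname "$(path "$NFT_MAIN")")"
    touch "$(path "$NFT_MAIN")"
    grep -qxF "$line" "$(path "$NFT_MAIN")" \
        || printf '%s\n' "$line" >> "$(path "$NFT_MAIN")"
}

# 3. Tell Fail2Ban which table and chain to use. The option names are the
#    [Init] defaults of the 0.9.x nftables-common.conf action (assumption:
#    newer releases restructured these actions, check your action.d).
write_f2b_override() {
    mkdir -p "$(dirname "$(path "$F2B_OVERRIDE")")"
    cat > "$(path "$F2B_OVERRIDE")" <<EOF
[Init]
nftables_family = inet
nftables_table = $TABLE
chain = $CHAIN
EOF
}

# 4. Activate on the live host: syntax-check, reload, verify the table, then
#    restart fail2ban, because "flush ruleset" in nftables.conf drops the sets
#    and rules fail2ban had added and it has to recreate them.
apply_live() {
    nft -c -f "$NFT_MAIN"
    systemctl reload nftables
    nft list table inet "$TABLE"
    systemctl restart fail2ban
}

case "${1:-}" in
    render)  write_nft_table; enable_nft_include; write_f2b_override ;;
    install) ROOT=""; write_nft_table; enable_nft_include; write_f2b_override; apply_live ;;
    *)       echo "usage: $0 render|install   (set ROOT=/some/dir for render)" >&2 ;;
esac
```

Run it as root with the install argument on the real host, or with ROOT=/tmp/f2b render to inspect the generated files first. Keeping a separate table rather than adding the chain to inet filter means a later edit to your main firewall rules cannot accidentally delete the chain fail2ban is writing into.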

Defaults
Create file

Recidive
The recidive jail bans a host for a much longer period if it has been banned several times in a row. It works by reading fail2ban's own log, so repeat offenders from every other jail are caught, and it normally uses an all-ports ban action rather than only blocking the port of the service that was abused.

Create file
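The defaults file and the recidive jail together, as an added example that is not part of the page or of the fail2ban project. The paths /etc/fail2ban/jail.local and /etc/fail2ban/jail.d/recidive.conf, the 10 minute / 1 week ban times and the admin networks in ignoreip are assumptions; the option names are the standard jail.conf ones, and logpath matches Debian's default logtarget in fail2ban.conf. The script also checks the one thing that is easy to get wrong with recidive: its findtime must be long enough for maxretry base bans to fit inside it, otherwise the jail can never trigger.

```sh
#!/bin/sh
# Added example, not the page's own files: render a jail.local with sane
# defaults and a recidive jail, then sanity-check that the recidive window is
# long enough to ever see a repeat offender. Set ROOT to a scratch directory
# to render without touching /etc (also what the self-test does).
set -e

# Assumed paths and values; the option names are standard jail.conf ones.
JAIL_LOCAL="/etc/fail2ban/jail.local"
RECIDIVE="/etc/fail2ban/jail.d/recidive.conf"
ADMIN_NETS="127.0.0.1/8 ::1"   # put your own management addresses here
BANTIME=600                    # base ban: 10 minutes

path() { printf '%s' "${ROOT:-}$1"; }

# [DEFAULT] applies to every jail: nftables as the ban backend, a short ban
# after 5 failures within 10 minutes, and never ban the admin networks.
write_defaults() {
    mkdir -p "$(dirname "$(path "$JAIL_LOCAL")")"
    cat > "$(path "$JAIL_LOCAL")" <<EOF
[DEFAULT]
ignoreip = $ADMIN_NETS
banaction = nftables-multiport
banaction_allports = nftables-allports
bantime = $BANTIME
findtime = 600
maxretry = 5
EOF
}

# recidive reads fail2ban's own log, so logpath must equal logtarget in
# fail2ban.conf. Times are in seconds (0.9.x has no 1w/1d shorthand):
# 1 week ban on all ports after 5 bans within 1 day.
write_recidive() {
    mkdir -p "$(dirname "$(path "$RECIDIVE")")"
    cat > "$(path "$RECIDIVE")" <<EOF
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = nftables-allports
bantime = 604800
findtime = 86400
maxretry = 5
EOF
}

# Read "key = value" from one section of an ini-style fail2ban file.
ini_get() { # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# A repeat offender only reaches recidive's maxretry if that many base bans
# fit inside recidive's findtime: findtime_recidive >= maxretry * bantime.
check_recidive_window() {
    base_ban=$(ini_get "$(path "$JAIL_LOCAL")" DEFAULT bantime)
    r_find=$(ini_get "$(path "$RECIDIVE")" recidive findtime)
    r_retry=$(ini_get "$(path "$RECIDIVE")" recidive maxretry)
    [ $((base_ban * r_retry)) -le "$r_find" ]
}

# On the live host: dump the parsed config to surface syntax errors, restart,
# and show the jail is up.
apply_live() {
    fail2ban-client -d > /dev/null
    systemctl restart fail2ban
    fail2ban-client status recidive
}

case "${1:-}" in
    render)  write_defaults; write_recidive; check_recidive_window ;;
    install) ROOT=""; write_defaults; write_recidive; check_recidive_window; apply_live ;;
    *)       echo "usage: $0 render|install   (set ROOT=/some/dir for render)" >&2 ;;
esac
```

With the values above a host has to be banned five times (5 x 600 s, plus the failures in between) inside one day before the week-long all-ports ban kicks in. If you raise the base bantime, raise recidive's findtime with it; the check_recidive_window function fails, and so does the render step, when the arithmetic no longer works out.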

Other rules
Jails specific to one program are documented on that program's page. You can see the list of them on the fail2ban category page.