1. Update the system (important on Pi)
sudo apt update && sudo apt upgrade -y
Optional but recommended:
sudo reboot
2. Install Fail2Ban (very lightweight)
sudo apt install fail2ban -y
Memory usage on Pi: ~20–30 MB RAM idle ✅
3. Verify Fail2Ban is running
sudo systemctl status fail2ban
You should see:
Active: active (running)
If not:
sudo systemctl enable --now fail2ban
4. Create your local config (DO NOT edit defaults)
Fail2Ban updates will overwrite defaults — always use .local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Or lighter (recommended for Pi):
sudo nano /etc/fail2ban/jail.local
Paste this minimal + safe config:
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
backend = systemd
ignoreip = 127.0.0.1/8 ::1
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
💡 backend = systemd is faster and more reliable on modern Pi OS.
5. Restart Fail2Ban
sudo systemctl restart fail2ban
6. Confirm SSH jail is active
sudo fail2ban-client status
Expected:
Jail list: sshd
Check banned IPs:
sudo fail2ban-client status sshd
7. Reduce resource usage (IMPORTANT for 1 GB Pi)
Edit:
sudo nano /etc/fail2ban/fail2ban.conf
Set:
loglevel = INFO
logtarget = /var/log/fail2ban.log
Optional: disable polling (systemd handles logs efficiently).
8. Enable log rotation (prevents SD wear)
Check:
sudo nano /etc/logrotate.d/fail2ban
Recommended content:
/var/log/fail2ban.log {
weekly
rotate 4
compress
missingok
notifempty
}
9. Test Fail2Ban (safe test)
From another machine:
ssh wronguser@pi-ip
Fail 5 times → IP gets banned.
Unban yourself:
sudo fail2ban-client set sshd unbanip YOUR_IP
10. Optional hardening (strongly recommended)
Disable SSH passwords
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
Summary (Pi-optimized)
✔ Low RAM usage
✔ SD-card friendly logging
✔ SSH protected
✔ systemd backend
✔ Safe upgrade-proof config
Leave a Reply