
# Tutorial — Firewall + Fail2ban Hardening (Raspberry Pi Security Setup)

Environment used for this guide:

- Hardware: Raspberry Pi 5
- Operating System: Ubuntu Server 25.10 (64-bit)
- Network: Local home network setup
- Services installed: UFW, Fail2ban 

## 1. Install UFW firewall

```bash
sudo apt install ufw -y
```

Set default policies:

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
```

Allow required ports:

```bash
sudo ufw allow 22     # SSH
sudo ufw allow 80     # HTTP
sudo ufw allow 443    # HTTPS
sudo ufw allow 1883   # MQTT
```

Optional: to accept MQTT only from the home network, use this rule instead of `sudo ufw allow 1883`:

```bash
sudo ufw allow from 192.168.178.0/24 to any port 1883   # home network only
```

Enable firewall:

```bash
sudo ufw enable
sudo ufw status
```
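
To confirm that the optional MQTT restriction actually took effect, this added example (not part of the original tutorial) parses plain `sudo ufw status` output and lists every target that is allowed from any source. The function names and both sample outputs are constructed for illustration; the first sample shows that adding the home-network rule on top of the open 1883 rule leaves the port exposed.

```bash
# Added example: audit plain `sudo ufw status` output read from stdin.

# Print every target (port or app profile) that is allowed from any source.
world_open() {
  awk -F'  +' '$2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ { print $1 }'
}

# Exit 0 if PORT (e.g. 1883) is allowed from any source, IPv4 or IPv6.
port_exposed() {
  world_open | grep -Eq "^$1(/(tcp|udp))?( \(v6\))?\$"
}

# Constructed sample: open 1883 rule with the home-network rule added on top.
BOTH_RULES='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
1883                       ALLOW       Anywhere
1883                       ALLOW       192.168.178.0/24
1883 (v6)                  ALLOW       Anywhere (v6)'

# Constructed sample: only the home-network rule exists for 1883.
LAN_ONLY='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
1883                       ALLOW       192.168.178.0/24'

report() {  # usage: report LABEL UFW_STATUS_TEXT
  if printf '%s\n' "$2" | port_exposed 1883; then
    echo "$1: MQTT 1883 is reachable from any address"
  else
    echo "$1: MQTT 1883 is not open to Anywhere"
  fi
}
report "open rule + LAN rule" "$BOTH_RULES"
report "LAN rule only" "$LAN_ONLY"
```

On the Pi, define the two functions in the shell and run `sudo ufw status | port_exposed 1883`; exit status 0 means the broker port is still open to every source.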

---

## 2. Install Fail2ban

```bash
sudo apt install fail2ban -y
```

Enable service:

```bash
sudo systemctl enable fail2ban
```

---

## 3. Configure Fail2ban

```bash
sudo nano /etc/fail2ban/jail.local
```

Insert:

```ini
[sshd]
enabled = true
# Blocks IPs after repeated failed SSH login attempts

[apache-auth]
enabled = true
# Blocks IPs with repeated failed HTTP authentication attempts (e.g. Nextcloud login brute-force)

[apache-badbots]
enabled = true
# Blocks known malicious web crawlers scanning the server

[apache-noscript]
enabled = true
# Blocks requests trying to access suspicious scripts like phpmyadmin, wp-admin, etc.
```

Restart Fail2ban:

```bash
sudo systemctl restart fail2ban
```

Check status:

```bash
sudo fail2ban-client status
sudo ufw status numbered   # check allowed ports
```