fail2ban

Install Fail2Ban

RHEL

sudo yum update && sudo yum install epel-release
sudo yum install fail2ban

Debian

sudo apt update && sudo apt upgrade -y
sudo apt install fail2ban

Config Files

There are two main configuration files in Fail2Ban: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf.

/etc/fail2ban/fail2ban.conf: This is the configuration file for the operational settings of the Fail2Ban daemon. Settings like the log level, log file, socket and pid file are defined here.

/etc/fail2ban/jail.conf: This is where all the magic happens. This is the file where you configure things like the default ban time, the number of retries before an IP is banned, whitelisted IPs, mail notification settings and so on. Basically you control the behavior of Fail2Ban from this file.

Before you change these files, the Fail2Ban project advises keeping your settings in .local copies of them, because the default .conf files can be overwritten by package updates and you would lose all your settings.

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
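The reason the .local copy survives an update is that Fail2Ban reads jail.conf first and then jail.local, so any key set in jail.local wins, and within a file a jail's own section beats [DEFAULT]. The script below is an added example, not code from the article or from the Fail2Ban project: it writes a constructed stand-in for the shipped jail.conf plus a minimal jail.local that holds only the values that change (the alternative to copying the whole file), and the effective_value function resolves the setting Fail2Ban would end up using. The DEMO_DIR location, the effective_value name and the 192.0.2.0/24 range are assumptions for the demo.

```shell
#!/bin/sh
# Added example: Fail2Ban setting precedence, lowest to highest, is
# jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; inside a file a
# [jail] section overrides [DEFAULT]. Everything here lives in a demo
# directory (assumed), never in /etc/fail2ban.

DEMO_DIR="${DEMO_DIR:-${TMPDIR:-/tmp}/fail2ban-demo}"

# Constructed, trimmed stand-in for the distro-shipped jail.conf.
write_demo_jail_conf() {
    mkdir -p "$1"
    cat > "$1/jail.conf" <<'EOF'
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
enabled = false

[sshd]
port = ssh
logpath = %(sshd_log)s
EOF
}

# Minimal jail.local holding only what we actually change. This is the
# pattern the header comments of jail.conf recommend.
write_demo_jail_local() {
    mkdir -p "$1"
    cat > "$1/jail.local" <<'EOF'
[DEFAULT]
bantime = 1h
# never ban the management network (constructed example range)
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

[sshd]
enabled = true
maxretry = 3
EOF
}

# effective_value KEY SECTION FILE...  -> prints the value Fail2Ban would use.
# Files are given lowest-precedence first (later files overwrite earlier ones);
# within a file, [SECTION] beats [DEFAULT].
effective_value() {
    key=$1; section=$2; shift 2
    awk -v key="$key" -v section="$section" '
        FNR == 1 { cur = "" }                       # new file: reset section
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/\].*$/, "", cur); next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (cur == section)        sec_val = v   # later file wins
            else if (cur == "DEFAULT") def_val = v
        }
        END {
            if (sec_val != "")      print sec_val
            else if (def_val != "") print def_val
        }' "$@"
}

write_demo_jail_conf "$DEMO_DIR"
write_demo_jail_local "$DEMO_DIR"
for k in enabled maxretry bantime findtime port ignoreip; do
    printf 'sshd %-9s -> %s\n' "$k" \
        "$(effective_value "$k" sshd "$DEMO_DIR/jail.conf" "$DEMO_DIR/jail.local")"
done
```

Running it shows maxretry resolved to 3 and enabled to true from the [sshd] section of jail.local, bantime to 1h from its [DEFAULT], and findtime and port falling through to jail.conf because jail.local never mentions them.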

If I remove the comments, the default section looks like this:

[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(name)s[mode=%(mode)s]
destemail = root@localhost
sender = root@
mta = sendmail
protocol = tcp
chain =
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_abuseipdb = abuseipdb
action = %(action_)s

  • bantime: The length of the ban. Default is 10 minutes.

  • findtime: The window in which failed attempts from an IP are counted. Default is 10 minutes. Suppose a bad login was attempted from a certain IP at 10:30. If the same IP reaches the maximum number of retries before 10:40, it will be banned. Otherwise, the next failed attempt after 10:40 is counted as the first failed attempt again.

  • maxretry: The number of failed retries before an action is taken.

  • usedns: The “warn” setting attempts to use reverse DNS to look up the hostname and ban it using the hostname. Setting it to no will ban IPs, not hostnames.

  • destemail: The email address to which the alerts will be sent (needs to be configured).

  • sender: The sender name in the notification email.

  • mta: The Mail Transfer Agent used for the notification email.

  • banaction: Uses the /etc/fail2ban/action.d/iptables-multiport.conf action to define what happens once the maximum number of failed retries is reached.

  • protocol: The protocol of the traffic that will be dropped after the ban.
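The findtime and maxretry interaction above is easiest to see on concrete timestamps. The script below is an added example, not code from the article or from Fail2Ban itself: ban_time takes findtime in seconds and maxretry, reads one HH:MM:SS failure time per line for a single source (constructed data), keeps a sliding window of failures no older than findtime, and prints the time of the failure that trips the ban, or "none". The function name and the HH:MM:SS input format are assumptions for the demo; Fail2Ban itself works on the timestamps it parses from the monitored log.

```shell
#!/bin/sh
# Added example: sliding-window counting behind findtime/maxretry.
# Input: one HH:MM:SS failure timestamp per line for one IP (constructed).
# Output: the timestamp at which the ban triggers, or "none".

# ban_time FINDTIME_SECONDS MAXRETRY  < timestamps
ban_time() {
    awk -v findtime="$1" -v maxretry="$2" '
        function to_sec(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        {
            now = to_sec($1)
            # drop failures that fell out of the window [now - findtime, now]
            n = 0
            for (i = 1; i <= count; i++)
                if (fails[i] >= now - findtime) kept[++n] = fails[i]
            for (i = 1; i <= n; i++) fails[i] = kept[i]
            count = n
            # record this failure and test the threshold
            fails[++count] = now
            if (count >= maxretry) { print $1; banned = 1; exit }
        }
        END { if (!banned) print "none" }'
}

# Five failures inside ten minutes: banned at the fifth (constructed data).
BURST='10:30:00
10:33:00
10:36:00
10:39:00
10:39:30'

# One failure every eleven minutes: each one is the "first" again, never banned.
SLOW='10:30:00
10:41:00
10:52:00
11:03:00
11:14:00'

printf 'burst -> %s\n' "$(printf '%s\n' "$BURST" | ban_time 600 5)"
printf 'slow  -> %s\n' "$(printf '%s\n' "$SLOW"  | ban_time 600 5)"
```

With findtime = 600 and maxretry = 5, the burst is banned at 10:39:30 because the 10:30:00 failure is still inside the ten-minute window, while the slow series never accumulates more than one failure per window. Lowering findtime to 300 lets the same burst through, which is the trade-off to keep in mind when tuning these two values together.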

Enable Fail2Ban

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Once Fail2Ban is enabled, you can see the status and the active jails with fail2ban-client command:

fail2ban-client status

Output:

Status
|- Number of jail: 1
`- Jail list: sshd

The Fail2Ban log is located at /var/log/fail2ban.log. The log entries are in the following format:

2019-03-25 07:09:08,004 fail2ban.filter [25630]: INFO [sshd] Found 139.59.69.76 - 2019-03-25 07:09:07
2019-03-25 07:09:36,756 fail2ban.filter [25630]: INFO [sshd] Found 159.89.205.213 - 2019-03-25 07:09:36
2019-03-25 07:09:36,757 fail2ban.filter [25630]: INFO [sshd] Found 159.89.205.213 - 2019-03-25 07:09:36
2019-03-25 07:09:36,774 fail2ban.actions [25630]: NOTICE [sshd] Ban 159.89.205.213
2019-03-25 07:09:36,956 fail2ban.filter [25630]: INFO [sshd] Found 182.70.253.202 - 2019-03-25 07:09:36
2019-03-25 07:09:36,957 fail2ban.filter [25630]: INFO [sshd] Found 182.70.253.202 - 2019-03-25 07:09:36
2019-03-25 07:09:36,981 fail2ban.actions [25630]: NOTICE [sshd] Ban 182.70.253.202
2019-03-25 07:09:37,247 fail2ban.filter [25630]: INFO [sshd] Found 112.64.214.90 - 2019-03-25 07:09:37
2019-03-25 07:09:37,248 fail2ban.filter [25630]: INFO [sshd] Found 112.64.214.90 - 2019-03-25 07:09:37
2019-03-25 07:09:37,589 fail2ban.actions [25630]: NOTICE [sshd] Ban 112.64.214.90
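"Found" lines come from the filter matching a failure in the monitored log; "Ban" lines come from the action actually firing. When reviewing this log it is useful to roll it up per source address. The script below is an added example, not code from the article or from Fail2Ban: ban_summary prints one line per IP with the jail, the number of Found events and the number of Ban events, and banned_ips lists each banned address once. The sample log is constructed from the lines shown above; the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: summarise fail2ban.log per source IP.
# Field layout of a log line:
#   $1 date  $2 time  $3 component  $4 [pid]:  $5 level  $6 [jail]  $7 verb  $8 IP ...

# Constructed sample, built from the log lines shown in the article.
SAMPLE_LOG='2019-03-25 07:09:08,004 fail2ban.filter [25630]: INFO [sshd] Found 139.59.69.76 - 2019-03-25 07:09:07
2019-03-25 07:09:36,756 fail2ban.filter [25630]: INFO [sshd] Found 159.89.205.213 - 2019-03-25 07:09:36
2019-03-25 07:09:36,757 fail2ban.filter [25630]: INFO [sshd] Found 159.89.205.213 - 2019-03-25 07:09:36
2019-03-25 07:09:36,774 fail2ban.actions [25630]: NOTICE [sshd] Ban 159.89.205.213
2019-03-25 07:09:36,956 fail2ban.filter [25630]: INFO [sshd] Found 182.70.253.202 - 2019-03-25 07:09:36
2019-03-25 07:09:36,957 fail2ban.filter [25630]: INFO [sshd] Found 182.70.253.202 - 2019-03-25 07:09:36
2019-03-25 07:09:36,981 fail2ban.actions [25630]: NOTICE [sshd] Ban 182.70.253.202
2019-03-25 07:09:37,247 fail2ban.filter [25630]: INFO [sshd] Found 112.64.214.90 - 2019-03-25 07:09:37
2019-03-25 07:09:37,248 fail2ban.filter [25630]: INFO [sshd] Found 112.64.214.90 - 2019-03-25 07:09:37
2019-03-25 07:09:37,589 fail2ban.actions [25630]: NOTICE [sshd] Ban 112.64.214.90'

# ban_summary < log  -> "IP jail found_count ban_count unban_count", one line per IP
ban_summary() {
    awk '
        $7 == "Found" || $7 == "Ban" || $7 == "Unban" {
            ip = $8; j = $6; gsub(/[][]/, "", j)     # strip brackets from [sshd]
            jail[ip] = j
            if ($7 == "Found") found[ip]++
            else if ($7 == "Ban") ban[ip]++
            else unban[ip]++
        }
        END {
            for (ip in jail)
                print ip, jail[ip], found[ip] + 0, ban[ip] + 0, unban[ip] + 0
        }' | sort
}

# banned_ips < log  -> each IP that received a Ban, once
banned_ips() {
    awk '$7 == "Ban" { print $8 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | ban_summary
printf 'banned: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | banned_ips | wc -l | tr -d ' ')"
```

On the sample this shows three addresses banned after two Found events each, and 139.59.69.76 seen once but not banned, which is exactly what maxretry = 5 would not explain; the article's excerpt is simply cut short, and this rollup is the quickest way to spot such gaps or an IP that keeps getting banned and unbanned in a loop.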

See banned IPs

fail2ban-client status <jail_name>

Unban IPs

fail2ban-client set <jail_name> unbanip <ip_address>

Whitelist IPs

fail2ban-client set <jail_name> addignoreip <ip_address>

Remove IPs from Whitelist

fail2ban-client set <jail_name> delignoreip <ip_address>