Jeff McNeill > Articles > Software > Linux > Fail2ban

Fail2ban

by

Fail2ban is a security service that monitors the logs of common services (usually sshd and nginx). It uses a filter to identify an abnormality, then passes the IP address of the intruder to a firewall program (iptables or ufw, commonly).

Contents
Files and configuration
Example Fail2ban jail.local file
Starting and enabling Fail2ban
Reloading Fail2ban
Fail2ban-client
Other Fail2ban commands
Systemd
Log files and Systemd
Python3-systemd
Check if there would be a match vs. current logs:

Files and configuration

Install Fail2ban with sudo apt install fail2ban.

The context for this configuration includes the use of Nginx and UFW. If one uses Apache and/or IPtables or other services, the configuration will differ. Note also that one can simply use Nginx to do the banning, if that is the only service one wants to use (and not have a firewall).

  • Every .conf file can be overridden by a .local file, and it reads the .conf file first and then overrides with .local.
  • The main files are fail2ban.conf and jail.conf

After installing fail2ban the important file is a local /etc/fail2ban/jail.local (though some instructions instead put a custom.conf file in /etc/fail2ban/jail.d/ instead). Note that copying jail.conf to jail.local is a useless redundancy, as jail.local overrides anything in jail.conf.

Example Fail2ban jail.local file

[DEFAULT]
bantime = 1d
findtime = 1d
ignoreip = 127.0.0.1/8 192.168.0.0/16
maxretry = 1

banaction = ufw
banaction_allports = ufw

[nginx-bad-request]
enabled  = true
port     = http,https
filter   = nginx-bad-request
logpath  = /var/log/nginx/access.log

[nginx-botsearch]
enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /var/log/nginx/access.log

[nginx-error-common]
enabled  = true
port     = http,https
filter   = nginx-error-common
logpath  = /var/log/nginx/access.log

[nginx-forbidden]
enabled  = true
port     = http,https
filter   = nginx-forbidden
logpath  = /var/log/nginx/access.log

[nginx-http-auth]
enabled  = true
port     = http,https
filter   = nginx-http-auth
logpath  = /var/log/nginx/access.log

[nginx-limit-req]
enabled  = true
port     = http,https
filter   = nginx-limit-req
logpath  = /var/log/nginx/access.log

[sshd]
enabled  = true
port     = ssh
filter   = sshd[mode=aggressive]

Note that the above are for nginx filters that already come with fail2ban.

Starting and enabling Fail2ban

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status

See also specific info for a given jail, such as:

sudo fail2ban-client status sshd

Reloading Fail2ban

(rarely have to use restart)

sudo systemctl reload fail2ban
sudo systemctl status fail2ban

Fail2ban-client

sudo fail2ban-client status

This will give statistics on number of jails, requests and bans.

Other Fail2ban commands

Systemd

Log files and Systemd

Systemd which is the default source for all filters as of Trixie, doesn't use the standard log files, and in some sense hides the actual files. Folks tend to answer to use journalctl to look at log files, but don't say where such files are kept. Here are a few ways to see stuff from fail2ban:

grep -rsh sshd /var/log |sort

journalctl _SYSTEMD_UNIT=sshd.service + _COMM=sshd

journalctl -u ssh.service

sudo dmesg | grep '\[UFW'

Python3-systemd

This may need to be installed

sudo apt install python3-systemd

Check if there would be a match vs. current logs:

To check whether fail2ban would match anything in systemd journal use fail2ban-regex:

## aggressive mode:
fail2ban-regex systemd-journal 'sshd[mode=aggressive]'

## messages only:
fail2ban-regex -o msg systemd-journal 'sshd[mode=aggressive]'

## normal mode:
fail2ban-regex systemd-journal sshd

## messages only:
fail2ban-regex -o msg systemd-journal sshd

grep -rsh fail2ban /var/log | goaccess --log-format=COMBINED

See also: How fail2ban works

We use cookies only for WordPress functionality, and do not use third-party analytics or tracking.
Accept
Privacy Policy