Fail2ban

Fail2ban is a security service that monitors the logs of common services (usually sshd and nginx). It matches log lines against a filter to identify failed or abusive requests, then passes the offending IP address to a firewall program (commonly iptables or ufw) to be banned.

Files and configuration

Install Fail2ban with sudo apt install fail2ban.

The context for this configuration includes the use of Nginx and UFW. If one uses Apache and/or iptables or other services, the configuration will differ. Note also that if Nginx is the only service being protected, one can have Nginx itself do the banning instead of a firewall.

  • Every .conf file can be overridden by a .local file: Fail2ban reads the .conf file first and then applies the overrides from the .local file.
  • The main files are fail2ban.conf and jail.conf.

After installing fail2ban, the important file is a local /etc/fail2ban/jail.local (though some instructions instead put a custom.conf file in /etc/fail2ban/jail.d/). Note that copying jail.conf to jail.local is a useless redundancy, as jail.local overrides anything in jail.conf.

Example Fail2ban jail.local file

[DEFAULT]
# 1d = one day. With maxretry = 1 a single failure within findtime triggers a ban.
bantime = 1d
findtime = 1d
# Never ban loopback or the local LAN.
ignoreip = 127.0.0.1/8 192.168.0.0/16
maxretry = 1

# Ban through UFW rather than raw iptables rules.
banaction = ufw
banaction_allports = ufw

# These two filters match lines in the nginx access log.
[nginx-bad-request]
enabled  = true
port     = http,https
filter   = nginx-bad-request
logpath  = /var/log/nginx/access.log

[nginx-botsearch]
enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /var/log/nginx/access.log

# The remaining nginx filters match lines in the nginx error log, not the
# access log (Fail2ban's own jail.conf points them at the error log too).
[nginx-error-common]
enabled  = true
port     = http,https
filter   = nginx-error-common
logpath  = /var/log/nginx/error.log

[nginx-forbidden]
enabled  = true
port     = http,https
filter   = nginx-forbidden
logpath  = /var/log/nginx/error.log

[nginx-http-auth]
enabled  = true
port     = http,https
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log

[nginx-limit-req]
enabled  = true
port     = http,https
filter   = nginx-limit-req
logpath  = /var/log/nginx/error.log

# logpath for sshd comes from the defaults in jail.conf.
[sshd]
enabled  = true
port     = ssh
filter   = sshd

Note that the jails above use nginx filters that already ship with Fail2ban; each jail's filter setting names a filter of the same name.

Starting and enabling Fail2ban

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status

Reloading Fail2ban

(a full restart is rarely needed; a reload picks up configuration changes)

sudo systemctl reload fail2ban
sudo systemctl status fail2ban

Fail2ban-client

sudo fail2ban-client status

This reports the number of jails and, per jail, statistics on failed requests and bans.

Other Fail2ban commands
