Fail2ban is an intrusion-prevention daemon that watches the logs of services such as sshd and Nginx. A filter (a set of regular expressions) matches failure lines and extracts the offending IP address; once a host reaches maxretry matches within findtime, an action hands that address to the firewall (iptables, nftables or ufw, commonly), which blocks it for bantime.
Files and configuration
Install Fail2ban with:
sudo apt install fail2ban
The configuration below assumes Nginx and UFW. With Apache, iptables/nftables or other services the jail names, filters, log paths and banaction differ. Fail2ban can also ban at the Nginx level instead of in a firewall (for example with the nginx-block-map action it ships), if Nginx is the only service being protected.
- Every .conf file can be overridden by a .local file: fail2ban reads the .conf file first and then applies the .local file on top of it.
- The main files are fail2ban.conf and jail.conf.
After installing fail2ban, the important file is a locally written /etc/fail2ban/jail.local (some instructions instead put a custom .conf or .local file in /etc/fail2ban/jail.d/). The jail files are read in the order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, and later files override earlier ones key by key, so jail.local only needs to contain the settings being changed. Copying the whole of jail.conf to jail.local is a useless redundancy: every setting is overridden with an identical value, and it hides which ones were deliberately changed.
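Added example, not fail2ban's own code: a short Python script that reproduces the layering rules with configparser (which fail2ban's configuration reader is built on). It writes a constructed jail.conf, jail.local and jail.d/nginx.local into a temporary directory, reads them in the order documented above, and returns the effective per-jail values, including a %(nginx_error_log)s reference resolved from [DEFAULT]. The file contents are made up for the demo and are not copied from a real installation.

```python
"""Demonstrate how fail2ban layers its jail configuration.

Added example, not fail2ban's code. Reading the files in the documented order
(jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) with one configparser
reproduces the override rules: later files win key by key, unset keys keep
the earlier value, and [DEFAULT] values are inherited by every jail.
"""
import configparser
import glob
import os
import tempfile

# Constructed stand-ins (assumption: not a real jail.conf) for the shipped
# defaults and two minimal local overrides.
JAIL_CONF = """\
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
backend = auto
nginx_error_log = /var/log/nginx/error.log

[sshd]
enabled = false
port = ssh

[nginx-http-auth]
enabled = false
port = http,https
logpath = %(nginx_error_log)s
"""

JAIL_LOCAL = """\
[DEFAULT]
bantime = 1d
maxretry = 1

[sshd]
enabled = true
filter = sshd[mode=aggressive]
"""

JAIL_D_LOCAL = """\
[nginx-http-auth]
enabled = true
maxretry = 3
"""


def load_layered(etc_dir: str) -> configparser.ConfigParser:
    """Read the jail files in fail2ban's documented precedence order."""
    order = (
        [os.path.join(etc_dir, "jail.conf")]
        + sorted(glob.glob(os.path.join(etc_dir, "jail.d", "*.conf")))
        + [os.path.join(etc_dir, "jail.local")]
        + sorted(glob.glob(os.path.join(etc_dir, "jail.d", "*.local")))
    )
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read(order)  # files that do not exist are skipped, as in fail2ban
    return cp


def effective_settings(etc_dir: str) -> dict:
    """Return the merged per-jail settings a practitioner usually checks."""
    cp = load_layered(etc_dir)
    out = {}
    for jail in cp.sections():  # sections() never includes DEFAULT
        out[jail] = {
            "enabled": cp.getboolean(jail, "enabled"),
            "bantime": cp.get(jail, "bantime"),          # inherited from DEFAULT
            "maxretry": cp.getint(jail, "maxretry"),
            "logpath": cp.get(jail, "logpath", fallback=None),  # %(...)s resolved
        }
    return out


def build_demo_tree() -> str:
    """Write the constructed files into a temporary /etc/fail2ban look-alike."""
    root = tempfile.mkdtemp(prefix="f2b-demo-")
    os.mkdir(os.path.join(root, "jail.d"))
    with open(os.path.join(root, "jail.conf"), "w") as fh:
        fh.write(JAIL_CONF)
    with open(os.path.join(root, "jail.local"), "w") as fh:
        fh.write(JAIL_LOCAL)
    with open(os.path.join(root, "jail.d", "nginx.local"), "w") as fh:
        fh.write(JAIL_D_LOCAL)
    return root


if __name__ == "__main__":
    for jail, cfg in effective_settings(build_demo_tree()).items():
        print(jail, cfg)
```

The sshd jail ends up with bantime = 1d and maxretry = 1 from jail.local's [DEFAULT] without those keys ever being written under [sshd], while the nginx-http-auth jail keeps its logpath from jail.conf and takes maxretry = 3 from jail.d/nginx.local. On a live system the same merged view is available with fail2ban-client -d (or --dp for a readable dump).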
Example Fail2ban jail.local file
[DEFAULT]
bantime = 1d
findtime = 1d
ignoreip = 127.0.0.1/8 192.168.0.0/16
maxretry = 1
banaction = ufw
banaction_allports = ufw
[nginx-bad-request]
enabled = true
port = http,https
filter = nginx-bad-request
backend = auto
logpath = /var/log/nginx/access.log
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
backend = auto
logpath = /var/log/nginx/access.log
[nginx-error-common]
enabled = true
port = http,https
filter = nginx-error-common
backend = auto
logpath = /var/log/nginx/error.log
[nginx-forbidden]
enabled = true
port = http,https
filter = nginx-forbidden
backend = auto
logpath = /var/log/nginx/error.log
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
backend = auto
logpath = /var/log/nginx/error.log
[nginx-limit-req]
enabled = true
port = http,https
filter = nginx-limit-req
backend = auto
logpath = /var/log/nginx/error.log
[sshd]
enabled = true
port = ssh
filter = sshd[mode=aggressive]
All of the filters named above ship with fail2ban (see /etc/fail2ban/filter.d/). Three things to check before enabling them:
- logpath must be the log the filter actually parses. nginx-http-auth, nginx-limit-req, nginx-forbidden and nginx-error-common match lines of the Nginx error log (/var/log/nginx/error.log, also available as %(nginx_error_log)s from paths-common.conf); pointed at access.log they never match anything. nginx-bad-request and nginx-botsearch match access-log lines. Verify with fail2ban-regex /var/log/nginx/error.log nginx-http-auth before trusting a jail.
- The Nginx jails read files, so they need a file backend (backend = auto) in case a systemd backend is set globally for the journal-based jails. Confirm what a jail is really watching with sudo fail2ban-client get nginx-http-auth logpath.
- maxretry = 1 with findtime = 1d bans a host for a day on a single match. For nginx-bad-request that includes legitimate clients that send one malformed request, so a higher per-jail maxretry (3 is common) for the web jails is the usual compromise; ignoreip is what keeps the local network out of that.
Starting and enabling Fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status
See also specific info for a given jail, such as:
sudo fail2ban-client status sshd
Reloading Fail2ban
(a reload re-reads jail.local and the filters; a full restart is rarely needed, and sudo fail2ban-client reload does the same thing)
sudo systemctl reload fail2ban
sudo systemctl status fail2ban
Fail2ban-client
sudo fail2ban-client status
This lists the running jails; sudo fail2ban-client status <jail> adds the filter's currently/total failed counts, the log files being watched, and the currently/total banned addresses.
Other Fail2ban commands
- A variety of other commands (unbanning an address with fail2ban-client unban <ip>, inspecting a jail's effective settings with fail2ban-client get <jail> <setting>) are listed by fail2ban-client --help.
Systemd
Log files and Systemd
Systemd's journal, which is the default log source for all filters as of Trixie, replaces the plain-text files under /var/log: the journal is stored in binary form under /var/log/journal (or /run/log/journal when it is not persistent) and is read with journalctl, which is why answers that say "use journalctl" never name a file. Fail2ban's own record of matches and bans is /var/log/fail2ban.log, and sudo ufw status numbered shows the rules it has inserted. Here are a few ways to see the lines fail2ban reads and the blocks UFW applies:
## plain-text logs, only present if rsyslog (or similar) is installed:
grep -rsh sshd /var/log | sort
## the journal match the sshd filter itself uses; on Debian the unit is ssh.service, so the _COMM=sshd half is what matches:
journalctl _SYSTEMD_UNIT=sshd.service + _COMM=sshd
journalctl -u ssh.service
## kernel-level UFW log lines (default-policy blocks; fail2ban's reject rules only show up here if ufw logging is on):
sudo dmesg | grep '\[UFW'
Python3-systemd
The systemd backend needs the python3-systemd bindings; install them if they are missing (fail2ban logs an error about the systemd backend at start-up when they are):
sudo apt install python3-systemd
Checking whether a filter matches the current logs
To check whether fail2ban would match anything in the systemd journal, use fail2ban-regex (with systemd-journal as the log argument it applies the filter's own journalmatch):
## aggressive mode:
fail2ban-regex systemd-journal 'sshd[mode=aggressive]'
## messages only:
fail2ban-regex -o msg systemd-journal 'sshd[mode=aggressive]'
## normal mode:
fail2ban-regex systemd-journal sshd
## messages only:
fail2ban-regex -o msg systemd-journal sshd
To summarise what the web server itself saw, feed goaccess the Nginx access log (it parses web-server logs, not fail2ban's own log):
goaccess /var/log/nginx/access.log --log-format=COMBINED
See also: How fail2ban works