What is fail2ban?
fail2ban is a popular security framework that blocks malicious IP addresses by scanning log files for repeated failures. It is written in Python.
To install fail2ban on Ubuntu 18.04, follow the steps below.
sudo apt update
sudo apt install -y fail2ban
In /etc/fail2ban, you can find a number of config files. As per standard practice, we should not edit them directly, because a package upgrade can overwrite them. Instead, local files should be created, which override the original files. Let's create the local files first.
touch /etc/fail2ban/fail2ban.local
touch /etc/fail2ban/jail.local
A local file doesn’t have to include everything from the corresponding config file, only those settings that you wish to override.
Open /etc/fail2ban/fail2ban.conf in your favourite editor, such as vim or nano. Here you can see common options like loglevel, log location, pid file location etc. You can define them again in /etc/fail2ban/fail2ban.local to change their values. Most of the time, you don't need to change them.
[Definition]
# change loglevel - CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
loglevel = INFO
# change log file location if required
logtarget = /var/log/fail2ban.log
# change pidfile location if required
pidfile = /var/run/fail2ban/fail2ban.pid
Now open the /etc/fail2ban/jail.conf file. The configuration of the jails is stored here. First comes the DEFAULT section; after it, jails for individual applications are added. Default values for all jails are set in the DEFAULT section, so we only need to override the required options in individual jails. All jails are disabled by default; we will enable them in jail.local. Let's open /etc/fail2ban/jail.local and add the content below.
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 15m
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime = 15m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 6
How to enable common Jails
After overriding the DEFAULT section, let's enable jails for common applications. Add the content below to /etc/fail2ban/jail.local to enable them.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
# jail for apache auth
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = true
logpath = /var/log/apache*/*error.log
[apache-badbots]
enabled = true
logpath = /var/log/apache*/*access.log
[nginx-http-auth]
enabled = true
[nginx-botsearch]
enabled = true
Once the configuration is done, save the file and start the fail2ban service using the commands below.
# start service
systemctl start fail2ban.service
# see current status of service - is it running or not
systemctl status fail2ban.service
# stop fail2ban service
systemctl stop fail2ban.service
# restart fail2ban
systemctl restart fail2ban.service
# enable service to start on reboot
systemctl enable fail2ban.service
How to see which jails are enabled
To see which jails are enabled, use the command below.
How to ignore own IPs
To stop fail2ban from blocking our own IPs, we can add them to the DEFAULT section as below (space-separated; single addresses and CIDR ranges are both accepted).
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/32
How to unblock IP
Many times we can end up blocking our own IPs by mistake. For example, suppose your colleague forgot the SSH password and tried to log in many times with the wrong password, which gets his own IP banned. You can check whether the IP is really blocked by viewing the iptables rules using the command below.
Another way to see such IPs is using fail2ban-client. Run the command below to see the IPs blocked by a specific jail.
fail2ban-client status <jailname>
e.g.
fail2ban-client status sshd
In such cases, you can easily unblock the IP using the command below.
fail2ban-client set <jailname> unbanip <ip-address>
e.g.
fail2ban-client set ssh unbanip 192.168.0.1
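When a colleague reports being locked out, the safe sequence is to confirm the address really is in the jail's banned list before issuing the unban. The following is an added example, not part of the original post or of fail2ban's own tooling: it parses the text that fail2ban-client status <jailname> prints (the sample below is constructed to resemble that output, with documentation addresses) and builds the matching unbanip command only for an address that is actually banned. The jail name ssh is the one defined earlier in this post.

```python
from ipaddress import ip_address

# Constructed sample resembling the output of `fail2ban-client status ssh`.
SAMPLE_STATUS = """\
Status for the jail: ssh
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     19
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.5 198.51.100.7
"""

COUNTERS = ("Currently failed", "Total failed", "Currently banned", "Total banned")


def parse_jail_status(text):
    """Turn the tree-style status listing into a dict.

    Returns keys: jail, files (list), banned (list of str), and the four counters.
    """
    info = {"banned": [], "files": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # structural lines such as "|- Filter" carry no value
        key = key.strip(" |`-")  # drop the tree-drawing prefix
        value = value.strip()
        if key == "Status for the jail":
            info["jail"] = value
        elif key == "Banned IP list":
            info["banned"] = value.split()
        elif key == "File list":
            info["files"] = value.split()
        elif key in COUNTERS:
            info[key] = int(value)
    return info


def is_banned(status, ip):
    """True if ip appears in the jail's current ban list (normalised comparison)."""
    return ip_address(ip) in {ip_address(b) for b in status["banned"]}


def unban_command(status, ip):
    """Return the fail2ban-client command that would lift the ban, or None if not banned."""
    if not is_banned(status, ip):
        return None
    return f"fail2ban-client set {status['jail']} unbanip {ip}"


if __name__ == "__main__":
    status = parse_jail_status(SAMPLE_STATUS)
    print(status["jail"], "currently banned:", status["banned"])
    print(unban_command(status, "203.0.113.5"))  # fail2ban-client set ssh unbanip 203.0.113.5
    print(unban_command(status, "192.168.0.1"))  # None, nothing to unban
```

Returning None instead of a command for an address that is not banned avoids the common mistake of unbanning blindly and then assuming the lockout was fail2ban's doing when the real cause was elsewhere (a firewall rule, or a wrong key).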
How to block IP manually
To block an IP manually, use the command below.
fail2ban-client set <jailname> banip <ip-address>
e.g.
fail2ban-client set ssh banip 192.168.0.1