Installing And Using Fail2Ban

Fail2Ban is an intrusion-prevention tool that works with your firewall: it watches your log files continuously, and when it sees log entries that trigger a rule you set (called a jail), such as X failed SSH login attempts, it bans the offending IP address for X seconds.

Installing Fail2Ban

Configure Fail2Ban

Copy the example configuration over

Open the configuration file for editing

Modify The Default Settings

In the default section of the configuration file you will find the following entries. Make sure your ignoreip setting is set as shown below so that fail2ban skips any log entries that come from the server itself.

The bantime and maxretry entries are generic settings that control how long fail2ban will block the offending IP address and how many times an entry has to show up in a log file before a banning action is taken. These values are the default bantime and maxretry settings for all jails, but they can be overridden in each jail's configuration.

Getting Email Notifications Of Banned IPs

You need to have sendmail or another mail transfer agent installed in order for this function to work; installing and configuring one is out of the scope of this how-to.

In the configuration file look for the line below and change the email address to your email address.

Then look for the following line

and change it to

This will send you an email every time fail2ban bans an IP address. The email will also include whois information for that IP address.

Jail Configuration

Jails are the rules fail2ban uses to analyze logs and decide when to take action. Some of the sections below may already be included in your configuration file. If they are, feel free to modify them as shown below; if they don't exist, you can copy and paste the following to protect each given service. If you don't run a service, there's no need to add its jail. Each jail section looks pretty much the same:

Below are some jails that ship with Fail2Ban by default and protect common services. Feel free to tweak them as your site needs/allows.

Start Fail2Ban Service

Once done, restart fail2ban to put your settings into effect.

Testing Installation

To test fail2ban, first look at the current iptables rules:

Then attempt to trigger a service that fail2ban is monitoring from another machine (traffic from the server itself is not analyzed because of the ignoreip setting), for example by logging into SSH 3 times with a wrong password. Afterwards look at the iptables rules again to see whether your IP address is blocked.

Add Custom Filters

If you wish to tweak or add log filters, you can add them in /etc/fail2ban/filter.d.

There are lots of third-party scripts out there that you can download and add to your installation for things like oracle / postgres / sendmail and so on.

Just remember to add them to your jails as well and restart the fail2ban service in order to activate them.
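To make the jail settings and the filter format concrete, here is an added Python sketch (not part of the original how-to and not Fail2Ban's own code) that applies a fail2ban-style failregex with the `<HOST>` placeholder to constructed sshd log lines and reproduces the ignoreip / maxretry / findtime / bantime logic a jail uses. The log lines, the documentation-range addresses and the jail values are assumptions chosen for the example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Jail settings in the spirit of a fail2ban jail section (hypothetical values).
IGNOREIP = ["127.0.0.1/8"]   # never ban the server itself
MAXRETRY = 3                 # failures needed before a ban
FINDTIME = 600               # seconds in which those failures must occur
BANTIME = 3600               # seconds the ban lasts
# Filter written in fail2ban's failregex style; <HOST> marks where the IP appears.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2$"
                       .replace("<HOST>", r"(?P<host>\S+)"))

# Constructed sample sshd log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Mar  3 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.10 port 51001 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.10 port 51002 ssh2
Mar  3 10:00:20 host sshd[1004]: Failed password for root from 127.0.0.1 port 51003 ssh2
Mar  3 10:00:21 host sshd[1005]: Failed password for root from 127.0.0.1 port 51004 ssh2
Mar  3 10:00:22 host sshd[1006]: Failed password for root from 127.0.0.1 port 51005 ssh2
Mar  3 10:30:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar  3 10:31:00 host sshd[1008]: Failed password for root from 198.51.100.7 port 51007 ssh2
Mar  3 11:00:00 host sshd[1009]: Failed password for root from 198.51.100.7 port 51008 ssh2
"""

def parse_syslog_time(line):
    # 'Mar  3 10:00:01' -> datetime (the year is irrelevant for the window maths)
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{month} {int(day):02d} {clock}", "%b %d %H:%M:%S")

def is_ignored(host):
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)

def scan(log_text):
    """Return {host: ban_expiry} for hosts with MAXRETRY failures inside one FINDTIME window."""
    recent, bans = defaultdict(list), {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m or is_ignored(m.group("host")) or m.group("host") in bans:
            continue
        host, now = m.group("host"), parse_syslog_time(line)
        # keep only failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if now - t <= timedelta(seconds=FINDTIME)] + [now]
        if len(recent[host]) >= MAXRETRY:
            bans[host] = now + timedelta(seconds=BANTIME)
    return bans

print({h: t.strftime("%H:%M:%S") for h, t in scan(SAMPLE_LOG).items()})
```

Only 203.0.113.10 gets banned: 127.0.0.1 is skipped by ignoreip, and 198.51.100.7 also fails three times but its attempts are spread over more than findtime seconds, which is why findtime matters as much as maxretry when tuning a jail.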