Hello, fellow SysAdmin 🥷
In the last few days of March 2023, Alhamdulillah, I made several posts about Fail2Ban:
- Protect SSH with Fail2Ban
- Protect MySQL Auth with Fail2Ban
- Protect Nginx Auth with Fail2Ban
- Protect Wordpress Login in Docker container with Fail2Ban
- Fail2ban with Cloudflare
- Email Notification Fail2ban with MSMTP
This is my first time learning a firewall tool besides CSF and UFW.
Fail2ban scans log files (e.g. /var/log/httpd/error_log) and bans IPs that show malicious signs, like too many password failures, seeking for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. [ArchLinux wiki]
To start using fail2ban, install the package with:
The essential file when configuring fail2ban is jail.local. jail.local contains all the profiles, called "jails", that define the services we want to protect.
jail.local overrides the settings in jail.conf. You should not modify jail.conf directly, because jail.conf will probably be overwritten or improved in a distribution update; jail.local is the file you modify to your needs.
[DEFAULT] settings are applied to every jail, and a setting in a jail section overrides the [DEFAULT] value. For example:
You can see maxretry defined twice, in different sections.
For the [sshd] jail it means that if there are 5 failed attempts within 1 day, the IP will be banned for 604800 seconds. [sshd] defines its own maxretry, so it overrides the [DEFAULT] setting.
For the [cf-wplogin] jail it means that if there are 2 failed attempts within 100 seconds, the IP will be banned for 86400 seconds. [cf-wplogin] does not define maxretry, so it uses the [DEFAULT] setting. But it does define bantime, so IPs will be banned for only 86400 seconds rather than the [DEFAULT] 604800 seconds.
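To make the layering concrete, here is an added example (my own, not the post's configuration or fail2ban's code) that reads a jail.conf-style file and a jail.local-style file the way fail2ban does, later file overriding the earlier one key by key and [DEFAULT] filling in whatever a jail section does not set. Both config texts are constructed: the jail.local reproduces the two jails described above, but the [DEFAULT] values (maxretry = 2, findtime = 100, bantime = 604800) and the jail.conf contents are assumptions chosen so the jails behave as stated. The helper `explicit_keys` shows which options a jail sets itself versus inherits, which is exactly the difference between [sshd] and [cf-wplogin] in the post.

```python
"""Resolve the effective fail2ban settings of each jail when jail.local overrides jail.conf."""
import configparser
import re

# Constructed stand-in for a distribution jail.conf (values are assumptions,
# not copied from any real package); this is NOT the post's own file.
JAIL_CONF = """\
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5

[sshd]
port    = ssh
logpath = /var/log/auth.log
"""

# Constructed jail.local reproducing the rules the post describes; the
# [DEFAULT] values are assumptions chosen so both jails behave as stated.
JAIL_LOCAL = """\
[DEFAULT]
maxretry = 2
findtime = 100
bantime  = 604800

[sshd]
enabled  = true
maxretry = 5
findtime = 1d

[cf-wplogin]
enabled  = true
bantime  = 86400
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Convert a fail2ban duration ('600', '10m', '1d', ...) to an integer number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def _load(*layers, default_section="DEFAULT"):
    """Parse one or more config texts into one parser; later layers override earlier ones key by key."""
    parser = configparser.ConfigParser(interpolation=None, default_section=default_section)
    for text in layers:
        parser.read_string(text)
    return parser


def effective_settings(*layers):
    """Return {jail: {maxretry, findtime, bantime}} for every enabled jail,
    with [DEFAULT] supplying any key the jail section does not set itself."""
    parser = _load(*layers)
    jails = {}
    for jail in parser.sections():          # sections() never includes [DEFAULT]
        if not parser.getboolean(jail, "enabled", fallback=False):
            continue
        jails[jail] = {
            "maxretry": parser.getint(jail, "maxretry"),
            "findtime": to_seconds(parser.get(jail, "findtime")),
            "bantime": to_seconds(parser.get(jail, "bantime")),
        }
    return jails


def explicit_keys(text, jail):
    """Keys a jail section sets itself; everything else it inherits from [DEFAULT].
    Re-parsing with an unused default-section name turns [DEFAULT] into an
    ordinary section, so options() no longer merges it into the jail."""
    parser = _load(text, default_section="__unused__")
    return set(parser.options(jail)) if parser.has_section(jail) else set()


if __name__ == "__main__":
    for jail, settings in effective_settings(JAIL_CONF, JAIL_LOCAL).items():
        own = explicit_keys(JAIL_LOCAL, jail)
        for key, value in settings.items():
            origin = "jail section" if key in own else "[DEFAULT]"
            print(f"{jail:12} {key}={value:<7} (from {origin})")
```

Running the script prints, for each enabled jail, the resolved maxretry/findtime/bantime and whether each came from the jail's own section or from [DEFAULT]: [sshd] ends up with 5 / 86400 / 604800 and [cf-wplogin] with 2 / 100 / 86400, matching the explanation above. Note that fail2ban only activates jails with `enabled = true`, so a jail.conf alone, which enables nothing, yields no active jails here either.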
I hope it's useful, best regards