How to: Fail2Ban

How to: Fail2Ban

Hello, fellow SysAdmin πŸ₯·

In the last few days on March 2023, Alhamdulillah I made several posts about Fail2Ban:

This is my first time to learn a firewall besides CSF and UFW.

Fail2ban scans log files (e.g. /var/log/httpd/error_log) and bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. [ArchLinux wiki]

Installation Fail2Ban

To begin start using fail2ban, install the package with:

apt install fail2ban
for Debian based system
sudo yum update
sudo yum install epel-release
sudo yum update
sudo yum install fail2ban
for CentOS 8

Configuring Fail2Ban

The essential file when configuring fail2ban is a file with name jail.local. Jail.local contains all profiles to define services that we want to protect or you can call it "jail".

Basically jail.local override settings on jail.conf which is you should not to modify jail.conf directly, because jail.conf will probably be overwritten or improved in a distribution update.

in jail.local file, you can modify it to your needs.

[Default] settings will be applied in every jail and on jail section will override [default]. For example:

ignoreip = # Your IP address
ignorecommand =
bantime = 604800
findtime = 100
maxretry = 2
enabled = false
mta = msmtp


enabled = true
filter = sshd
banaction = iptables-allports
logpath = %(sshd_log)s
findtime = 1d
maxretry = 5


enabled = true
port = http,https
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = cloudflare-apiv4
bantime = 86400
example jail.local

You can see there are 2 same findtime and maxretry on different jails.

For specific [sshd] jail means that if there is failed attempt 5 times within 1 day, then the IP will be banned for 604800 seconds.
[sshd] jail define findtime and maxretry so it will override [default] settings.
For [cf-wplogin] jail means that if there is failed attempt twice within 100 seconds, then the IP will be banned for 86400 seconds.
[cf-wplogin] jail doesn't define findtime and maxretry, so it will use [default] settings. But it is defined bantime, so IPs will be banned for only 86400 seconds rather than using [default] which is 604800 seconds.

I do recommend you guys read more about fail2ban on Archwiki or the official github repository.

I hope it's useful, best regards

-Average SysAdmin