How to: Fail2Ban

Hello, fellow SysAdmin 🥷

In the last few days of March 2023, Alhamdulillah, I made several posts about Fail2Ban:

This is my first time learning a firewall besides CSF and UFW.

Fail2ban scans log files (e.g. /var/log/httpd/error_log) and bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. [ArchLinux wiki]

Installing Fail2Ban

To start using fail2ban, install the package.

For Debian-based systems:

    sudo apt install fail2ban

For CentOS 8 (fail2ban lives in the EPEL repository, so that has to be enabled first):

    sudo yum update
    sudo yum install epel-release
    sudo yum update
    sudo yum install fail2ban

Configuring Fail2Ban

The essential file when configuring fail2ban is jail.local. It contains the profiles, called "jails", that define which services you want to protect and how failures in their logs are treated.

jail.local overrides the settings in jail.conf. Do not modify jail.conf directly, because a distribution update will probably overwrite it; keep every change of your own in jail.local.

Edit jail.local to suit your needs.

Settings in the [DEFAULT] section apply to every jail, and a value set in a jail's own section overrides the [DEFAULT] value for that jail only. For example:

[DEFAULT]
ignoreip = 127.0.0.1/8 ; add your own IP address here (fail2ban only treats ';' after a space as an inline comment)
ignorecommand =
bantime = 604800 ; 7 days
findtime = 100   ; seconds
maxretry = 2
enabled = false
mta = msmtp

[sshd]

enabled = true
filter = sshd
banaction = iptables-allports
logpath = %(sshd_log)s
findtime = 1d
maxretry = 5

[cf-wplogin]

enabled = true
port = http,https
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = cloudflare-apiv4
            iptables-allports
bantime = 86400 ; 1 day
example jail.local

Notice that findtime and maxretry are set twice: once in [DEFAULT] and again in the [sshd] jail.

For the [sshd] jail this means: 5 failed attempts within 1 day, and the IP is banned for 604800 seconds (7 days).
👍
[sshd] defines its own findtime (1d) and maxretry (5), so they override the [DEFAULT] values; bantime is not defined in the jail, so the [DEFAULT] value of 604800 seconds applies.
For the [cf-wplogin] jail this means: 2 failed attempts within 100 seconds, and the IP is banned for 86400 seconds (1 day).
👍
[cf-wplogin] doesn't define findtime or maxretry, so it uses the [DEFAULT] settings (100 seconds, 2 retries). It does define bantime, so IPs are banned for only 86400 seconds rather than the 604800 seconds from [DEFAULT].

A few things to check before enabling this file. fail2ban recognises only ';' (following a space) as an inline comment marker, so a trailing "# ..." on the ignoreip line would be read as part of the value instead of being ignored. Put your own address in ignoreip: with maxretry = 2 and a one-week bantime in [DEFAULT], it is easy to lock yourself out with a couple of typos. The %(sshd_log)s path is resolved from fail2ban's paths-*.conf files; on a host where sshd logs only to the systemd journal, set backend = systemd in the [sshd] jail so fail2ban reads the journal instead. Finally, [cf-wplogin] depends on a filter.d/wplogin.conf and on Cloudflare API credentials for the cloudflare-apiv4 action, neither of which is shown in this post.
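To make the [DEFAULT] inheritance and the findtime/maxretry/bantime rule concrete, here is an added example that is not from the original post and not fail2ban's own code. Fail2ban reads jail.conf/jail.local with Python's configparser, so the [DEFAULT] fallback behaves exactly like configparser's DEFAULT section. The script parses a trimmed copy of the jail.local above, resolves the effective timing settings of each enabled jail, and replays constructed failure timestamps through a sliding-window counter that models "maxretry failures within findtime, then ban for bantime". Assumptions: sshd_log is supplied in [DEFAULT] (fail2ban normally defines it in paths-*.conf), the banaction/mta/ignorecommand lines are left out because they do not affect timing, and the simulation is a model of the rule rather than fail2ban's actual FailManager.

```python
# Added example (not from the original post or the fail2ban project).
import configparser
import re
from typing import Dict, List, Tuple

# Constructed copy of the post's jail.local. sshd_log is normally defined in
# fail2ban's paths-*.conf; it is supplied here (an assumption) so the file
# parses stand-alone. banaction/mta/ignorecommand do not affect timing and
# are left out.
JAIL_LOCAL = """\
[DEFAULT]
sshd_log = /var/log/auth.log
ignoreip = 127.0.0.1/8
bantime = 604800
findtime = 100
maxretry = 2
enabled = false

[sshd]
enabled = true
filter = sshd
logpath = %(sshd_log)s
findtime = 1d
maxretry = 5

[cf-wplogin]
enabled = true
port = http,https
filter = wplogin
bantime = 86400
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str) -> int:
    """Convert a fail2ban time value ("100", "1d", "12h") to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value.lower())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def effective_settings(text: str) -> Dict[str, Dict[str, int]]:
    """Return {jail: {findtime, maxretry, bantime}} for each enabled jail.
    configparser falls back to [DEFAULT] for any key the jail does not set."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    settings: Dict[str, Dict[str, int]] = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled"):
            continue
        settings[jail] = {
            "findtime": parse_time(cp.get(jail, "findtime")),
            "maxretry": cp.getint(jail, "maxretry"),
            "bantime": parse_time(cp.get(jail, "bantime")),
        }
    return settings


def simulate(failures: List[int], findtime: int, maxretry: int,
             bantime: int) -> List[Tuple[int, int]]:
    """Replay failure timestamps (seconds) for one IP and return the
    (ban_start, ban_end) pairs the jail would produce. Failures older than
    findtime drop out of the window; failures during an active ban are
    ignored because the address is already blocked."""
    bans: List[Tuple[int, int]] = []
    window: List[int] = []
    banned_until = -1
    for t in sorted(failures):
        if t < banned_until:
            continue
        window = [x for x in window if t - x <= findtime] + [t]
        if len(window) >= maxretry:
            bans.append((t, t + bantime))
            banned_until = t + bantime
            window = []
    return bans


def demo() -> Dict[str, List[Tuple[int, int]]]:
    """Three constructed scenarios run against the post's effective settings."""
    s = effective_settings(JAIL_LOCAL)
    scenarios = {
        # 5 sshd failures over 4 hours: inside the 1d findtime -> banned 7 days
        "sshd fast": ("sshd", [0, 3600, 7200, 10800, 14400]),
        # the same 5 failures 2 days apart: each one expires before the next
        "sshd slow": ("sshd", [i * 2 * 86400 for i in range(5)]),
        # 2 WordPress login failures 30 s apart: findtime=100 and maxretry=2
        # inherited from [DEFAULT], but the jail's own bantime=86400 applies
        "cf-wplogin": ("cf-wplogin", [0, 30, 200, 250]),
    }
    return {name: simulate(times, **s[jail])
            for name, (jail, times) in scenarios.items()}


if __name__ == "__main__":
    for name, bans in demo().items():
        print(f"{name:12s} bans={bans}")
```

The "sshd slow" scenario is the point a practitioner should take from findtime: an attacker who spaces attempts wider than the window is never banned, which is why the post raises findtime to 1d for sshd. On a real host, compare the model against the running service with fail2ban-client status sshd (lists currently banned addresses), fail2ban-client set sshd unbanip <ip> to release an address you locked out, and fail2ban-regex <logfile> <filter> to confirm a filter actually matches your log lines before relying on it.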

I do recommend you guys read more about fail2ban on the Arch Wiki or in the official GitHub repository.

I hope it's useful. Best regards,

-Average SysAdmin