How to: Fail2Ban
Hello, fellow SysAdmin 🥷
In the last few days of March 2023, Alhamdulillah, I made several posts about Fail2Ban:
- Protect SSH with Fail2Ban
- Protect MySQL Auth with Fail2Ban
- Protect Nginx Auth with Fail2Ban
- Protect Wordpress Login in Docker container with Fail2Ban
- Fail2ban with Cloudflare
- Email Notification Fail2ban with MSMTP
This is my first time learning a firewall besides CSF and UFW.
Fail2ban scans log files (e.g. /var/log/httpd/error_log) and bans IPs that show the malicious signs like too many password failures, seeking for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. [ArchLinux wiki]
Installing Fail2Ban
To start using fail2ban, install the package with:
Configuring Fail2Ban
The essential file when configuring fail2ban is jail.local. It contains the profiles that define the services we want to protect; each profile is called a "jail".
jail.local overrides the settings in jail.conf. You should not modify jail.conf directly, because it will probably be overwritten or improved in a distribution update. Make your changes in jail.local instead, adjusting it to your needs.
Settings in [DEFAULT] apply to every jail, and a setting defined in a jail's own section overrides the [DEFAULT] value. For example:
You can see that the same findtime and maxretry settings appear twice, in different jails.
- The [sshd] jail means that if there are 5 failed attempts within 1 day, the IP will be banned for 604800 seconds. This jail defines its own findtime and maxretry, so they override the [DEFAULT] settings.
- The [cf-wplogin] jail means that if there are 2 failed attempts within 100 seconds, the IP will be banned for 86400 seconds. This jail does not define findtime and maxretry, so it uses the [DEFAULT] settings. It does define bantime, so IPs will be banned for only 86400 seconds rather than the [DEFAULT] value of 604800 seconds.
I recommend reading more about fail2ban on the ArchWiki or the official GitHub repository.
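The override behaviour described above, as an added example (not the author's original jail.local, which is not shown on this page): a constructed jail.local using the values from the text, resolved per jail with Python's configparser, plus a simplified model of the maxretry/findtime ban decision. The function names and the sample failure timestamps are assumptions made for illustration.

```python
import configparser

# Constructed jail.local using the values from the text; not the author's file.
JAIL_LOCAL = """
[DEFAULT]
bantime  = 604800
findtime = 100
maxretry = 2

[sshd]
enabled  = true
findtime = 86400
maxretry = 5

[cf-wplogin]
enabled = true
bantime = 86400
"""

def effective_settings(text, jail):
    """Resolve a jail's settings; keys it lacks fall back to [DEFAULT]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {k: cp.getint(jail, k) for k in ("bantime", "findtime", "maxretry")}

def ban_window(failures, s):
    """Simplified model (assumption): ban once maxretry failures fall
    inside a findtime-second window. Returns (ban_start, ban_end) or None."""
    recent = []
    for t in sorted(failures):
        # Keep only failures still inside the findtime window ending at t.
        recent = [x for x in recent if t - x < s["findtime"]] + [t]
        if len(recent) >= s["maxretry"]:
            return t, t + s["bantime"]
    return None

if __name__ == "__main__":
    # Constructed failure timestamps, in seconds from the first attempt.
    samples = {"sshd": [0, 3600, 7200, 10800, 14400], "cf-wplogin": [0, 50]}
    for jail, failures in samples.items():
        s = effective_settings(JAIL_LOCAL, jail)
        print(jail, s, "ban:", ban_window(failures, s))
```

On a real host, `fail2ban-client get sshd bantime` (and likewise `findtime`, `maxretry`) shows the values the running jail actually uses.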
I hope it's useful, best regards
-Average SysAdmin