Fail2ban is a tool that blocks and bans ip addresses that have failed certain criteria, such as too many failed login attempts. This is very useful for preventing brute-force password guessing. Fail2ban blocks ip addresses using the iptables firewall, so if you skipped the previous section on iptables, go back there now.
Install:
sudo apt-get install fail2ban
After this it should start automatically, otherwise start it as usual with service fail2ban start
.
Fail2ban uses filters to filter relevant information from logs. The filters are located in /etc/fail2ban/filter.d/
, where you can add and edit the active filters.
The fail2ban logs, where you can read what, when and why fail2ban has decided to block a remote address, are written to /var/log/fail2ban.log
.
Whenever an ip is banned, it is 'sent to jail'. There can be several jails for different offenses and sentences. Check which jails are active using:
fail2ban-client status
All default configurations are in the files /etc/fail2ban/fail2ban.conf
and /etc/fail2ban/jail.conf
. I suggest having a look at their content. To override their rules, don't edit the files directly but instead create a file for your own custom settings, using the .local
extension (e.q. /etc/fail2ban/jail.local
).
If you ever find an ip banned by mistake, here's a way to unban the ip without waiting. First, find the jail that's banning the ip:
sudo iptables -L
It'll say DROP
somewhere, followed by an ip or hostname. Above it will be the name of the jail, e.g. if it reads fail2ban-ssh
the jail name will be ssh
. Use the jail name and hostname/ip to unban it with the following command:
sudo fail2ban-client get {jail name} actionunban {ip}