fail2ban Configuration
fail2ban monitors log files and bans IP addresses that show malicious behavior, such as repeated failed logins, by adding firewall rules for a configurable time.
Installation
# Debian/Ubuntu
sudo apt install fail2ban
# RHEL/CentOS
sudo dnf install fail2ban
# Enable and start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Configuration
Local Override File
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 192.168.1.0/24
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
# on RHEL/CentOS the sshd log is /var/log/secure instead
maxretry = 3
bantime = 24h
Jail Configuration
# /etc/fail2ban/jail.d/nginx.local
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2
Managing Bans
# Check jail status
sudo fail2ban-client status
sudo fail2ban-client status sshd
# Manually ban IP
sudo fail2ban-client set sshd banip 1.2.3.4
# Unban IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
# View all bans
sudo fail2ban-client banned
Custom Filter Example
# /etc/fail2ban/filter.d/myapp.conf
[Definition]
failregex = ^<HOST> - - .*"(GET|POST).*/login.*" 401
ignoreregex =
Action Types
| Action | Effect |
|---|---|
| iptables | Firewall block |
| iptables-multiport | Block multiple ports |
| sendmail | Email notification |
| slack | Slack notification |
Testing
# Test filter against log
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Dump the parsed configuration (useful for debugging jail and filter settings)
fail2ban-client -d
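fail2ban-regex needs fail2ban installed to test a filter. The following Python script is an added example, not fail2ban's code and not part of the original page: it takes the failregex from the custom filter above, expands the <HOST> tag, matches it against constructed nginx access-log lines, and applies findtime and maxretry as a sliding window, the way the jails above decide on a ban. The IPv4-only HOST_RE, the access-log timestamp format and the sample lines are assumptions; real fail2ban also matches IPv6 addresses and hostnames and has its own date parsing.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expression: IPv4 only (an assumption for this example)
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r'^<HOST> - - .*"(GET|POST).*/login.*" 401'  # the myapp.conf failregex
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")  # e.g. [10/Mar/2024:12:00:01 +0000]

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern, as fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def parse_duration(value):
    """Parse jail.local-style durations such as 10m, 1h, 24h or plain seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))

def evaluate_jail(log_text, failregex, findtime, maxretry):
    """Return {host: ban time} for hosts with >= maxretry failures inside findtime."""
    pattern = compile_failregex(failregex)
    window = parse_duration(findtime)
    failures, banned = {}, {}  # host -> recent failure times, host -> ban time
    for line in log_text.splitlines():
        match, ts_match = pattern.search(line), TS_RE.search(line)
        if not match or not ts_match:
            continue  # not a failure line, or no parsable timestamp
        host = match.group("host")
        if host in banned:
            continue  # already banned; further hits are not counted again
        ts = datetime.strptime(ts_match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        # keep only failures inside the sliding findtime window, then add this one
        hits = [t for t in failures.get(host, []) if ts - t <= window] + [ts]
        failures[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample nginx access-log lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /login HTTP/1.1" 401 12
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /login HTTP/1.1" 401 12
198.51.100.7 - - [10/Mar/2024:12:00:10 +0000] "POST /login HTTP/1.1" 200 30
203.0.113.5 - - [10/Mar/2024:12:30:00 +0000] "POST /login HTTP/1.1" 401 12
"""
if __name__ == "__main__":
    print(evaluate_jail(SAMPLE_LOG, FAILREGEX, "10m", 3))
```

With findtime = 10m and maxretry = 3 the script bans 203.0.113.5 at the third 401 (12:00:09); raising maxretry to 4 bans nobody, because the fourth failure at 12:30 falls outside the 10-minute window and the earlier hits have expired.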