HxHippy

fail2ban Intrusion Prevention

Protect services from brute-force attacks with fail2ban.

Last updated: 2025-01-15

fail2ban Configuration

fail2ban monitors log files and temporarily bans IP addresses that show malicious behaviour, such as repeated authentication failures against a service.

Installation

# Debian/Ubuntu
sudo apt install fail2ban

# RHEL/CentOS
sudo dnf install fail2ban

# Enable and start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configuration

Local Override File

# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 192.168.1.0/24

[sshd]
enabled = true
port = ssh
# Debian/Ubuntu path; on RHEL/CentOS the equivalent log is /var/log/secure
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h

Jail Configuration

# /etc/fail2ban/jail.d/nginx.local
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3

[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2

Managing Bans

# Check jail status
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Manually ban IP
sudo fail2ban-client set sshd banip 1.2.3.4

# Unban IP
sudo fail2ban-client set sshd unbanip 1.2.3.4

# View all bans
sudo fail2ban-client banned

Custom Filter Example

# /etc/fail2ban/filter.d/myapp.conf
[Definition]
failregex = ^<HOST> - - .*"(GET|POST).*/login.*" 401
ignoreregex =
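To see what this filter would do before enabling a jail, the following added example (not part of the original page or of fail2ban itself) mimics fail2ban's matching steps: it expands <HOST> to a capture group, strips the access-log timestamp, applies the failregex, and then counts hits per address against the findtime/maxretry thresholds from jail.local above. The log lines are constructed samples; the date pattern assumes the bracketed nginx/apache access-log format.

```python
import re
from datetime import datetime, timedelta

# failregex from the myapp.conf filter above; thresholds from [DEFAULT] in jail.local.
FAILREGEX = r'^<HOST> - - .*"(GET|POST).*/login.*" 401'
FINDTIME = timedelta(minutes=10)
MAXRETRY = 5

# fail2ban expands <HOST> to a capture group and removes the timestamp it recognised
# before applying failregex; DATE_RE covers e.g. [15/Jan/2025:10:00:01 +0000] (assumed format).
DATE_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] ?')

def compile_failregex(failregex):
    return re.compile(failregex.replace('<HOST>', r'(?P<host>\S+)'))

def parse_failure(line, pattern):
    """Return (timestamp, host) if the line matches failregex, else None."""
    m = DATE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S')
    hit = pattern.search(line[:m.start()] + line[m.end():])
    return (ts, hit.group('host')) if hit else None

def offenders(lines, failregex=FAILREGEX, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry failures within a sliding findtime window."""
    pattern = compile_failregex(failregex)
    recent, banned = {}, []
    for line in lines:
        parsed = parse_failure(line, pattern)
        if parsed is None:
            continue
        ts, host = parsed
        # keep only failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent.get(host, []) if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 12',
    '203.0.113.7 - - [15/Jan/2025:10:00:05 +0000] "POST /login HTTP/1.1" 401 12',
    '198.51.100.4 - - [15/Jan/2025:10:00:09 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jan/2025:10:00:12 +0000] "POST /login HTTP/1.1" 401 12',
    '198.51.100.4 - - [15/Jan/2025:10:00:20 +0000] "POST /login HTTP/1.1" 401 12',
    '192.0.2.9 - - [15/Jan/2025:10:00:30 +0000] "POST /login HTTP/1.1" 401 12',
    '192.0.2.9 - - [15/Jan/2025:10:01:00 +0000] "POST /login HTTP/1.1" 401 12',
    '192.0.2.9 - - [15/Jan/2025:10:12:00 +0000] "POST /login HTTP/1.1" 401 12',
    '203.0.113.7 - - [15/Jan/2025:10:30:00 +0000] "POST /login HTTP/1.1" 401 12',
]
```

With maxretry=3 only 203.0.113.7 is reported: 192.0.2.9 has three failures but the first falls outside the 10 minute findtime window by the time the third arrives, and the 200 response for 198.51.100.4 is not a failure at all.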

Action Types

Action              Effect
iptables            Firewall block
iptables-multiport  Block multiple ports
sendmail            Email notification
slack               Slack notification

Testing

# Test filter against log
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

# Dump the parsed configuration (useful when debugging jail/filter settings)
fail2ban-client -d