Installing and Configuring Fail2ban

In this article, I will provide an example of how to install and configure Fail2ban.

To install Fail2ban on Ubuntu:

sudo apt-get install fail2ban

After installation, edit the configuration files, which are located at:
/etc/fail2ban/fail2ban.conf (main)
/etc/fail2ban/jail.conf (security settings for specific services)
/etc/fail2ban/jail.local (additional file with a higher priority, used to configure the protection of specific services)
SSH protection is enabled by default after installation.
The configuration already contains many ready-made settings, for example for apache2, nginx, named, pure-ftpd, proftpd, postfix, etc., which can be activated by setting “true” instead of “false”.

You can also specify right away the IP addresses that must never be blocked, for example, local networks:

ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
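
An added example (not part of the original article and not Fail2ban's own code) that audits a jail.local: it lists the jails switched to "true" and checks whether a given address is covered by ignoreip. The file content is a constructed sample and the function names are hypothetical; it assumes a single file with no includes, whereas Fail2ban itself merges jail.conf and jail.local.

```python
import configparser
import ipaddress

# Constructed sample jail.local (not taken from the article).
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[sshd]
enabled = true

[postfix]
enabled = true

[dovecot]
enabled = false
"""

def load(text):
    # interpolation=None: Fail2ban files may contain %(name)s references
    # that Python's default interpolation would try to expand.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def enabled_jails(cp):
    """Names of the sections whose 'enabled' option is true."""
    return [s for s in cp.sections()
            if cp.getboolean(s, "enabled", fallback=False)]

def ignored_networks(cp, jail):
    """Effective ignoreip of a jail (own value, else [DEFAULT]) as networks."""
    nets = []
    # Entries are separated by spaces and/or commas.
    for token in cp.get(jail, "ignoreip", fallback="").replace(",", " ").split():
        try:
            # strict=False accepts host bits, as in 127.0.0.1/8.
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # host names are not resolved in this example
    return nets

def is_exempt(cp, jail, addr):
    """True if addr falls inside one of the jail's ignoreip networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n
               for n in ignored_networks(cp, jail))
```

Checking an address this way before relying on ignoreip shows, for instance, that 172.32.0.1 lies outside 172.16.0.0/12 and can still be banned.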

The filters that detect unsuccessful password attempts and other unwanted actions are located in the /etc/fail2ban/filter.d directory and are referenced from the configuration files /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local. The response rules are in /etc/fail2ban/action.d.
Logs are normally written to /var/log/fail2ban.log.

Viewing rules in iptables:

sudo iptables -S | grep fail2ban

View status:

sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client status roundcube
sudo fail2ban-client status postfix
sudo fail2ban-client status dovecot
sudo fail2ban-client status proftpd

To restart fail2ban, you need to type:

sudo service fail2ban restart

An example of unblocking an IP address (or you can manually delete a rule in iptables):

sudo fail2ban-client set sshd unbanip "IP"

An example of unblocking all IP addresses:

sudo fail2ban-client unban --all
