====== Fail2Ban ======

===== Installation =====
<code bash>
apt-get install fail2ban
</code>

===== Configuration =====
''jail.conf'' may be overwritten by package updates, so do not edit it directly. Fail2Ban reads ''jail.local'' after ''jail.conf'' and lets it override individual settings, so ''jail.local'' strictly only needs the keys you change. Copying the whole file (as below) also works, but be aware that the copy then shadows any new defaults shipped by later updates:
<code bash>
cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
</code>

Things you should edit. These keys sit in the ''[DEFAULT]'' section and apply to every jail unless a jail overrides them:
<code ini>
# Addresses that are NEVER banned by any jail, separated by spaces.
# Keep this list as short as possible: a whitelisted gateway or NAT router
# exempts every host behind it, and Fail2Ban cannot protect you from a
# mistake made here.
ignoreip = 127.0.0.1/8 192.168.178.1
# "bantime" is the number of seconds that a host is banned (86400 = 24 hours).
bantime = 86400
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 1200
maxretry = 3
</code>

Add this to check your SSH login attempts. ''port'' must be the port sshd really listens on: if you moved SSH to another port, change it here (and in the commented ''iptables'' action, which still says 2022), otherwise the ban rule blocks a port nobody is attacking and the failed logins keep coming in:
<code ini>
[ssh]
enabled = true
#port = ssh
port = 22
filter = sshd
# Optional: explicit iptables action plus an e-mail report.
# "sendmail-whois-lines" mails the matching auth.log lines (including the
# attempted user names) to every address in "dest". With the external
# blocklist.de address in "dest" those log lines leave your server and go to
# a third party -- only enable this if you deliberately want to participate
# in that service (see the Abusemails section below).
#action = iptables[name=SSH, port=2022, protocol=tcp]
#         sendmail-whois-lines[name=SSH, dest="fail2ban@blocklist.de,YOURMAIL@MAIL.COM", sender=fail2ban@YOURSERVER.COM, sendername="Fail2Ban", logpath=/var/log/auth.log]
logpath = /var/log/auth.log
maxretry = 3

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jail.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
# Whatever path you configure there must be the same file as "logpath" below.
# The example above and the jail below currently name DIFFERENT files; a jail
# that watches a file the server never writes to silently bans nobody, so
# pick one path and use it in both places.
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306
logpath = /var/log/mysql/error.log

# Bans hosts that were already banned by another jail several times within a
# year, permanently. The "repeatoffender" filter and action are not explained
# on this page (see the Blocklist page linked below); the jail only loads if
# both are installed. "bantime = -1" means the ban never expires, so make sure
# your own admin addresses are in "ignoreip" BEFORE enabling this jail, or a
# few mistyped passwords lock you out for good (see Troubleshooting).
[repeatoffender]
enabled = true
filter = repeatoffender
action = repeatoffender[name=repeatoffender]
         sendmail-whois[name=Repeat-Offender, dest=YOURMAIL@MAIL.COM, sender=fail2ban@YOURSERVER.COM]
logpath = /var/log/fail2ban*
maxretry = 3
#findtime is 365 days
findtime = 31536000
bantime = -1
</code>

===== Abusemails =====
Click the following link for more info about abuse automation\\
[[linux:ubuntu:blocklist|Blocklist]]

===== Commands =====
==== Unban ====
<code bash>
fail2ban-client set <JAIL> unbanip <IP>
#example
fail2ban-client set ssh unbanip 192.168.178.1
</code>

==== Ban ====
<code bash>
fail2ban-client set <JAIL> banip <IP>
</code>
Example:
<code bash>
fail2ban-client set ssh banip 192.168.178.1
</code>

==== Other ====
Get a list of commands:
<code bash>
fail2ban-client --help
</code>

===== Troubleshooting =====
==== IP gets banned every time ====
An IP listed in ''ignoreip'' still gets banned every time you start, restart or reload the Fail2Ban service.\\
__Reason:__\\
The IP was banned before you added it to ''ignoreip''. ''ignoreip'' only prevents new bans; it does not lift one that already exists, and the ''repeatoffender'' jail on this page uses ''bantime = -1'', so its bans are permanent and are presumably re-applied from its blocklist file on every start.\\
__Fix:__\\
The IP is stored in the file ''ip.blocklist.repeatoffender''. Open the file and remove the IP, then also lift the currently active ban with ''fail2ban-client set repeatoffender unbanip <IP>'' (or restart the service) and check with ''fail2ban-client status repeatoffender'' that the address is no longer listed.