Fail2Ban

Installation

apt-get install fail2ban

Configuration

“jail.conf” may be overwritten by updates, so create your own config file:

cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Things you should edit

# Add any IP which you want NOT to be banned, use a space for separation
ignoreip = 127.0.0.1/8 192.168.178.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 1200
maxretry = 3

#Add this to check your ssh login attempts
[ssh]

enabled  = true
#port     = ssh
port     = 22
filter   = sshd
#action   = iptables[name=SSH, port=2022, protocol=tcp]
#           sendmail-whois-lines[name=SSH, dest="[email protected],[email protected]", [email protected], sendername="Fail2Ban", logpath=/var/log/auth.log]
logpath  = /var/log/auth.log
maxretry = 3

[vsftpd]

enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jail.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3


# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warnings = 2
[mysqld-auth]

enabled  = true
filter   = mysqld-auth
port     = 3306
logpath  = /var/log/mysql/error.log

[repeatoffender]

enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, [email protected], [email protected]]
logpath  = /var/log/fail2ban*
maxretry = 3
#findtime is 365 days
findtime = 31536000
bantime  = -1
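
The following is an added example (not part of the original page or of the Fail2Ban project) that replays the ban decision of the ssh jail above over constructed auth.log lines: failures per source IP are counted in a sliding "findtime" window, a ban is issued once "maxretry" failures fall inside it, and addresses in "ignoreip" are never banned. The failure pattern is a deliberately simplified stand-in for fail2ban's real sshd filter, and the epoch timestamps are supplied alongside the lines rather than parsed.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Settings taken from the jail.local shown above
IGNOREIP = ["127.0.0.1/8", "192.168.178.1"]
FINDTIME = 1200   # seconds
MAXRETRY = 3

# Simplified sshd failure pattern (assumption: fail2ban's filter.d/sshd.conf covers many more)
FAILREGEX = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def bans_for(events, findtime=FINDTIME, maxretry=MAXRETRY):
    """events: iterable of (epoch_seconds, log_line). Returns [(ip, ban_time), ...]."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned, banned_ips = [], set()
    for ts, line in sorted(events):
        m = FAILREGEX.search(line)
        if not m:
            continue                 # not a failed login, e.g. an accepted key
        ip = m.group("host")
        if is_ignored(ip) or ip in banned_ips:
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()         # drop failures older than findtime
        if len(window) >= maxretry:
            banned.append((ip, ts))
            banned_ips.add(ip)
            window.clear()           # fail2ban resets the counter on ban
    return banned


# Constructed sample (TEST-NET addresses): a burst from 203.0.113.7, slow retries
# from 198.51.100.9 that never fit inside findtime, and failures from the ignored LAN host.
SAMPLE = [
    (0,    "Dec  1 10:00:00 srv sshd[101]: Failed password for root from 203.0.113.7 port 5000 ssh2"),
    (30,   "Dec  1 10:00:30 srv sshd[102]: Failed password for root from 203.0.113.7 port 5001 ssh2"),
    (60,   "Dec  1 10:01:00 srv sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2"),
    (0,    "Dec  1 10:00:00 srv sshd[104]: Failed password for invalid user test from 198.51.100.9 port 4000 ssh2"),
    (700,  "Dec  1 10:11:40 srv sshd[105]: Failed password for invalid user test from 198.51.100.9 port 4001 ssh2"),
    (1400, "Dec  1 10:23:20 srv sshd[106]: Failed password for invalid user test from 198.51.100.9 port 4002 ssh2"),
    (10,   "Dec  1 10:00:10 srv sshd[107]: Failed password for bob from 192.168.178.1 port 6000 ssh2"),
    (20,   "Dec  1 10:00:20 srv sshd[108]: Failed password for bob from 192.168.178.1 port 6001 ssh2"),
    (30,   "Dec  1 10:00:30 srv sshd[109]: Failed password for bob from 192.168.178.1 port 6002 ssh2"),
    (40,   "Dec  1 10:00:40 srv sshd[110]: Accepted publickey for bob from 192.168.178.1 port 6003 ssh2"),
]

if __name__ == "__main__":
    print(bans_for(SAMPLE))
```

Raising findtime (for example to 2000 seconds) makes the slow retries from 198.51.100.9 fall inside one window and bans that host as well, which is the trade-off between findtime and maxretry the settings above encode.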

Abuse mails

For more information about automating abuse reports, see the following page:
Blocklist

Commands

Unban

fail2ban-client set <JAIL> unbanip <IP>
#example
fail2ban-client set ssh unbanip 192.168.178.1 

Ban

fail2ban-client set <JAIL> banip <IP>
#example
fail2ban-client set ssh banip 192.168.178.1  

Other

Get a list of commands

fail2ban-client --help

Troubleshooting

IP gets banned every time

An IP listed in “ignoreip” still gets banned every time you reload, restart or start your Fail2Ban service.

Reason:
The IP was banned before you added it to “ignoreip”.

Fix:
The banned IP was recorded in the file “ip.blocklist.repeatoffender”.
Open the file and remove the IP.