apt-get install fail2ban
“jail.conf” may get overwritten by updates, so create your own config file:
cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Things you should edit in jail.local:

# Add any IP which you want NOT to be banned, use space for separation
ignoreip = 127.0.0.1/8 192.168.178.1

# "bantime" is the number of seconds that a host is banned.
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 1200
maxretry = 3

# Add this to check your ssh login attempts
[ssh]
enabled = true
#port = ssh
port = 22
filter = sshd
#action = iptables[name=SSH, port=2022, protocol=tcp]
#         sendmail-whois-lines[name=SSH, dest="[email protected],[email protected]", [email protected], sendername="Fail2Ban", logpath=/var/log/auth.log]
logpath = /var/log/auth.log
maxretry = 3

[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306
logpath = /var/log/mysql/error.log

[repeatoffender]
enabled = true
filter = repeatoffender
action = repeatoffender[name=repeatoffender]
         sendmail-whois[name=Repeat-Offender, [email protected], [email protected]]
logpath = /var/log/fail2ban*
maxretry = 3
# findtime is 365 days
findtime = 31536000
bantime = -1
Click the following link for more info about abuse automation:
Blocklist
Unban an IP:
fail2ban-client set <JAIL> unbanip <IP>
# example
fail2ban-client set ssh unbanip 192.168.178.1

Ban an IP manually:
fail2ban-client set <JAIL> banip <IP>
# example
fail2ban-client set ssh banip 192.168.178.1
Get a list of all commands:
fail2ban-client --help
Problem: an IP listed in “ignoreip” still gets banned every time you reload, restart or start your Fail2ban service.
Reason:
The IP was banned before you added it to “ignoreip”, so the existing ban is applied again on every start.
Fix:
The IP is stored in the file “ip.blocklist.repeatoffender”.
Open the file and remove the line with that IP.
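To check a whole blocklist file for such entries instead of searching by hand, here is an added example (not part of these notes and not fail2ban's own code). It assumes the blocklist holds one IP per line with an optional trailing '#' comment, and that a jail's own “ignoreip” replaces the DEFAULT list rather than merging with it; all sample values are constructed.

```python
import ipaddress

# Constructed jail.local fragment for the demo (not the page's full config).
SAMPLE_JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.178.1   # space separated, CIDR allowed
bantime = 86400
[ssh]
ignoreip = 10.0.0.0/24   # replaces DEFAULT's list for this jail only
"""

# Constructed ip.blocklist.repeatoffender: one IP per line, optional '#' comment.
SAMPLE_BLOCKLIST = """192.168.178.1 # fail2ban/2020-01-01 00:00:00: auto-add
203.0.113.7
10.0.0.42
127.0.0.5
"""

def parse_ignoreip(jail_text: str) -> dict:
    """Map section name -> ignoreip networks; jails inherit DEFAULT unless set."""
    nets = {}
    section = "DEFAULT"
    for raw in jail_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.startswith("ignoreip") and "=" in line:
            value = line.split("=", 1)[1]
            nets[section] = [ipaddress.ip_network(t, strict=False) for t in value.split()]
    return nets

def stale_blocklist_entries(blocklist_text: str, jail_text: str,
                            jail: str = "repeatoffender") -> list:
    """IPs in the blocklist that ignoreip now covers: these are replayed as
    bans on every restart (bantime = -1) and must be removed from the file."""
    per_section = parse_ignoreip(jail_text)
    nets = per_section.get(jail, per_section.get("DEFAULT", []))
    stale = []
    for raw in blocklist_text.splitlines():
        entry = raw.split("#", 1)[0].strip()          # first token is the IP
        if entry and any(ipaddress.ip_address(entry) in n for n in nets):
            stale.append(entry)
    return stale

def clean_blocklist(blocklist_text: str, stale: list) -> str:
    """Return the blocklist text with the stale entries dropped."""
    drop = set(stale)
    return "".join(line + "\n" for line in blocklist_text.splitlines()
                   if line.split("#", 1)[0].strip() not in drop)
```

Run it against the real /etc/fail2ban/jail.local and ip.blocklist.repeatoffender contents, write the cleaned text back, then restart Fail2ban.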