Introduction
Fail2Ban is free and open source software that helps secure your Linux server against malicious logins. Fail2Ban bans an IP address for a set period of time once it reaches a set number of failed login attempts.
Installing Fail2Ban
sudo dnf install -y fail2ban
My Fail2Ban Settings File
Fail2Ban by default doesn’t really do much unless you adjust the settings file.
All configuration files are in /etc/fail2ban
Configuration file examples and defaults are in two main files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf
My Config - /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
backend = systemd
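How bantime, findtime, maxretry and ignoreip from the config above interact, as an added example (not part of the original post and not Fail2Ban's own code): a small Python simulation of the ban decision over a sliding window. The log line format, the regex, the helper names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Values from the [DEFAULT] section of jail.local above.
IGNOREIP = ["127.0.0.1/8", "::1"]
BANTIME, FINDTIME, MAXRETRY = 3600, 600, 5

# Simplified stand-in for the sshd filter; constructed lines start with epoch seconds.
FAILED = re.compile(r"^(\d+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def is_ignored(ip, ignoreip=IGNOREIP):
    addr = ipaddress.ip_address(ip)
    # strict=False accepts a network written with host bits set, e.g. 127.0.0.1/8
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def simulate(lines):
    """Return [(ip, ban_start, ban_end)] for the given log lines."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = int(m.group(1)), m.group(2)
        if is_ignored(ip) or banned_until.get(ip, 0) > ts:
            continue  # ignoreip entries are never counted; banned IPs are already blocked
        window = failures[ip]
        window.append(ts)
        while window[0] <= ts - FINDTIME:  # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:  # maxretry failures within findtime -> ban
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

def _line(ts, ip):
    return f"{ts} sshd[4242]: Failed password for root from {ip} port 50022 ssh2"

# Constructed sample: one fast guesser, one slow guesser, one ignored loopback source.
SAMPLE = sorted(
    [_line(t, "203.0.113.7") for t in (1000, 1100, 1200, 1300, 1400)]
    + [_line(t, "198.51.100.9") for t in (1000, 1200, 1400, 1600, 1700)]
    + [_line(t, "127.0.0.5") for t in range(1000, 1060, 10)],
    key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

The slow guesser makes five failures but never has five inside any 600-second window, so only 203.0.113.7 is banned; lowering maxretry or raising findtime is what catches slower attempts.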
In more complex service environments, I generally start adding per-service jail files, like ssh-jail.conf, to the /etc/fail2ban/jail.d/ directory. Any program that hackers commonly target is typically kept under watch, like WordPress installs for example:
/etc/fail2ban/jail.d/wordpress.conf
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 300
Enabling Fail2Ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
How to Unban an IP in Fail2Ban?
Fail2Ban stores a list of all the IPs currently banned from connecting to your server. Run the following command to see all active jails on your server:
sudo fail2ban-client status
To see banned IPs for a specific jail (e.g., sshd), you can run the following command:
sudo fail2ban-client status sshd
Unban Specific IP in Fail2Ban
If you find that Fail2Ban banned your IP address, you can either wait for Fail2Ban to unban it automatically or remove it manually. An offending IP address is banned for 10 minutes by default, but server administrators can extend or reduce this.
However, if you don’t want to wait for the IP address to be automatically removed from the block list, then you can manually log in to your server and run the following command:
sudo fail2ban-client set JAIL unbanip IP_ADDRESS
Example:
sudo fail2ban-client set sshd unbanip 192.168.1.100
Whitelist Specific IP in Fail2Ban
If you have a static IP address or a corporate network where the list of IP ranges is fixed, you can whitelist these IP addresses. Once you add the addresses to the whitelist, these IP addresses will never get blocked, regardless of the number of failed attempts. Edit the Fail2Ban configuration file using the following command:
sudo vim /etc/fail2ban/jail.local
After opening the config file, add the IP addresses to the ignoreip line. This tells Fail2Ban to ignore these IP addresses in the future. By default, the 127.0.0.1/8 IP range is automatically whitelisted. If you want to add a specific IP, such as 192.168.1.100, add it after the existing entries as shown below.
ignoreip = 127.0.0.1/8 ::1 192.168.1.100
Then reload the config with the following command:
sudo systemctl reload fail2ban