Syspirit

Fail2Ban

Server protection with Fail2Ban - configuration, monitoring, and ban management!

Linux

Fail2Ban is a log-driven intrusion-prevention daemon. It watches log files (or the systemd journal) for lines that match a filter's failregex, counts the failures per source address, and once an address exceeds maxretry failures within findtime it runs an action, normally a firewall rule (iptables, nftables, firewalld) that blocks the address for bantime seconds. Other actions (mail notifications, custom scripts) can be configured.

⚙️ Service Management

📌 Action | 🧠 Command
▶️ Start service | sudo systemctl start fail2ban
⏹️ Stop service | sudo systemctl stop fail2ban
🔁 Restart service | sudo systemctl restart fail2ban
🔄 Reload config | sudo fail2ban-client reload
📊 Service status | sudo systemctl status fail2ban
🚀 Enable at boot | sudo systemctl enable fail2ban
🔍 View system logs | sudo journalctl -u fail2ban -f

📋 Monitoring and Status

📌 Action | 🧠 Command
📊 General status | sudo fail2ban-client status
🔍 Jail details (example: sshd) | sudo fail2ban-client status sshd
📋 List active jails | sudo fail2ban-client status | grep "Jail list"
📊 Jail statistics (filter hits, banned IPs, watched files) | sudo fail2ban-client status <jail>
🔢 Fail2Ban version | sudo fail2ban-client version
📜 Real-time logs | sudo tail -f /var/log/fail2ban.log

🚫 Ban Management

📌 Action | 🧠 Command
👁️ View banned IPs | sudo fail2ban-client status <jail>
🚫 Ban an IP | sudo fail2ban-client set <jail> banip <IP>
🔓 Unban an IP in one jail | sudo fail2ban-client set <jail> unbanip <IP>
🔓 Unban an IP in every jail | sudo fail2ban-client unban <IP>
🗑️ Unban all IPs | sudo fail2ban-client unban --all
🔍 Search bans | sudo grep "Ban " /var/log/fail2ban.log
🔓 Search unbans | sudo grep "Unban " /var/log/fail2ban.log

These commands go through the daemon, so the firewall rule and Fail2Ban's ban database stay in step. Removing a rule by hand with iptables or nft does not: the address remains "banned" in the database and is re-applied on the next restart.
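
The two grep commands above list events; the following Python does the same replay in a way that also tells you which addresses are still banned per jail and which ones keep coming back (the population the recidive jail targets). This is an added example, not code from the original page or from the Fail2Ban project; the log excerpt is constructed for it, and EVENT_RE assumes the default log line format ("<timestamp> <logger> [<pid>]: <LEVEL> [<jail>] <message>").

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/fail2ban.log (assumption: invented for this
# example; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_FAIL2BAN_LOG = """\
2024-03-10 12:00:20,101 fail2ban.filter         [8123]: INFO    [sshd] Found 203.0.113.5 - 2024-03-10 12:00:20
2024-03-10 12:00:31,402 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-10 12:02:07,015 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 203.0.113.9
2024-03-10 12:10:44,330 fail2ban.actions        [8123]: NOTICE  [apache-auth] Ban 198.51.100.23
2024-03-10 13:00:31,517 fail2ban.actions        [8123]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-10 13:05:12,008 fail2ban.actions        [8123]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-10 13:20:00,000 fail2ban.actions        [8123]: NOTICE  [sshd] Restore Ban 203.0.113.42
"""

# Matches the Ban/Unban events that grep "Ban " finds, plus the "Restore Ban"
# lines written when bans are re-applied from the database after a restart.
# "Found" lines from the filter (a single match, not yet a ban) do not match.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+\s*\[\d+\]: \S+\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)$"
)


def summarize_bans(log_text):
    """Replay ban/unban events in log order. Returns, per jail: number of bans,
    number of unbans, the set of IPs still banned at the end of the log, and a
    Counter of how many times each IP was banned."""
    stats = defaultdict(lambda: {"bans": 0, "unbans": 0, "active": set(), "per_ip": Counter()})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # filter "Found" lines and other noise
        jail, action, ip = m.group("jail", "action", "ip")
        s = stats[jail]
        if action in ("Ban", "Restore Ban"):
            s["bans"] += 1
            s["active"].add(ip)
            s["per_ip"][ip] += 1
        else:  # Unban
            s["unbans"] += 1
            s["active"].discard(ip)
    return dict(stats)


def repeat_offenders(stats, min_bans=2):
    """IPs banned at least min_bans times in any jail: candidates for a longer
    bantime or for the recidive jail."""
    return sorted(ip for s in stats.values() for ip, n in s["per_ip"].items() if n >= min_bans)


if __name__ == "__main__":
    stats = summarize_bans(SAMPLE_FAIL2BAN_LOG)
    for jail, s in stats.items():
        print(f"{jail}: bans={s['bans']} unbans={s['unbans']} active={sorted(s['active'])}")
    print("repeat offenders:", repeat_offenders(stats))
```

Run it against the real file with `summarize_bans(open("/var/log/fail2ban.log").read())`; the "active" sets should agree with what `fail2ban-client status <jail>` reports, and a mismatch is the symptom of rules having been edited outside Fail2Ban.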

📂 Configuration

📌 File | 🧠 Description
/etc/fail2ban/jail.conf | Default jail configuration shipped by the package (do not modify; it is overwritten on upgrade)
/etc/fail2ban/jail.local | Your overrides of jail.conf (recommended place for changes)
/etc/fail2ban/jail.d/ | Drop-in jail files; distributions often ship their defaults here (Debian's defaults-debian.conf, for example)
/etc/fail2ban/filter.d/ | Filters: the failregex/ignoreregex applied to each log
/etc/fail2ban/action.d/ | Actions executed when banning and unbanning (firewall rules, mail, scripts)
/var/log/fail2ban.log | Fail2Ban's own log
/var/lib/fail2ban/fail2ban.sqlite3 | Ban database; bans are restored from it after a restart

🔒 Jail Configuration

📌 Parameter | 🧠 Description | 📊 Example
enabled | Enable/disable the jail | true
port | Port(s) the ban rule blocks for the offending IP (names from /etc/services or numbers); detection comes from the log, not from traffic on these ports | ssh,22
filter | Filter to use (filter.d/<name>.conf) | sshd
logpath | Log file(s) to watch: /var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL-family; on hosts that log only to the journal set backend = systemd instead | /var/log/auth.log
maxretry | Number of failures within findtime that triggers a ban | 5
bantime | Ban duration in seconds (0.10+ also accepts suffixes such as 10m or 1h) | 3600
findtime | Window in seconds within which the maxretry failures must occur | 600

Also set ignoreip in the [DEFAULT] section (for example ignoreip = 127.0.0.1/8 ::1 plus your management addresses) so that a mistyped password from your own workstation cannot lock you out.
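
To make the interplay of maxretry, findtime and bantime concrete, here is a small Python model of one jail that replays a constructed auth.log excerpt and reports, per source address, whether each matching line was counted as a failure, triggered a ban, or arrived while the address was already banned. This is an added example and not code from the original page or from Fail2Ban itself: the two failregex patterns are written in the style of filter.d/sshd.conf but are not copied from it, the <HOST> expansion is simplified to IPv4 (the real one also matches IPv6 and host names), and the log lines are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified <HOST> expansion (assumption: IPv4 only; Fail2Ban's real
# substitution also matches IPv6 addresses and host names).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Two patterns in the style of filter.d/sshd.conf (assumption: the shipped
# filter has many more lines; these are not copied from it).
FAILREGEX = [
    r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2",
    r"Invalid user \S+ from <HOST>",
]

# Constructed /var/log/auth.log excerpt (assumption: invented for this example).
# 203.0.113.5 hammers the host, 203.0.113.9 tries one password every 5 minutes,
# 198.51.100.7 is a legitimate user who mistypes twice, far apart.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Invalid user admin from 203.0.113.5
Mar 10 12:00:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:10 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:15 web1 sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 10 12:00:20 web1 sshd[2108]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 12:00:31 web1 sshd[2110]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 10 12:00:45 web1 sshd[2112]: Failed password for root from 203.0.113.5 port 51270 ssh2
Mar 10 12:05:00 web1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar 10 12:10:00 web1 sshd[2130]: Failed password for root from 203.0.113.9 port 60001 ssh2
Mar 10 12:15:00 web1 sshd[2131]: Failed password for root from 203.0.113.9 port 60002 ssh2
Mar 10 12:20:00 web1 sshd[2132]: Failed password for root from 203.0.113.9 port 60003 ssh2
Mar 10 12:25:00 web1 sshd[2133]: Failed password for root from 203.0.113.9 port 60004 ssh2
Mar 10 12:30:00 web1 sshd[2134]: Failed password for root from 203.0.113.9 port 60005 ssh2
Mar 10 12:30:05 web1 sshd[2140]: Failed password for deploy from 198.51.100.7 port 40031 ssh2
Mar 10 13:01:00 web1 sshd[2150]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""


class Jail:
    """Minimal model of one jail: a host producing maxretry matching lines
    within findtime seconds is banned for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.regex = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
        self.failures = defaultdict(deque)  # host -> timestamps inside the findtime window
        self.banned = {}                     # host -> time the ban expires

    def match(self, line):
        """Return the <HOST> captured by the first failregex that matches, else None."""
        for rx in self.regex:
            m = rx.search(line)
            if m:
                return m.group("host")
        return None

    def process(self, ts, line):
        """Feed one log line; return (host, outcome) or (None, None) if no match."""
        host = self.match(line)
        if host is None:
            return None, None
        if host in self.banned and ts >= self.banned[host]:
            del self.banned[host]  # bantime elapsed: the ban is lifted
        if host in self.banned:
            return host, "already-banned"
        window = self.failures[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            self.banned[host] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return host, "ban"
        return host, "fail"


def run_jail(log_text, **params):
    """Replay a syslog-format log through a Jail. Returns (events, banned):
    events maps host -> outcomes in log order; banned maps host -> ban expiry."""
    jail = Jail(**params)
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp, year ignored
        host, outcome = jail.process(ts, line)
        if host is not None:
            events[host].append(outcome)
    return dict(events), dict(jail.banned)


if __name__ == "__main__":
    events, banned = run_jail(SAMPLE_AUTH_LOG)  # maxretry=5, findtime=600, bantime=3600
    for host, outcomes in events.items():
        print(host, outcomes)
    print("banned until:", {h: t.strftime("%H:%M:%S") for h, t in banned.items()})
```

With the page's values the fast attacker is banned on its fifth failure and the ban has lapsed by 13:01, the slow attacker never has five failures inside a 10-minute window and is never banned, and the legitimate user's two mistakes do not add up. Rerun with `findtime=3600` and the slow attacker is caught too; rerun with `maxretry=3` and the ban lands two lines earlier. Tuning findtime against a realistic slow-brute-force cadence is the point of the exercise.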

📝 Configuration Examples

Basic SSH Configuration (protect SSH connections)

Comments go on their own lines: jail.conf documents '#' for whole-line comments and ';' preceded by a space for inline comments, so writing enabled = true # comment leaves the '#' text inside the value and the option is not read as intended.

[sshd]
# Enable this jail
enabled = true
# Port(s) the ban rule blocks; "ssh" resolves to 22 via /etc/services
port = ssh
# Built-in filter filter.d/sshd.conf
filter = sshd
# Log to analyze (Debian/Ubuntu path; /var/log/secure on RHEL-family, or use backend = systemd)
logpath = /var/log/auth.log
# 5 failures ...
maxretry = 5
# ... within a 10-minute window (600 seconds) ...
findtime = 600
# ... ban for 1 hour (3600 seconds)
bantime = 3600

Simple Web Configuration (protect web server HTTP authentication)

[apache-auth]
enabled = true
# Block ports 80 and 443 for the banned IP
port = http,https
# Filter for Apache authentication failures (filter.d/apache-auth.conf)
filter = apache-auth
# Apache error log on Debian/Ubuntu
logpath = /var/log/apache2/error.log
# Stricter: only 3 attempts
maxretry = 3
# Ban for 2 hours; findtime is inherited from [DEFAULT] since it is not set here
bantime = 7200
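
The comment rule matters enough to see it fail. The following Python is an added example, not code from the page or from Fail2Ban; it models the rule jail.conf documents with the standard library's configparser (whole-line '#' comments, inline ';' comments after whitespace) and parses two constructed jail.local fragments, one using the '#' inline style and one written correctly.

```python
import configparser

# Constructed jail.local fragment with '#' inline comments (assumption: written
# for this example). This is the style that does not work.
BROKEN = """\
[sshd]
enabled = true          # Enable this jail
port = ssh              # Protect SSH port (22)
maxretry = 5            # 5 max attempts before banning
"""

# The same settings with whole-line '#' comments and one ' ;' inline comment.
FIXED = """\
[sshd]
# Enable this jail
enabled = true
port = ssh       ; ';' after a space starts an inline comment
maxretry = 5
"""


def parse_jail(text):
    """Parse a jail fragment with the comment rules jail.conf documents:
    '#' starts a comment only at the beginning of a line, ';' preceded by
    whitespace starts an inline comment."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    return cp


def jail_settings(text, jail="sshd"):
    """Return (enabled, port, maxretry) as they would be read; enabled is None
    when the stored text is not a recognised boolean."""
    sec = parse_jail(text)[jail]
    try:
        enabled = sec.getboolean("enabled")
    except ValueError:
        enabled = None  # "true          # Enable this jail" is not a boolean
    return enabled, sec["port"], sec["maxretry"]


if __name__ == "__main__":
    print("broken:", jail_settings(BROKEN))
    print("fixed: ", jail_settings(FIXED))
```

The broken fragment yields no usable boolean for enabled and a port value that still contains the comment text; the fixed one yields (True, "ssh", "5"). On a real host, `sudo fail2ban-client -t` is the quickest way to catch this before reloading.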

🛡️ Common Jails

📌 Service | 🧠 Jail | 📊 Port(s)
🔐 SSH | sshd | ssh,22
🌐 Apache | apache-auth | http,https
🌐 Nginx | nginx-http-auth | http,https
📧 Postfix | postfix | smtp,465,587
📧 Dovecot | dovecot | pop3,imap,993,995
📡 FTP | vsftpd | ftp,21
🗄️ MySQL | mysqld-auth | 3306

🔍 Testing and Troubleshooting

📌 Action | 🧠 Command
✅ Test a filter against a log | sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
✅ Test a filter and print every matched line | sudo fail2ban-regex --print-all-matched /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
🔄 Reload a jail | sudo fail2ban-client reload <jail>
⏹️ Stop a jail | sudo fail2ban-client stop <jail>
▶️ Start a jail | sudo fail2ban-client start <jail>
🔍 Check iptables rules | sudo iptables -S | grep -E 'f2b-|fail2ban-'
🔍 Check nftables rules (banaction = nftables) | sudo nft list ruleset | grep f2b
🗑️ Flush a jail's iptables chain | sudo iptables -F f2b-<jail>

Fail2Ban 0.10 and later name their chains f2b-<jail>; older releases used fail2ban-<jail>, which is why the grep matches both. Flushing a chain by hand removes the rules behind Fail2Ban's back while its database still lists the addresses as banned, so prefer unbanip or unban --all; reach for iptables -F only when the chain itself is broken, and restart fail2ban afterwards so it rebuilds the chain.

🛠️ Common Troubleshooting

🆘 Problem | 🧠 Solution
❌ Service won't start | Test the configuration with sudo fail2ban-client -t, then read sudo journalctl -u fail2ban for the section and option it rejects
📜 Logs not analyzed | Check that logpath exists and appears under "File list" in sudo fail2ban-client status <jail>; on hosts that log only to the journal set backend = systemd
🚫 IPs not banned | Run fail2ban-regex against the real log: zero matches means the failregex or the date format does not fit the log lines; also make sure the address is not covered by ignoreip
🔧 iptables issue | Check that banaction matches the firewall in use (iptables-multiport, nftables, firewallcmd-ipset); restarting fail2ban rebuilds the chains and restores bans from its database
💾 Too much memory used | Usually many tracked failures or a large ban database: shorten findtime, lower dbpurgeage in fail2ban.local, and rotate the watched logs
📊 Empty statistics | Check that the protected service is actually writing to the watched log (log level and path) and that the jail is enabled