Setup Fail2ban for Debian and Ubuntu

My notes only, taken from various sources. There are other, much more complete guides for Fail2ban available.

Install Fail2ban

sudo apt-get install fail2ban

Filter definitions are located in /etc/fail2ban/filter.d
Action definitions are located in /etc/fail2ban/action.d

The following is a minimal setup.

Configure Fail2ban

sudo vi /etc/fail2ban/jail.conf

Configuration for jail.conf

destemail = you@example.com # address that alerts are sent to
ignoreip = 127.0.0.1 0.0.0.0 # your own IPs, which must never be jailed
findtime = 3600 # add this line - time window in which an IP's failures are counted
bantime = 604800 # how long an IP stays jailed, in seconds (1 week)
maxretry = 3
action = %(action_mw)s

Add the following option to /etc/conf.d/fail2ban to prevent the socket problem:
FAIL2BAN_OPTIONS="-x"
The -x option forces fail2ban to overwrite the old socket.

sudo service fail2ban restart

or

sudo /etc/init.d/fail2ban restart

Watch logs

tail -f /var/log/auth.log -f /var/log/fail2ban.log

Achtung! The documentation does not mention that all commands must be run as root (sudo); otherwise you get error messages that give no hint of the cause.

start		 starts the server and the jails
reload		 reloads the configuration
stop		 stops all jails and terminates the server
status		 gets the current status of the server
ping		 tests if the server is alive

sudo fail2ban-client -i

Options:
-c <DIR> configuration directory
-s <FILE> socket path
-d dump configuration. For debugging
-i interactive mode
-v increase verbosity
-q decrease verbosity
-x force execution of the server (remove socket file)
-h, --help display this help message
-V, --version print the version

Full list of Fail2ban Commands

http://www.fail2ban.org/wiki/index.php/Commands

Fail2ban Tools

My compilation from the most excellent The Art of Web.

iptables -L

Test a filter against a log file

syntax
fail2ban-regex <LOG> <FILTER>
example
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
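As an added example (not from these notes and not Fail2ban's own code), the script below mimics what fail2ban-regex reports for an sshd filter: it applies a simplified single-pattern failregex (an assumption; the real filter.d/sshd.conf carries several patterns) to constructed auth.log lines, counts matches per source IP, and then applies the maxretry = 3 threshold from the jail.conf settings above.

```bash
#!/bin/bash
# Added example, not part of the original notes or of Fail2ban itself.
# Stand-in for "fail2ban-regex <LOG> <FILTER>": apply one sshd-style
# failregex to a log and count matches per source IP, then show which
# hosts would reach maxretry (3 in the jail.conf settings above).

# Constructed /var/log/auth.log sample (not real traffic; RFC 5737 test IPs).
AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 5002 ssh2
Jan 10 10:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 5003 ssh2
Jan 10 10:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 5004 ssh2
Jan 10 10:00:09 host sshd[1005]: Failed password for bob from 198.51.100.7 port 5005 ssh2
Jan 10 10:00:11 host sshd[1006]: Connection closed by 192.0.2.44 port 5006 [preauth]
EOF

# Simplified failregex (assumption): a single pattern, whereas the real
# /etc/fail2ban/filter.d/sshd.conf has many. What Fail2ban captures as
# <HOST> is the token after "from" here.
FAILREGEX='Failed password for (invalid user )?[^ ]+ from [0-9.]+ port'

# count_failures LOG: print "count ip" per source, most failures first.
# Lines that do not match the failregex (successful logins, preauth
# disconnects) are ignored, just as the jail would ignore them.
count_failures() {
  grep -E "$FAILREGEX" "$1" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# would_ban LOG MAXRETRY: IPs whose failure count reached maxretry.
# (The daemon additionally requires the failures to fall inside findtime,
# which this offline stand-in does not model.)
would_ban() {
  count_failures "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "Failures per host:"
count_failures "$AUTH_LOG"
echo "Would be banned with maxretry=3:"
would_ban "$AUTH_LOG" 3
```

Run it as-is to see 203.0.113.5 reach the threshold while 198.51.100.7 (one failure) and 192.0.2.44 (no failregex match) stay clear; swap the constructed log for a real auth.log to compare with what fail2ban-regex prints.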

Monitor Fail2ban

iptables -vnL --line-numbers
watch -d 'iptables -vnL --line-numbers'
fail2ban-client status ssh

Report Fail2Ban

awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $NF}' | sort | uniq -c
awk '($(NF-1) ~ /Ban/){print $NF,"("$NF")"}' /var/log/fail2ban.log | sort | logresolve | uniq -c | sort -n
grep "Ban " /var/log/fail2ban.log | awk -F'[ :]' '{print $10,$8}' | sort | uniq -c | sort -n
grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n
zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
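The report pipelines above are easiest to check on a log you can read in full. As an added example (not from these notes and not from The Art of Web), this script runs the same per-IP count, plus a per-jail count and a per-day count, over a constructed fail2ban.log. The line layout it assumes is the one current Fail2ban writes (older releases wrote "fail2ban.actions: WARNING ..."), so the field numbers in the $10/$8 and $5/$1 one-liners depend on your version; counting fields from the end with $(NF-1) and $NF does not.

```bash
#!/bin/bash
# Added example, not part of the original notes or of The Art of Web.
# Runs the "Report" awk pipelines over a constructed fail2ban.log so the
# result can be verified offline. Line layout assumed (current Fail2ban):
#   <date> <time> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>

BAN_LOG="$(mktemp)"
trap 'rm -f "$BAN_LOG"' EXIT
cat > "$BAN_LOG" <<'EOF'
2024-01-10 10:00:01,100 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5
2024-01-10 10:00:05,200 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-01-10 10:02:11,300 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2024-01-10 10:05:40,400 fail2ban.actions        [1234]: NOTICE  [apache-auth] Ban 203.0.113.5
2024-01-11 10:00:05,500 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-01-11 11:15:09,600 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.9
EOF

# bans_per_ip LOG: "count ip", most-banned first. The test is "~" (match),
# not "=" (assignment): only lines whose second-last field is exactly Ban
# count, so the Found and Unban lines are excluded.
bans_per_ip() {
  awk '$(NF-1) ~ /^Ban$/ { print $NF }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# bans_per_jail LOG: "count jail", brackets stripped from the jail name.
# Fields counted from the end keep this independent of the log layout.
bans_per_jail() {
  awk '$(NF-1) ~ /^Ban$/ { j = $(NF-2); gsub(/\[|\]/, "", j); print j }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# bans_on_day LOG YYYY-MM-DD: distinct IPs banned on one day (the
# date-filtered one-liner above hard-codes today; here the day is a parameter).
bans_on_day() {
  awk -v day="$2" '$1 == day && $(NF-1) ~ /^Ban$/ { print $NF }' "$1" | sort -u
}

echo "Bans per IP:";          bans_per_ip "$BAN_LOG"
echo "Bans per jail:";        bans_per_jail "$BAN_LOG"
echo "Banned on 2024-01-10:"; bans_on_day "$BAN_LOG" 2024-01-10
```

Point the functions at /var/log/fail2ban.log (or loop them over the rotated fail2ban.log* files with zcat) to get the same reports on a live host; piping the per-IP output through logresolve, as in the one-liners above, adds reverse-DNS names.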
