- Jonathan Haack
- Haack’s Networking
This tutorial is designed to help you install fail2ban and get a basic set of configurations in place. As always, these blog posts have an associated wiki post that receives updates and changes: fail2ban wiki post.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Once inside the configuration file jail.local edit the destination email and the action parameter. Read the conf file and decide which combination of m, w, l is right for your situation.
If you attempt to log in via ssh and fail within any 4 hour period 4 different times, then you are immediately blocked.
bantime = 1w
findtime = 240m
maxretry = 4
The recidive filter below states that the last 3 weeks will be reviewed and if the ip address in question was banned twice in that timeframe, then the stricter ban of 20 weeks takes effect.
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 20w
findtime = 3
maxretry = 2
In order for this to work, the database purge parameter needs to be adjusted to be greater than or equal to what you specify for the find time in recidive.
sudo nano /etc/fail2ban/fail2ban.conf
<dbpurgeage = 30d>
Okay, so far, fail2ban is installed, configured, and its service might even be running post-installation, but it it is not doing anything. In order for fail2ban to take effect, you need to insert
enabled = true within each element below.
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
After enabling the elements you are in need of, and once all of your other basic configuration changes are done, restart the service, and then check the logs to verify functionality and debug as needed. Verify what fail2ban has done to your iptables in order to enact the policies above.
sudo systemctl restart fail2ban.service
sudo tail -f /var/log/fail2ban.log
sudo iptables -L f2b-sshd
sudo fail2ban-client status
Hope this helps!
— //[[email@example.com|oemb1905]] 2019/11/02 19:20//