
Fail2Ban Howto: Block IP Address Using Fail2ban and IPTables

Fail2ban scans log files for various services (SSH, FTP, SMTP, Apache, etc.) and bans any IP address that produces too many password failures. It also updates the firewall rules to reject those IP addresses.

Fail2ban is an intrusion prevention framework written in the Python programming language.

The main purpose of Fail2ban is to prevent brute-force login attacks.

Also, refer to our earlier article on Tripwire (Linux host based intrusion detection system).

Install Fail2ban

To install Fail2ban from source, download it from SourceForge.

Use apt-get to install Fail2ban on a Debian based system as shown below.

# apt-get install fail2ban

You can also install Fail2ban manually by downloading the fail2ban deb package.

# dpkg -i fail2ban_0.8.1-1_all.deb

How to configure fail2ban

All Fail2ban configuration files are located under the /etc/fail2ban directory.

/etc/fail2ban/fail2ban.conf

The main purpose of this file is to configure Fail2ban's own logging directives.

  • loglevel: Set the log level output.
  • logtarget: Specify the log file path.

Actions taken by Fail2ban are logged in the /var/log/fail2ban.log file. You can change the verbosity in the conf file to one of: 1 – ERROR, 2 – WARN, 3 – INFO or 4 – DEBUG.

/etc/fail2ban/jail.conf

The jail.conf file contains the declaration of the service configurations. This configuration file is broken up into different sections. The DEFAULT settings apply to all sections.

The following DEFAULT section of jail.conf says that after five failed access attempts from a single IP address within 600 seconds, i.e. 10 minutes (findtime), that address will be automatically blocked for 600 seconds (bantime).

[DEFAULT]
ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600
  • ignoreip: A space-separated list of IP addresses that fail2ban will never block.
  • maxretry: Maximum number of failed login attempts before a host is blocked by fail2ban.
  • findtime: Window in seconds within which the maxretry failures must occur for a host to be blocked (600 seconds = 10 minutes).
  • bantime: Time in seconds that a host is blocked once it is caught by fail2ban (600 seconds = 10 minutes).

Service Configurations

By default, some services are included as templates. The following is an example of the ssh service section.

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
action  = iptables
  • enabled: Enable fail2ban checking for the ssh service.
  • port: Service port (as referred to in the /etc/services file).
  • filter: Name of the filter used by the service to detect matches. This name corresponds to a file name in ‘/etc/fail2ban/filter.d’ without the ‘.conf’ extension. For example: ‘filter = sshd’ refers to ‘/etc/fail2ban/filter.d/sshd.conf’.
  • logpath: The log file that fail2ban checks for failed login attempts.
  • action: This option tells fail2ban which action to take once a filter matches. This name corresponds to a file name in ‘/etc/fail2ban/action.d/’ without the ‘.conf’ extension. For example: ‘action = iptables’ refers to ‘/etc/fail2ban/action.d/iptables.conf’.

Fail2ban will monitor the /var/log/auth.log file for failed access attempts, and if it finds repeated failed ssh login attempts from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

Fail2ban Filters

The directory /etc/fail2ban/filter.d contains the regular expressions used to detect break-in attempts, password failures, etc., for the various services.

For example:

  • sshd.conf – Fail2ban ssh related filters
  • apache-auth.conf – Fail2ban apache service filters

We can also add our own regular expressions to detect unwanted actions.
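To show how the DEFAULT jail settings above (maxretry, findtime, bantime, ignoreip) and a filter.d-style failregex work together, here is an added Python example; it is not part of the article or of Fail2ban itself. The failregex, the IPv4-only <HOST> expansion and the auth.log-style sample lines are constructed for illustration, and the scanner is a simplified model of the real daemon (it reads timestamps as plain integers and never unbans early).

```python
import re
from collections import defaultdict

# Constructed failregex in fail2ban's style: <HOST> marks where the client
# address appears (assumption; not copied from filter.d/sshd.conf).
FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"
# Jail settings taken from the article's [DEFAULT] example.
IGNOREIP = {"127.0.0.1"}
MAXRETRY, FINDTIME, BANTIME = 5, 600, 600


def compile_failregex(pattern):
    """Expand the <HOST> token into a named IPv4 capture group (IPv4 only here)."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(pattern.replace("<HOST>", host))


def scan(lines, now):
    """Return {ip: ban_expiry} for hosts with MAXRETRY failures inside a
    FINDTIME window. lines are (unix_timestamp, log_text) pairs."""
    regex = compile_failregex(FAILREGEX)
    failures = defaultdict(list)  # ip -> timestamps of matching lines
    bans = {}
    for ts, text in sorted(lines):
        m = regex.search(text)
        if not m:
            continue  # e.g. an "Accepted publickey" line
        ip = m.group("host")
        if ip in IGNOREIP or ip in bans:
            continue  # whitelisted, or already blocked by the firewall
        failures[ip].append(ts)
        # keep only failures inside the findtime window ending at this line
        failures[ip] = [t for t in failures[ip] if ts - t <= FINDTIME]
        if len(failures[ip]) >= MAXRETRY:
            bans[ip] = ts + BANTIME  # ban expires bantime seconds later
    return {ip: exp for ip, exp in bans.items() if exp > now}


# Constructed sample log: one fast brute force, one slow one that never puts
# five failures inside a single 600 s window, one whitelisted host, one success.
SAMPLE_LOG = (
    [(1000 + 10 * i, "sshd[2311]: Failed password for root from 192.0.2.10 port 4242 ssh2") for i in range(6)]
    + [(1000 + 200 * i, "sshd[2312]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2") for i in range(5)]
    + [(1000 + i, "sshd[2313]: Failed password for root from 127.0.0.1 port 6000 ssh2") for i in range(5)]
    + [(1100, "sshd[2314]: Accepted publickey for alice from 203.0.113.5 port 7000 ssh2")]
)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, now=1100))  # only 192.0.2.10 is banned, until t=1640
```

Only the fast attacker crosses maxretry within findtime; the slow one stays at four failures per window, which is the gap a longer findtime would close.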

Fail2ban Actions

The directory /etc/fail2ban/action.d contains the scripts defining the actions that execute once a filter matches. Only one filter is allowed per service, but several actions may be specified, one per line.

For example:

  • iptables.conf – block and unblock an IP address
  • mail.conf – send mail to the configured user

Start/Stop Fail2ban Service

After making configuration changes, stop and start the Fail2ban daemon as shown below.

# /etc/init.d/fail2ban stop

# /etc/init.d/fail2ban start



  • guest June 2, 2013, 6:34 am

    how to unban?

  • Babin lonston August 1, 2013, 10:43 am

    This helped me a lot. Superb …

  • jasin August 14, 2013, 5:51 am

    @Guest

    Unban is done automatically according to the time you set the ban for. If you want a permanent ban then you set a negative number for ‘bantime’

    While fail2ban is a great program, basic brute force security also involves turning off root login. I noticed over half of my brute force attacks were on the root user.

  • Huh October 22, 2013, 5:36 pm

    So the title is “Block IP address” yet it does not show how to explicitly block an IP address.

    If you add it manually to iptables, fail2ban will not keep it and iptables will lose it next time you restart fail2ban.

    Tip: Use csf. It’s much more powerful, configurable, and does not have basic logic flaws like fail2ban.

    For those like me stuck because someone else installed fail2fail, on to Google to find how to explicitly ban an IP …

  • anonymous October 18, 2014, 3:23 am

    Thank U. Your articles are really helpful. Please write articles about SELINUX.

  • Ranger April 29, 2017, 10:38 am

    Great tutorial