Install Fail2Ban
Install Fail2Ban with the following command:
sudo apt install -y fail2ban
Configure Fail2Ban Defaults
Edit the default Fail2Ban config if you need to manually configure any jails (settings in the .local file override the matching settings in the .conf file):
sudo nano /etc/fail2ban/jail.local
Fail2Ban requires a firewall on the server and uses iptables by default. If you want to use UFW instead, because it is easier to manage or for any other reason, switch the ban actions over to UFW with the following settings in the jail.local file:
[DEFAULT]
banaction = ufw
banaction_allports = ufw
If you need to whitelist any IPs, add the following configuration to the [DEFAULT] section of the configuration and update it accordingly:
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 <Network Address>/<CIDR Mask>
To change the default number of failures in an allotted timeframe, add the following settings to the [DEFAULT] section to override the default of 5 failures in 10 minutes (adjust the values accordingly):
findtime = 10m
maxretry = 5
Note: You can use "s" for seconds, "m" for minutes, "h" for hours, and "d" for days.
To change the default ban time, add the following setting to the [DEFAULT] section to override the default of 10 minutes (adjust the value accordingly):
bantime = 10m
Note: You can use "s" for seconds, "m" for minutes, "h" for hours, and "d" for days, or use any negative number to permanently ban the IP address.
Create a new Filter and Jail
To create a new filter, we'll need to create a configuration file for our new jail using the following command (we're copying from an existing filter to help us get started and using HAProxy as an example):
sudo cp /etc/fail2ban/filter.d/haproxy-http-auth.conf /etc/fail2ban/filter.d/haproxy-sitename.conf
sudo nano /etc/fail2ban/filter.d/haproxy-sitename.conf
Next, you'll set up the filter accordingly by modifying the failregex line to match with the log file entries that you want to count as a failure for banning purposes (this could be 401 errors, 503 errors, etc).
Here's an example for filtering on an IP getting 401 errors:
failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
Here's an example for filtering on an IP trying to access common file paths that are used to try to exploit servers:
failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.* {(www\.)?icstexas\.com} "(GET|POST) \/(wp-login\.php|router\.php|xmlrpc\.php|indoxploit\.php|wso\.php|admin\.php|upload\.php|shell\.php)\/? HTTP\/1\.1"$
If you're using UFW instead of iptables for your firewall, you'll need to set up an application profile for UFW so it knows what ports to block when Fail2Ban is triggered. Use the following command to create a new UFW application profile (here we're creating one for HAProxy's default front end running on ports 80 and 443):
sudo nano /etc/ufw/applications.d/haproxy-fe
Put the following configuration in the file and save it (adjust accordingly; the section header is the application name that the jail will reference):
[HAProxy Frontend]
title=HAProxy Standard Frontend for HTTP(S)
description=HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
ports=80,443/tcp
Now, we'll confirm that UFW has picked up our application profile using the following command:
sudo ufw app list
To create a new jail, we'll need to create a configuration file for our new jail using the following command:
sudo nano /etc/fail2ban/jail.d/haproxy-sitename.conf
Next, you'll set up the jail accordingly using examples in the main jail.conf file, or this example for HAProxy, which will ban any client for 30 minutes if the HAProxy log file has any lines matching our filter 5 times in 10 minutes from the same IP address:
[haproxy-sitename]
enabled = true
bantime = 30m
findtime = 10m
maxretry = 5
logpath = /var/log/haproxy.log
port = http,https
action = ufw[application="HAProxy Frontend"]
Note: All filenames and section names must match exactly for them to work together. Any naming differences will not allow the filter and jail to work properly.
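To see how the filter and the jail's findtime/maxretry settings work together before restarting the service, here is an added Python example (not part of this guide or of Fail2Ban itself) that replays the second failregex above over a few constructed HAProxy log lines and reports which client IPs would be banned. It assumes the placeholder site name example.com in place of the real one, expands <HOST> to a simplified named group, and reads the timestamp from HAProxy's accept-date field rather than the syslog prefix.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The guide's exploit-path failregex, with <HOST> expanded to a named group
# (simplified from fail2ban's own expansion) and the site name replaced by
# the placeholder example.com.
HOST = r"(?P<host>[\w\-.]+)"
FAILREGEX = re.compile(
    r'^.*haproxy\[[0-9]+\]: ' + HOST + r':.* {(www\.)?example\.com} '
    r'"(GET|POST) \/(wp-login\.php|router\.php|xmlrpc\.php|indoxploit\.php|'
    r'wso\.php|admin\.php|upload\.php|shell\.php)\/? HTTP\/1\.1"$'
)
# HAProxy accept timestamp, e.g. [01/Jan/2024:12:00:01.123]
ACCEPT_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}\.\d{3})\]")


def hosts_to_ban(lines, findtime=timedelta(minutes=10), maxretry=5):
    """Apply the jail rule: ban a host once maxretry matching lines
    fall inside a single findtime window (same defaults as the jail above)."""
    recent = defaultdict(deque)   # host -> timestamps of its recent failures
    banned = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue                 # not a failure as far as the filter is concerned
        host = m.group("host")
        ts = datetime.strptime(ACCEPT_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S.%f")
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def log_line(ip, minute, path, status=404):
    """Constructed HAProxy httplog line (sample data, not a real log)."""
    ts = f"01/Jan/2024:12:{minute:02d}:00.000"
    return (f"Jan  1 12:{minute:02d}:00 lb haproxy[1234]: {ip}:51234 [{ts}] fe_http "
            f"be_site/web1 0/0/0/1/1 {status} 312 - - ---- 1/1/0/0/0 0/0 "
            f'{{www.example.com}} "GET {path} HTTP/1.1"')


SAMPLE_LOG = (
    [log_line("203.0.113.7", m, "/wp-login.php") for m in range(6)]          # 6 probes in 5 min
    + [log_line("203.0.113.7", 7, "/index.html", 200)]                        # benign, no match
    + [log_line("198.51.100.4", m, "/xmlrpc.php") for m in range(0, 60, 12)]  # 5 probes, 12 min apart
    + [log_line("192.0.2.9", m, "/shell.php") for m in range(3)]              # only 3 probes
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # ['203.0.113.7']
```

Only the first address is banned: the second host's probes are each more than findtime apart, so they never accumulate to maxretry inside one window, and the third never reaches five.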
When finished making any changes, restart the Fail2Ban service with the following command:
sudo service fail2ban restart
Checking Fail2Ban Jail Status
To check the status of a Fail2Ban jail, run the following command (using our haproxy-sitename as an example):
sudo fail2ban-client status haproxy-sitename
Unbanning an IP from a Jail
To unban an IP from a specific jail, use the following command:
sudo fail2ban-client set <Jail Name> unbanip <IP Address>
Manually banning an IP for a Jail
To manually ban an IP from a specific jail, use the following command:
sudo fail2ban-client set <Jail Name> banip <IP Address>