Fail2Ban scans log files and bans IP addresses that generate too many password failures. It does this by adding firewall rules that reject traffic from the offending address; the rules (actions) it adds can be defined by the user. Fail2Ban can read multiple log files, such as the sshd or Apache web server logs.



How to: Install and Configure Fail2Ban


Downloading and Installing Fail2Ban


You can use the built-in package managers to install Fail2Ban.


1. Ubuntu/Debian

apt-get install fail2ban


2. CentOS

yum install epel-release
yum install fail2ban fail2ban-systemd


Configuring Fail2Ban Settings


Fail2Ban will operate with default settings, but there are certain settings which may be of interest to edit.


Instead of editing the /etc/fail2ban/jail.conf file directly, we will make a copy at /etc/fail2ban/jail.local.

cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Note: The .local file settings override the .conf ones.


To open the file using nano enter the command

nano /etc/fail2ban/jail.local


A typical jail configuration will look like:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3


There are a few important settings to take note of:

  • ignoreip: IP addresses Fail2Ban will never ban. If you connect from a static IP address, add it here to avoid locking yourself out after failed attempts.
  • bantime: The duration, in seconds, that an IP address will be banned for.
  • findtime: The window, in seconds, within which repeated failed connections count towards a ban.
  • maxretry: The number of failures allowed within findtime before an address is banned.

Configure these settings to your desired values to customize how your Fail2Ban operates.


For CentOS we need to create the local jail configuration.


1. Create a local jail config for sshd

nano /etc/fail2ban/jail.d/sshd.local


2. Apply the settings

[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400


Note: Make sure you restart the Fail2Ban service for configuration changes to take effect.


1. Ubuntu/Debian

service fail2ban restart

2. CentOS

systemctl restart fail2ban


Operating Fail2Ban


Now that Fail2Ban is up and running there are a few useful commands to be aware of. Fail2ban uses fail2ban-client for most operations.


1. To check to see which jails are running

fail2ban-client status


2. To check the ssh jail status and get a list of banned IPs

Ubuntu/Debian

fail2ban-client -v status ssh

CentOS

fail2ban-client -v status sshd


3. You can also check iptables for a list of banned IPs

iptables -L -n


4. To remove a banned IP from the ssh jail

Ubuntu/Debian

fail2ban-client set ssh unbanip IPADDRESS

CentOS

fail2ban-client set sshd unbanip IPADDRESS


5. To manually ban an IP

Ubuntu/Debian

fail2ban-client set ssh banip IPADDRESS

CentOS

fail2ban-client set sshd banip IPADDRESS


Note: Refer to the Fail2Ban manual pages for more detailed command information

Ubuntu/Debian

man fail2ban-client
man fail2ban-server

CentOS

fail2ban-client --help
fail2ban-server --help



Viewing Log Files


It can be useful to view the log files to track failed login attempts.


1. Ubuntu/Debian

grep 'Failed password' /var/log/auth.log


2. CentOS

grep 'Failed password' /var/log/secure
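As an added example (not part of the original article and not Fail2Ban's own code), the following POSIX shell script dry-runs the [DEFAULT] settings described earlier (ignoreip, findtime, maxretry) against sshd "Failed password" lines like the ones the grep commands above return, and prints the source addresses Fail2Ban would ban. It is useful for checking a planned findtime/maxretry pair, and that your own address is really covered by ignoreip, before the jail goes live. The settings values and the log lines are constructed for the example; DNS-host entries in ignoreip are not handled, and all timestamps are assumed to fall in the same month.

```shell
#!/bin/sh
# Added example: dry run of the Fail2Ban ban decision (not Fail2Ban's code).
# Settings below mirror the [DEFAULT] keys from jail.local (constructed values).
IGNOREIP="127.0.0.1/8 10.0.0.0/8"
FINDTIME=600
MAXRETRY=3

# Constructed sshd log lines in syslog format (not from a real server).
SAMPLE_LOG='Mar 10 09:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:04 vps sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:00:09 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 09:01:15 vps sshd[2110]: Failed password for alice from 192.0.2.25 port 40000 ssh2
Mar 10 09:05:00 vps sshd[2120]: Failed password for bob from 10.0.0.5 port 33000 ssh2
Mar 10 09:05:02 vps sshd[2121]: Failed password for bob from 10.0.0.5 port 33001 ssh2
Mar 10 09:05:04 vps sshd[2122]: Failed password for bob from 10.0.0.5 port 33002 ssh2
Mar 10 09:30:00 vps sshd[2150]: Failed password for alice from 192.0.2.25 port 40001 ssh2
Mar 10 10:00:00 vps sshd[2200]: Failed password for alice from 192.0.2.25 port 40002 ssh2'

# ip4_to_int A.B.C.D -> unsigned 32-bit integer (needs 64-bit shell arithmetic)
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (a bare address means /32)
in_cidr() {
    cidr_ip=$(ip4_to_int "$1")
    case "$2" in
        */*) cidr_net=${2%/*}; cidr_bits=${2#*/} ;;
        *)   cidr_net=$2;      cidr_bits=32 ;;
    esac
    cidr_net=$(ip4_to_int "$cidr_net")
    [ "$cidr_bits" -eq 0 ] && return 0
    cidr_mask=$(( (4294967295 << (32 - cidr_bits)) & 4294967295 ))
    [ $(( cidr_ip & cidr_mask )) -eq $(( cidr_net & cidr_mask )) ]
}

# is_ignored IP -> exit 0 if IP matches any entry of the ignoreip list
is_ignored() {
    for entry in $IGNOREIP; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# failures_per_ip: the article's grep, summarised as "count ip" per source
failures_per_ip() {
    grep 'Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn
}

# would_ban: read log lines on stdin, print each IP that reaches MAXRETRY
# failures inside a FINDTIME-second window, unless it is in ignoreip.
would_ban() {
    awk -v findtime="$FINDTIME" -v maxretry="$MAXRETRY" '
    /Failed password/ {
        # syslog stamp "Mar 10 09:00:01": day*86400 + h*3600 + m*60 + s
        split($3, t, ":")
        ts = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++; hit[ip, n[ip]] = ts
        # failures from this IP that still fall inside the findtime window
        c = 0
        for (j = n[ip]; j >= 1 && ts - hit[ip, j] <= findtime; j--) c++
        if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }' |
    while read -r src; do
        is_ignored "$src" || echo "$src"
    done
}

# Usage: 203.0.113.7 is banned (3 failures in 8 s); 192.0.2.25 is not (its
# 3 failures span an hour); 10.0.0.5 is excused by ignoreip.
printf '%s\n' "$SAMPLE_LOG" | would_ban
```

To run it against a real log, replace the printf with `grep 'Failed password' /var/log/auth.log | would_ban` (or /var/log/secure on CentOS) and set the three variables to the values in your jail.local.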


Now you have the tools to customize and use Fail2Ban to prevent brute force logins on your VPS!


For additional resources on specifics of using Fail2Ban, please consult Fail2ban Support and Community reference material:



Fail2Ban Wiki

Fail2Ban Documentation

Fail2Ban FAQ