Fail2ban: Difference between revisions

From Omnia
Latest revision as of 17:29, 21 May 2025

Fail2Ban

Prevent Brute Force Attacks with Fail2Ban

bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).

Tutorials

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04

See which firewall backend is used (nft or iptables):

$ cat /etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
...

Testing Fail2Ban

fail2ban-client set JAIL banip IP

After configuring Fail2Ban and nftables, you can test its ability to ban IP addresses by manually adding an IP to the banned list using fail2ban-client set JAIL banip IP and then verifying that the corresponding rule is added in the nftables ruleset. [1] [2]

[1] https://nftfw.uk/docs/Using-fail2ban-with-nftfw.html
[2] https://www.secopsolution.com/blog/install-and-configure-fail2ban
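The verification step described above, as an added example that is not part of the original page: it compares the "Banned IP list" reported by fail2ban-client status JAIL with the text of nft list ruleset and prints any banned address that has no exact match in the ruleset. The jail name sshd, the function names, and the sample status and ruleset text are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that every address
# fail2ban reports as banned is actually present in the nftables ruleset.

# Read `fail2ban-client status JAIL` output on stdin, print one banned IP per line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n' | sed '/^$/d'
}

# $1 = status output, $2 = `nft list ruleset` output.
# Prints each banned IP that has no exact match in the ruleset text.
missing_from_ruleset() {
    printf '%s\n' "$1" | banned_ips | while read -r ip; do
        # -F: dots are literal; -w: 198.51.100.7 must not match 198.51.100.77
        printf '%s\n' "$2" | grep -qwF -- "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample data so the check runs offline. The jail name "sshd" and
# the table/set/chain names are assumptions about a typical install.
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  `- Total failed:     6
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   192.0.2.10 198.51.100.7'

SAMPLE_RULESET='table inet f2b-table {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 192.0.2.10, 198.51.100.77 }
    }
    chain f2b-chain {
        type filter hook input priority -1; policy accept;
        tcp dport 22 ip saddr @addr-set-sshd reject
    }
}'

missing_from_ruleset "$SAMPLE_STATUS" "$SAMPLE_RULESET"   # prints 198.51.100.7

# On a live host (as root), after `fail2ban-client set sshd banip 192.0.2.10`:
#   missing_from_ruleset "$(fail2ban-client status sshd)" "$(nft list ruleset)"
```

Empty output means every address fail2ban lists as banned was found in the ruleset; any printed address is a ban that fail2ban believes is active but the firewall is not enforcing.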

Fail2Ban Status

fail2ban-client status

Remove Entry

Find entry:

iptables -L
iptables -L -n

Clear entry:

iptables -D fail2ban-ssh -s [address] -j DROP

This is only temporary: the ban will be re-added when fail2ban is restarted.

-

List all jails:

fail2ban-client status

List entries in jail:

fail2ban-client status [jail]
fail2ban-client status ssh

Unban an entry:

fail2ban-client get ssh actionunban [address]    # note this does not appear to work for me!

firewall - How to Unban an IP properly with Fail2Ban - Server Fault - http://serverfault.com/questions/285256/how-to-unban-an-ip-properly-with-fail2ban

Whitelist

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.

ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8

Whitelist - Fail2ban - http://www.fail2ban.org/wiki/index.php/Whitelist
