2.2 Auto-block login attempts (using fail2ban)

Fail2ban is a tool that blocks and bans ip addresses that have failed certain criteria, such as too many failed login attempts. This is very useful for preventing brute-force password guessing. Fail2ban blocks ip addresses using the iptables firewall, so if you skipped the previous section on iptables, go back there now.


sudo apt-get install fail2ban

After this it should start automatically, otherwise start it as usual with service fail2ban start.

Fail2ban uses filters to filter relevant information from logs. The filters are located in /etc/fail2ban/filter.d/, where you can add and edit the active filters.

The fail2ban logs, where you can read what, when and why fail2ban has decided to block a remote address, are written to /var/log/fail2ban.log.

Whenever an ip is banned, it is 'sent to jail'. There can be several jails for different offenses and sentences. Check which jails are active using:

fail2ban-client status

All default configurations are in the files /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. I suggest having a look at their content. To override their rules, don't edit the files directly but instead create a file for your own custom settings, using the .local extension (e.q. /etc/fail2ban/jail.local).

Unbanning an IP

If you ever find an ip banned by mistake, here's a way to unban the ip without waiting. First, find the jail that's banning the ip:

sudo iptables -L

It'll say DROP somewhere, followed by an ip or hostname. Above it will be the name of the jail, e.g. if it reads fail2ban-ssh the jail name will be ssh. Use the jail name and hostname/ip to unban it with the following command:

sudo fail2ban-client get {jail name} actionunban {ip}

results matching ""

    No results matching ""