Install Fail2ban

sudo apt update
sudo apt install fail2ban

Check Installation

Once the installation is completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:

sudo systemctl status fail2ban

Configure Fail2ban

Create local configuration file

The configuration files are /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It's best not to modify these, as they can be overwritten by an update.

The easiest way is to copy jail.conf to jail.local and edit the copy with your own settings:

sudo cp /etc/fail2ban/jail.{conf,local}

Your *.local file does not have to include all settings from the corresponding .conf file, only those you want to override.

Edit configuration file

Open the *.local configuration file with your text editor:

sudo vim /etc/fail2ban/jail.local

The file includes comments describing what each configuration option does.

Whitelist IP Addresses

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. You can add your local PC IP and all other machines that you want to whitelist.

Uncomment the line starting with ignoreip and add your IP addresses, separated by spaces:

ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

Change Ban Settings

The values of bantime, findtime, and maxretry options define the ban time and ban conditions.

bantime

Is the duration for which the IP is banned.

  • When no suffix is specified, it defaults to seconds.
  • By default, the bantime value is set to 10 minutes.

Change the value to e.g. 1 day:

bantime  = 1d

findtime

Is the time window within which the failures must occur for a ban to be set.

  • For example, if Fail2ban is set to ban an IP after five failures those failures must occur within the findtime duration.

Change the value to e.g. 10 minutes:

findtime  = 10m

maxretry

Is the number of failures before an IP is banned.

  • The default value is set to five.

Change the value to e.g. 10 max retries:

maxretry  = 10
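
How the three settings interact, as an added example that is not part of the original guide and not Fail2ban's own code: a simplified model of the ban decision, run over constructed sshd log lines. The log format, the regex and the names simulate and sample_lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from this guide: bantime = 1d, findtime = 10m, maxretry = 10, plus ignoreip.
BANTIME, FINDTIME, MAXRETRY = timedelta(days=1), timedelta(minutes=10), 10
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in "127.0.0.1/8 ::1 192.168.1.0/24".split()]
# Assumed, simplified line format: ISO timestamp, host, sshd[pid], message.
LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for "
                  r"(?:invalid user )?\S+ from (\S+)")

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, ban_start, ban_end)] for a simplified model of one jail."""
    failures = defaultdict(deque)          # ip -> failure times inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in IGNOREIP):
            continue                       # whitelisted, never counted
        if ip in banned_until and ts < banned_until[ip]:
            continue                       # still banned
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((str(ip), ts, ts + bantime))
            window.clear()
    return bans

def sample_lines():
    """Constructed log lines (not real data): fast, slow and whitelisted source."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{} host sshd[100]: Failed password for root from {} port 22 ssh2"
    events = []
    for i in range(10):
        events.append((t0 + timedelta(seconds=30 * i), "203.0.113.7"))   # fast
        events.append((t0 + timedelta(minutes=2 * i), "198.51.100.9"))   # slow
        events.append((t0 + timedelta(seconds=i), "192.168.1.50"))       # ignoreip
    return [fmt.format(ts.isoformat(), ip) for ts, ip in sorted(events)]

if __name__ == "__main__":
    print(*simulate(sample_lines()), sep="\n")
```

With the values above, the source that fails once every two minutes is never banned; with a maxretry of five, both non-whitelisted sources are.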

Email Notifications

Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP server installed on your server. It works well with postfix.

Change action to send emails

On the Fail2ban server, you need to change the default action, %(action_)s, which only bans the IP, to:

action = %(action_mw)s

This action bans the offending IP and sends an email with a whois report. If you want to include the relevant logs in the email, set the action to %(action_mwl)s.

Adjust mail addresses

You also need to adjust the sending and receiving email addresses:

destemail = youremailaddress@gmail.com
sender = fail2ban

Restart Fail2ban service

Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect:

sudo systemctl restart fail2ban

Fail2ban Client

Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service. This tool can be used to ban/unban IP addresses, change settings, restart the service, and more.

View all available options

fail2ban-client -h

Check the status of the server

sudo fail2ban-client status

Check the jail status

sudo fail2ban-client status sshd

Unban an IP

sudo fail2ban-client set sshd unbanip 23.34.45.56

Ban an IP

sudo fail2ban-client set sshd banip 23.34.45.56