Fail2ban

Installing Fail2ban

Fail2ban operates by monitoring log files for certain types of entries (for example repeated failed logins) and running predetermined actions, typically a firewall ban, based on its findings. You can install the software with the following

sudo aptitude install fail2ban

Once installed, copy the default jail.conf file to make a local configuration with this command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then open the new local configuration file for edit with your favourite text editor, for example

sudo nano /etc/fail2ban/jail.local

Scroll down to go through some of the settings available in the configuration file. The [DEFAULT] section applies to every jail unless a jail overrides it: ignoreip lists addresses that are never banned, bantime is how long (in seconds) a ban lasts, findtime is the window (in seconds) in which failures are counted, and maxretry is the number of failures within that window that triggers a ban. Add the address you administer the server from to ignoreip so that a typo in your own password cannot lock you out.

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600 
findtime = 600
maxretry = 3

[sshd]
enabled = true

When you’ve enabled all the jails you wish, save the configuration file and exit the editor. Then you’ll need to restart the service with the following command

sudo service fail2ban restart

With that done, you should now check your iptables rules for the newly added chains (one per enabled jail, named f2b-<jail>) on each of the application modules you enabled. On systems where Fail2ban is configured to use nftables instead of iptables, the chains appear in the nftables ruleset rather than in this output.

sudo iptables -L
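The settings above (ignoreip, findtime, maxretry, bantime) are easy to get wrong in combination, so the following simulation shows how they interact. It is an added example, not code from Fail2ban or from the original page: a small jail model fed constructed sshd log lines, using a simplified failregex in the spirit of the sshd filter and a constructed year for the syslog timestamps (which carry none). Note how 198.51.100.9 escapes the ban with findtime = 600 because its three failures are 15 minutes apart, and is banned once findtime is widened.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 10 12:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 12:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 12:00:20 host sshd[1004]: Failed password for root from 127.0.0.1 port 40000 ssh2
Mar 10 12:00:21 host sshd[1005]: Failed password for root from 127.0.0.1 port 40001 ssh2
Mar 10 12:00:22 host sshd[1006]: Failed password for root from 127.0.0.1 port 40002 ssh2
Mar 10 12:05:00 host sshd[1007]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar 10 12:20:00 host sshd[1008]: Failed password for root from 198.51.100.9 port 51001 ssh2
Mar 10 12:35:00 host sshd[1009]: Failed password for root from 198.51.100.9 port 51002 ssh2
Mar 10 12:36:00 host sshd[1010]: Accepted publickey for alice from 192.0.2.5 port 52000 ssh2
"""

# Simplified failregex modelled on the sshd filter; the named group plays the
# role of fail2ban's <HOST> placeholder. Real filters carry many more patterns.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
ASSUMED_YEAR = "2024"  # assumption: syslog timestamps have no year


def parse_ts(text):
    """Turn a syslog timestamp such as 'Mar 10 12:00:01' into a datetime."""
    return datetime.strptime(ASSUMED_YEAR + " " + text, "%Y %b %d %H:%M:%S")


class Jail:
    """Minimal model of one jail: failures are counted per host inside a
    sliding findtime window; reaching maxretry bans the host for bantime."""

    def __init__(self, failregex, ignoreip, findtime, maxretry, bantime):
        self.failregex = failregex
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}  # host -> timestamps of recent failures
        self.bans = {}      # host -> ban expiry

    def ignored(self, host):
        addr = ip_address(host)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = self.failregex.search(line)
        if not m:
            return None
        host = m.group("host")
        ts = parse_ts(TS_RE.match(line).group("ts"))
        if self.ignored(host):
            return None
        # Expire a finished ban so the host can be banned again later.
        if host in self.bans and self.bans[host] <= ts:
            del self.bans[host]
        # Keep only failures that fall within findtime of this one.
        window = [t for t in self.failures.get(host, []) if ts - t <= self.findtime]
        window.append(ts)
        self.failures[host] = window
        if len(window) >= self.maxretry and host not in self.bans:
            self.bans[host] = ts + self.bantime
            self.failures[host] = []
            return host
        return None


def run_jail(log_text, findtime=600, maxretry=3, bantime=3600,
             ignoreip=("127.0.0.1/8", "::1")):
    """Replay log_text through a jail; return [(host, ban_expiry), ...]."""
    jail = Jail(FAILREGEX, ignoreip, findtime, maxretry, bantime)
    banned = []
    for line in log_text.splitlines():
        host = jail.feed(line)
        if host:
            banned.append((host, jail.bans[host]))
    return banned


if __name__ == "__main__":
    for ft in (600, 1800):
        print(f"findtime={ft}:")
        for host, until in run_jail(SAMPLE_LOG, findtime=ft):
            print(f"  ban {host} until {until}")
```

Loopback failures are dropped by the ignoreip check, exactly as the [DEFAULT] setting above intends; removing that entry would ban 127.0.0.1 too. The real daemon additionally persists bans in its database and applies them through the configured action, which this model does not do.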

Unban the IP address

Any banned IP addresses will appear in the chain belonging to the jail in which the failed login attempts were detected. You can also manually ban and unban IP addresses in the jails you defined with the following commands (the jail name, for example sshd, is the one from jail.local).

sudo fail2ban-client set <jail> banip/unbanip <ip address>

# For example

sudo fail2ban-client set sshd unbanip 83.136.253.43

Commands

The commands presented below can be executed either one at a time or from the interactive shell using:

fail2ban-client <COMMAND>

# or

fail2ban-client -i

Basic

start #starts the server and the jails
reload #reloads the configuration
reload <JAIL> #reloads the jail <JAIL>
stop #stops all jails and terminates the server
status #gets the current status of the server
ping #tests if the server is alive
help #prints this help output

Logging

set loglevel <LEVEL> #sets logging level to <LEVEL>. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
get loglevel #gets the logging level
set logtarget <TARGET> #sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file
get logtarget #gets logging target
flushlogs #flushes the logtarget if a file and reopens it. For log rotation. 

Database

set dbfile <FILE> #set the location of fail2ban persistent datastore. Set to "None" to disable
get dbfile #get the location of fail2ban persistent datastore
set dbpurgeage <SECONDS> #sets the max age in <SECONDS> that history of bans will be kept
get dbpurgeage #gets the max age in seconds that history of bans will be kept 

Jail control

add <JAIL> <BACKEND> #creates <JAIL> using <BACKEND>
start <JAIL> #starts the jail <JAIL>
stop <JAIL> #stops the jail <JAIL>. The jail is removed
status <JAIL> #gets the current status of <JAIL> 

Jail configuration

set <JAIL> idle on|off #sets the idle state of <JAIL>
set <JAIL> addignoreip <IP> #adds <IP> to the ignore list of <JAIL>
set <JAIL> delignoreip <IP> #removes <IP> from the ignore list of <JAIL>
set <JAIL> addlogpath <FILE> #adds <FILE> to the monitoring list of <JAIL>
set <JAIL> dellogpath <FILE> #removes <FILE> from the monitoring list of <JAIL>
set <JAIL> logencoding <ENCODING> #sets the <ENCODING> of the log files for <JAIL>
set <JAIL> addjournalmatch <MATCH> #adds <MATCH> to the journal filter of <JAIL>
set <JAIL> deljournalmatch <MATCH> #removes <MATCH> from the journal filter of <JAIL>
set <JAIL> addfailregex <REGEX> #adds the regular expression <REGEX> which must match failures for <JAIL>
set <JAIL> delfailregex <INDEX> #removes the regular expression at <INDEX> for failregex
set <JAIL> ignorecommand <VALUE> #sets ignorecommand of <JAIL>
set <JAIL> addignoreregex <REGEX> #adds the regular expression <REGEX> which should match lines to ignore for <JAIL>
set <JAIL> delignoreregex <INDEX> #removes the regular expression at <INDEX> for ignoreregex
set <JAIL> findtime <TIME> #sets the number of seconds <TIME> for which the filter will look back for <JAIL>
set <JAIL> bantime <TIME> #sets the number of seconds <TIME> a host will be banned for <JAIL>
set <JAIL> datepattern <PATTERN> #sets the <PATTERN> used to match date/times for <JAIL>
set <JAIL> usedns <VALUE> #sets the usedns mode for <JAIL>
set <JAIL> banip <IP> #manually Ban <IP> for <JAIL>
set <JAIL> unbanip <IP> #manually Unban <IP> in <JAIL>
set <JAIL> maxretry <RETRY> #sets the number of failures <RETRY> before banning the host for <JAIL>
set <JAIL> maxlines <LINES> #sets the number of <LINES> to buffer for regex search for <JAIL>
set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>] #adds a new action named <ACT> for <JAIL>. Optionally for a Python based action, a <PYTHONFILE> and <JSONKWARGS> can be specified, else it will be a Command Action
set <JAIL> delaction <ACT> #removes the action <ACT> from <JAIL> 

Jail information

get <JAIL> logpath #gets the list of the monitored files for <JAIL>
get <JAIL> logencoding #gets the encoding of the log files for <JAIL>
get <JAIL> journalmatch #gets the journal filter match for <JAIL>
get <JAIL> ignoreip #gets the list of ignored IP addresses for <JAIL>
get <JAIL> ignorecommand #gets ignorecommand of <JAIL>
get <JAIL> failregex #gets the list of regular expressions which matches the failures for <JAIL>
get <JAIL> ignoreregex #gets the list of regular expressions which matches patterns to ignore for <JAIL>
get <JAIL> findtime #gets the time for which the filter will look back for failures for <JAIL>
get <JAIL> bantime #gets the time a host is banned for <JAIL>
get <JAIL> datepattern #gets the pattern used to match date/times for <JAIL>
get <JAIL> usedns #gets the usedns setting for <JAIL>
get <JAIL> maxretry #gets the number of failures allowed for <JAIL>
get <JAIL> maxlines #gets the number of lines to buffer for <JAIL>
get <JAIL> actions #gets a list of actions for <JAIL> 
