Fail2Ban is a log parsing utility that scans the log files of various processes and bans IP addresses that make too many password failures. When it finds such failed attempts, Fail2Ban adds a new rule to iptables to block the attacker's IP address, either temporarily or permanently. It can also alert you by email when it does so.
It is primarily focused on detecting intrusions via SSH but it can be configured to work with any service that uses log files.
A Fedora 33 or a CentOS 8 based server with a non-root user with sudo privileges.
Install Nano editor because that’s what we will use.
$ sudo dnf install nano -y
To install Fail2Ban on CentOS 8, you need to install EPEL Yum repository first.
$ sudo dnf install epel-release
Fedora 33 ships with Fail2Ban.
Run the following command to install Fail2Ban on both Fedora 33 and CentOS 8.
$ sudo dnf install fail2ban
Once installed, we need to enable the service.
$ sudo systemctl enable fail2ban
Next, start the fail2ban service.
$ sudo systemctl start fail2ban
You can now check the status of the service to see if it is working correctly.
$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-11-02 21:15:59 UTC; 5s ago
       Docs: man:fail2ban(1)
    Process: 19031 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 19032 (f2b/server)
      Tasks: 3 (limit: 1125)
     Memory: 11.0M
        CPU: 96ms
     CGroup: /system.slice/fail2ban.service
             └─19032 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Nov 02 21:15:59 howtoforge-tutorial systemd: Starting Fail2Ban Service...
Nov 02 21:15:59 howtoforge-tutorial systemd: Started Fail2Ban Service.
Nov 02 21:15:59 howtoforge-tutorial fail2ban-server: Server ready
The Fail2Ban service keeps its configuration files in the /etc/fail2ban directory. You will come across a file named jail.conf in it. This file usually gets overwritten during package upgrades, so it shouldn’t be edited.
Instead, all configuration should be done in a new file which we will call jail.local. Settings in these 2 files can be further overridden via files from the
Configurations are applied in the following order:
jail.conf contains a [DEFAULT] section followed by sections for individual services. Any of these sections can be overridden by defining them in
We will create a fresh
$ sudo nano /etc/fail2ban/jail.local
Paste the following code in it.
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd

[sshd]
enabled = true
Press Ctrl + X to close the editor and press Y when prompted to save the file. This sets a new default bantime for all services, changes the backend to systemd and enables the
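To make the layering concrete, here is an added example (not part of this tutorial and not Fail2Ban's own code) that merges a constructed excerpt standing in for jail.conf with the jail.local written above using Python's configparser, whose [DEFAULT] inheritance and %(name)s expansion behave like Fail2Ban's config parser; the jail.conf values and the placement of ssh_log in it are assumptions made for the demo.

```python
import configparser

# Constructed excerpt standing in for the packaged jail.conf (assumption: the real file
# defines far more keys, and ssh_log is normally defined in the paths-*.conf it includes).
JAIL_CONF = """\
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
backend = auto
ssh_log = /var/log/secure

[sshd]
port = ssh
logpath = %(ssh_log)s
"""

# The jail.local created in this tutorial.
JAIL_LOCAL = """\
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override backend=auto in /etc/fail2ban/jail.conf
backend = systemd

[sshd]
enabled = true
"""

def effective_settings(*layers):
    """Read config layers in precedence order (later wins) and return the merged view per jail.

    [DEFAULT] keys are inherited by every jail and %(name)s references are expanded, which is
    the same effect Fail2Ban gets from reading jail.conf first and jail.local after it.
    """
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cfg.read_string(text)  # a later layer only overrides the keys it actually sets
    return {jail: dict(cfg[jail]) for jail in cfg.sections()}

if __name__ == "__main__":
    for key, value in sorted(effective_settings(JAIL_CONF, JAIL_LOCAL)["sshd"].items()):
        print(f"{key} = {value}")
```

Running it prints the sshd jail as Fail2Ban sees it: bantime and backend come from jail.local, findtime and maxretry fall through from jail.conf, and logpath has already been expanded to /var/log/secure.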
Restart Fail2ban to implement the new changes.
$ sudo systemctl restart fail2ban
We can confirm the newly applied settings using
$ sudo fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:	sshd
We can also get the detailed status of each jail specifically in the following way.
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
jail.conf provides a lot more settings that can be customised in the jail.local file. We will go over some of them next.
You can whitelist/ignore IPs from being blocked by Fail2ban using the following code.
[DEFAULT]
ignoreip = 127.0.0.1/8 220.127.116.11
If you want to whitelist IPs only for certain jails, you can do so via
$ sudo fail2ban-client set JAIL addignoreip 18.104.22.168
Replace JAIL in the above command with the name of the jail you want to edit the setting for.
Ban Time and Retry amount
There are 3 settings which can set the time and number of retries for a ban.
bantime – is the length of time in seconds for which an IP is banned. To set a permanent ban, set this value to a negative number. The default value is 10 minutes or 600 seconds.
findtime – is the length of the window, in seconds, within which the failed login attempts must fall for a ban to be set. This value is always a number of seconds. For example, if Fail2ban is set to ban an IP after 5 failed login attempts, those 5 attempts must occur within the set 10 minute
maxretry – is the number of retries from a single IP address before a ban is imposed. The default value is 3.
To customise these settings, paste the following lines in the /etc/fail2ban/jail.local file under the
bantime = 3600
findtime = 300
maxretry = 4
To send email alerts, you will need to install a Mail Transfer Agent (MTA) first. For our purpose, we will install
$ sudo dnf install sendmail
To receive the email, add the following code in the /etc/fail2ban/jail.local file under
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
action = %(action_mw)s
destemail refers to the destination email address, i.e. the address at which you want to receive the mails; sendername refers to the name of the sender, so we are using Fail2Ban for it.
mta refers to the Mail Transfer Agent being used, which is sendmail here. If you are using Postfix, then use the value
action refers to the default action that takes place once an intrusion is detected. The default value is %(action_)s, which only bans the user. %(action_mw)s will ban and send an email with a Whois report, while %(action_mwl)s will ban and send an email with the Whois report along with information from the relevant log files. This can also be changed on a jail-specific basis.
Settings for Individual Jails
As we already know, the [DEFAULT] section applies to all jails; it is time to look into some specific jails and their settings.
We have already defined [sshd] earlier in our jail.local file. We can customise it a little more with the following code.
[sshd]
enabled = true
port = ssh
logpath = %(ssh_log)s
In this case, we are using the pre-defined variable ssh for the port, which is the default SSH port. If you are using a different SSH port, you should change it.
logpath refers to the location of the log file to monitor. %(ssh_log)s uses a value defined in Fail2ban’s standard configuration file (
Nginx has several Jails that can be used in Fail2Ban. For example, if a password-protected portion of your site gets attacked repeatedly, you can use a section
jail.local file for that.
[nginx-http-auth]
enabled = true
We can also add a section called [nginx-botsearch] to stop requests to folders or locations that don’t exist.
[nginx-badbots]
enabled = true
There are other Nginx jails too but they don’t come pre-configured with Fail2Ban. They need to be created manually and most of them can be based on the Apache ones that Fail2Ban ships with.
Fail2Ban Filters and Failregexs
There is another setting in Fail2Ban configuration called filters. Filters decide whether a line in the log file indicates a failed authentication.
The filter value in the configuration file is a reference to a file located in the /etc/fail2ban/filter.d directory with its .conf extension removed.
You can see what kind of filters are available by checking the directory.
$ ls /etc/fail2ban/filter.d
You will see 2 log files for Nginx in it;
These configuration files use regular expressions (regex) to parse log files. These expressions are called failregexes. You can customise or create new filters by writing your own regular expressions. We won’t be covering these regular expressions in depth because they are out of the scope of this tutorial.
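The following added example (not from this tutorial and not Fail2Ban's own code) shows how a failregex, the filter just described, and the bantime, findtime and maxretry settings from the Ban Time and Retry amount section fit together: it runs a simplified sshd failregex over constructed /var/log/secure lines and applies the sliding-window ban rule. The regex, the sample lines and the IPv4-only <HOST> expansion are assumptions made for the demo.

```python
import re
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/secure (not from a real host).
SAMPLE_LOG = """\
Nov  2 21:16:01 server sshd[1901]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov  2 21:16:03 server sshd[1901]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov  2 21:16:04 server sshd[1902]: Accepted publickey for deploy from 198.51.100.2 port 40022 ssh2
Nov  2 21:16:07 server sshd[1903]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov  2 21:16:09 server sshd[1904]: Failed password for root from 203.0.113.7 port 51251 ssh2
Nov  2 21:30:00 server sshd[1905]: Failed password for root from 198.51.100.9 port 40100 ssh2
Nov  2 21:31:00 server sshd[1906]: Failed password for root from 198.51.100.9 port 40101 ssh2
Nov  2 21:45:00 server sshd[1907]: Failed password for root from 198.51.100.9 port 40102 ssh2
Nov  2 21:46:00 server sshd[1908]: Failed password for root from 198.51.100.9 port 40103 ssh2
"""

# Simplified failregex in the style of filter.d/sshd.conf. Fail2Ban's real one covers many more
# message forms and its <HOST> tag also matches IPv6 and hostnames; here <HOST> is IPv4 only.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def parse_failures(log_text, failregex=FAILREGEX, year=2020):
    """Return [(epoch_seconds, ip)] for every line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    failures = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue  # e.g. the "Accepted publickey" line is not a failure
        # syslog timestamps carry no year, so one is assumed (the sample is dated 2020)
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        failures.append((stamp.timestamp(), match.group("host")))
    return failures

def decide_bans(failures, findtime=300, maxretry=4, bantime=3600):
    """maxretry failures within findtime seconds ban the IP for bantime; returns {ip: ban expiry}."""
    recent = {}  # ip -> failure timestamps still inside the findtime window
    banned = {}  # ip -> epoch second at which the ban expires
    for ts, ip in sorted(failures):
        if ip in banned and ts < banned[ip]:
            continue  # still banned: the iptables rule would have dropped this packet anyway
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts + bantime
            recent[ip] = []
    return banned

BANS = decide_bans(parse_failures(SAMPLE_LOG))  # only 203.0.113.7 reached 4 failures within 300 s
```

With the tutorial's values (findtime = 300, maxretry = 4, bantime = 3600) the four failures from 203.0.113.7 in eight seconds trigger a one-hour ban, while 198.51.100.9 is never banned because its four failures are spread over 16 minutes and no 300-second window ever holds four of them.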
Monitor Fail2Ban Logs and Firewall
You can check the status of Fail2Ban by using systemctl as stated earlier.
$ sudo systemctl status fail2ban
To get a little more detail, you can use the
$ sudo journalctl -b -u fail2ban
You can also use fail2ban-client to query the status of fail2ban-server or an individual jail.
$ sudo fail2ban-client status
$ sudo fail2ban-client status jail_name
You can also follow Fail2ban’s own log file.
$ sudo tail -F /var/log/fail2ban.log
You can list the current rules configured for iptables.
$ sudo iptables -L
You can also list the iptables rules in a format which reflects the commands necessary to enable those rules.
$ sudo iptables -S
This concludes our tutorial on installing and configuring Fail2Ban on a Fedora 33 or CentOS 8 based server. If you have any questions, do post them in the comments below.