Questions tagged [fail2ban]

Fail2ban scans log files such as /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject those IP addresses.

673 questions
277 votes, 15 answers

How to Unban an IP properly with Fail2Ban

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly. I know I can work with IPTables directly: iptables -D fail2ban-ssh But is there not a way to do it with the fail2ban-client? In the manuals it states something…
psp
100 votes, 13 answers

How to show all banned IP with fail2ban?

When I run this command fail2ban-client status sshd I got this:

    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed: 81
    |  `- File list: /var/log/auth.log
    `- Actions
       |- Currently banned: 2
       |- Total…
Dark Cyber
65 votes, 11 answers

Denyhosts vs fail2ban vs iptables- best way to prevent brute force logons?

I'm setting up a LAMP server and need to prevent SSH/FTP/etc. brute-force logon attempts from succeeding. I've seen many recommendations for both denyhosts and fail2ban, but few comparisons of the two. I also read that an IPTables rule can fill the…
spiffytech
48 votes, 6 answers

Permanent block of IP after n retries using fail2ban

I have a fail2ban configured like below: block the IP after 3 failed attempts; release the IP after 300 sec timeout. This works perfectly and I want to keep it this way such that a valid user gets a chance to retry the login after the timeout. Now,…
BTR Naidu
33 votes, 5 answers

In Fail2Ban, How to Change the SSH port number?

In my server, the ssh port is not the standard 22. I have set a different one. If I setup fail2ban, will it be able to detect that port? How can I tell it to check that port rather than port 22? The output of iptables -L -v -n: Chain fail2ban-ssh…
THpubs
31 votes, 1 answer

Fail2ban jail.local vs jail.conf

Does the jail.local file act as an override to jail.conf or as a replacement to jail.conf? When I was learning about Fail2Ban from tutorials, most of them usually say either to copy jail.conf to jail.local and make the edits there and some of them say…
Neel
30 votes, 1 answer

How to set up fail2ban to read multi log in a jail?

How can I configure multiple logpaths for the same rule? I'm trying to write a syntax like this:

    [apache-w00tw00t]
    enabled = true
    filter = apache-w00tw00t
    action = iptables-allports
    logpath = /var/log/apache*/*error.log
    logpath =…
Max121
28 votes, 4 answers

fail2ban's database is too large (over 500mb). How do I get it to a reasonable size?

Recently my backups have started failing, and I tracked the problem to the file /var/lib/fail2ban/fail2ban.sqlite3. It is over 500mb. I am not sure whether it has been growing over time or if this is a recent development. How can I get it to a…
felwithe
24 votes, 6 answers

Sharing of fail2ban banned IPs

I'm using fail2ban on all servers with publicly visible services and I wonder: Is there an easy way to share banned IPs between hosts I control? Is there a service out there collecting and publishing that data? I've been getting countless login…
ndemou
22 votes, 11 answers

Fail2Ban: already banned?

I have Fail2Ban running on my CentOS server. (Config below) In my var/log/messages I noticed something really weird: Jun 19 12:09:32 localhost fail2ban.actions: INFO [postfix] 114.43.245.205 already banned I configured Fail2Ban to add the banned…
3und80
19 votes, 13 answers

Stop fail2ban stop/start notifications

If the server is restarted, or even if fail2ban is stopped/started, it sends a notification.

    [asterisk-iptables]
    enabled = true
    filter = asterisk
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK,…
Michael
16 votes, 3 answers

Banning IPv6 addresses

I am currently accustomed to using tools like fail2ban to keep unwanted traffic away from my servers by banning IPv4 addresses: too many bad log entries per IP, ban the IP. However when the world completes the migration to IPv6, banning single…
Mikko Ohtamaa
15 votes, 6 answers

Modify fail2ban failregex to match failed public key authentications via ssh

fail2ban doesn't recognize failed public key ssh logins and I assume that this can be solved by modifying the failregex of /etc/fail2ban/filter.d/sshd.config to match the following line:
apoc
15 votes, 3 answers

How do I setup monitoring of MySQL with Fail2ban?

Searching the internet with search engines on MySQL and fail2ban yields lots of results on putting your fail2ban logs into MySQL, however I'm wanting to monitor failed MySQL attempts to log in and ban those IPs. My application requires that I keep…
InvisibleFrisbee
15 votes, 5 answers

Is it worth the effort to block failed login attempts

Is it worthwhile running fail2ban, sshdfilter or similar tools, which blacklist IP addresses which attempt and fail to log in? I've seen it argued that this is security theatre on a "properly secured" server. However, I feel that it probably makes…
dunxd