Questions tagged [fail2ban]

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address.

673 questions
14 votes, 2 answers

Fail2Ban Correctly Attempts to Ban IP but IP does not get banned - iptables chain exists but not working

Running on Ubuntu 14.04 Server. So I have fail2ban correctly configured to process /var/log/auth.log for SSH login attempts. Upon 3 failed attempts I see this in the fail2ban log: 2014-11-19 15:22:56,822 fail2ban.actions: WARNING [ssh] Ban…
Halsafar
13 votes, 3 answers

Installing from EPEL on Amazon EC2

I am trying to install fail2ban on our Amazon EC2 Linux AMI (CentOS). I know that fail2ban is in the EPEL so I have done the following: wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm sudo rpm -Uvh…
williamsdb
13 votes, 2 answers

Fail2Ban unblock ipaddress

I am trying to unblock an IP address without restarting Fail2Ban each time, what is the best way of doing this? Or can you point me in the direction of a useful guide? As you can see below the IP address I am trying to remove is: 89.31.259.161 #…
John Magnolia
12 votes, 3 answers

Fail2ban log filled with entries saying "fail2ban.filter : WARNING Determined IP using DNS Lookup:.."

My fail2ban log at /var/log/fail2ban.log is completely filled with entries saying: fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address] I think this may have begun after I changed my ssh port... Any idea what the cause of this is…
Dirk Calloway
12 votes, 1 answer

How to test whether fail2ban can really send an email?

I have configured fail2ban but I would like to test sending of email. For example, I would like that I get email when fail2ban is started or stopped.
user84686
11 votes, 1 answer

Fail2Ban blocking behaviours depending on the status code

I am using Fail2Ban and I have configured it as needed. This is reading logs from nginx/error.log and is acting depending on configs about maxretry and timing sets. The question is: is it possible to have different rules depending on status…
Parsa Samet
11 votes, 2 answers

Why is fail2ban not banning this attack?

I have fail2ban installed to ban bruteforce attempts on the ssh password. There are business requirements for not disabling password authentication on this machine. fail2ban was installed using the same chef cookbook that effectively bans ssh…
Leo
11 votes, 3 answers

Why is iptables not blocking an ip address?

I have configured fail2ban to monitor a certain pattern of malicious traffic I'm getting and ban IP addresses associated. Everything seems to be working great -- the regex is matching the pattern appropriately and the problem IP address is getting…
jsdalton
11 votes, 3 answers

Does fail2ban monitor rotated log files?

Does fail2ban continue to monitor rotated log files? For example, I have a rule monitoring /var/log/fail2ban.log which is automatically rotated by the system every week (7 days). I want to have a rule that monitors for banned IPs in that log to…
J. Chin
11 votes, 5 answers

is fail2ban safe? Better to use ssh keys?

I'm in doubt if I should use key authentication when logging into SSH, or just go for fail2ban + ssh (root login disabled). Is fail2ban safe or is it really better to just go ahead and generate keys and config that on all my client machines that…
solsol
10 votes, 3 answers

Securing linux servers: iptables vs fail2ban

I would like to pick the community's brain regarding linux server security, specifically regarding brute-force attacks and using fail2ban vs custom iptables. There are a few similar questions out there but none of them address the topic to my…
kingmilo
10 votes, 1 answer

How to use so called action variables in fail2ban?

I've seen a few mentions of these in the docs and misc scripts, but nothing concrete on exactly how they are used. Could anyone give me some examples? Is it just a case of myvar=7 . . . [ssh] bantime=%(myvar)s If so what is the point? Secondly,…
fpghost
10 votes, 2 answers

How to *add* rules in local fail2ban filter definition?

I have installed fail2ban as packaged by Debian on a server under my control. Since I have some failregexes from before, I'm putting those into the local filter definition file so they will be considered as well. Hence, I end up with e.g.…
user
10 votes, 2 answers

Custom fail2ban Filter for phpMyadmin bruteforce attempts

In my quest to block excessive failed phpMyAdmin login attempts with fail2ban, I've created a script that logs said failed attempts to a file: /var/log/phpmyadmin_auth.log Custom log The format of the /var/log/phpmyadmin_auth.log file…
Michael Robinson
10 votes, 4 answers

How to block all root login attempts using denyhosts and or fail2ban?

I currently block all ssh logins using root. But I wanted to go the extra mile and block the IP address of the client who tried to log in as root. I currently have denyhosts and fail2ban set up and working, can I use denyhosts and/or fail2ban to block…
samwell