This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!
Fail2ban scans log files (e.g.
/var/log/httpd/error_log) and bans IPs that show the malicious
signs like too many password failures, seeking for exploits, etc. Generally Fail2ban is then used
to update firewall rules to reject the IP addresses for a specified amount of time, although any
other arbitrary action (e.g. sending an email) could also be configured.
Table of contents¶
jail.conf configurations, it is recommended to install either
gamin (in order of preference) to control how log
file modifications are detected.
Due to the possibility of the
/etc/fail2ban/jail.conf file being overwritten or improved during a
distribution update, it is recommended to create
/etc/fail2ban/jail.local file. E.g.:
# vi /etc/fail2ban/jail.local > [DEFAULT] > > ignoreself = true > ignoreip = 127.0.0.1/8 > > bantime = 7d > findtime = 1d > maxretry = 3
/etc/fail2ban/jail.conffor all possible options)
Now to configure a specific service like
# vi /etc/fail2ban/jail.d/sshd.local > [sshd] > enabled = true > logpath = /var/log/messages > bantime = 1y
Add the fail2ban service to the default start level:
Start fail2ban service:
Print the running jails:
Obtain specific information about each jail, such as the list of currently banned addresses, executed filters, etc:
Unban an IP (e.g. 22.214.171.124) from a jail:
When you think the filters are not working properly, you can use
fail2ban-regex to try them out.
You pass it the log file to check and the filter to run, and it will give back what it found:
If this cheat sheet has been useful to you, then please consider leaving a star here.