Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject those addresses.
Questions tagged [fail2ban]
724 questions
122 votes, 15 answers
How to show all banned IP with fail2ban?
When I run this command fail2ban-client status sshd I got this:
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 81
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 2
|- Total…
Dark Cyber
48 votes, 6 answers
Permanent block of IP after n retries using fail2ban
I have a fail2ban configured like below:
block the ip after 3 failed attempts
release the IP after 300 sec timeout
This works perfectly and I want to keep it this way such that a valid user gets a chance to retry the login after the timeout. Now,…
BTR Naidu
26 votes, 6 answers
Sharing of fail2ban banned IPs
I'm using fail2ban on all servers with publicly visible services and I wonder:
Is there an easy way to share banned IPs between hosts I control?
Is there a service out there collecting and publishing that data?
I've been getting countless login…
ndemou
20 votes, 13 answers
Stop fail2ban stop/start notifications
If the server is restarted, or even if fail2ban is stopped/started, it sends a notification.
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,…
Michael
13 votes, 1 answer
How to test whether fail2ban can really send an email?
I have configured fail2ban but I would like to test sending of email.
For example, I would like to get an email when fail2ban is started or stopped.
user84686
10 votes, 1 answer
How to use so called action variables in fail2ban?
I've seen a few mentions of these in the docs and misc scripts, but nothing concrete on exactly how they are used. Could anyone give me some examples?
Is it just a case of
myvar=7
.
.
.
[ssh]
bantime=%(myvar)s
If so what is the point?
Secondly,…
fpghost
9 votes, 3 answers
fail2ban blocks IP in ignoreip list
I'm using fail2ban and it continues to block an IP even after I have whitelisted that IP.
In /etc/fail2ban/jail.conf there is a line like the following one:
ignoreip = 53.45.114.103
However fail2ban continues to block this IP. See the…
bearrito
7 votes, 1 answer
Fail2ban doesn't start
I've made some changes to the file /etc/fail2ban/jail.local (a copy of /etc/fail2ban/jail.conf) and saved, but now fail2ban doesn't start. If I erase jail.local, then it starts again. So the problem is in this file (jail.local) but after 2 hours…
user268141
7 votes, 1 answer
How to properly configure fail2ban to ban IP if it is accessing some wrong files
I am trying to configure fail2ban on my test server. I just want to temporarily block any script bots that try to probe my site. So everything that has cgi-bin, admin, setup.php and so on. I previously reviewed all that generates 404 errors with…
Salvador Dali
6 votes, 1 answer
What is the purpose of the _daemon directive in fail2ban?
A number of the filters that come with fail2ban have a _daemon directive, but there is no mention of it in the documentation and no reference to it in any of my jail definitions.
What's it for?
Dancrumb
5 votes, 1 answer
custom filter for Fail2Ban
I have installed fail2ban and I am trying to get it set up to block IP addresses that appear in a certain message that appears in the syslog. The message in the syslog is:
racoon: ERROR: Invalid exchange type 243 from 103.14.62.181[11950]
Usually…
4 votes, 1 answer
Can I use regex in fail2ban logpath?
I am using CentOS 7, yum install fail2ban, in /etc/fail2ban/jail.local, I want to set:
[DEFAULT]
apache_error_log = /var/log/httpd/*error_log
/home/websites/.*?/log/errorlog
to express:
[DEFAULT]
apache_error_log =…
kittygirl
4 votes, 2 answers
fail2ban does not use DROP blocktype
Using Ubuntu 20.04 LTS, I have this in /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 3600
banaction = iptables
blocktype = drop
[sshd]
enabled = true
protocol = tcp
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry =…
nagylzs
3 votes, 1 answer
How to install fail2ban from source in a custom root location?
Installing from source went fine:
sudo apt-get remove fail2ban
wget https://github.com/fail2ban/fail2ban/archive/0.10.3.tar.gz
mv 0.10.3.tar.gz fail2ban-0.10.3.tar.gz
gzip -d fail2ban-0.10.3.tar.gz
tar -xvf fail2ban-0.10.3.tar
cd…
Stephane
3 votes, 0 answers
Can you change the fail2ban log message?
I have fail2ban running on a CentOS 6.8 server; all's well. I've written a simple filter to watch for script kiddies, such as:
[Definition]
failregex = .*GET \/admin/config.php
.*GET \/blog\/
.*GET…
Jim Miller