fail2ban install notes
apt update
apt install fail2ban
Once the install completes, the fail2ban service starts automatically. Verify with:

root@gemini:/home/kevin# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-03 11:34:32 BST; 4min 7s ago
       Docs: man:fail2ban(1)
   Main PID: 543825 (f2b/server)
      Tasks: 5 (limit: 2280)
     Memory: 14.9M
     CGroup: /system.slice/fail2ban.service
             └─543825 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jun 03 11:34:32 gemini systemd[1]: Starting Fail2Ban Service...
Jun 03 11:34:32 gemini systemd[1]: Started Fail2Ban Service.
Jun 03 11:34:32 gemini fail2ban-server[543825]: Server ready
root@gemini:/home/kevin#
The default Fail2ban installation ships two jail configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf (the daemon's own settings, such as logging, live separately in /etc/fail2ban/fail2ban.conf). Do not edit these files directly: a package update may overwrite them and silently undo your changes.
fail2ban reads the jail configuration files in the following order, and later files override earlier ones, so a .local file always wins over the matching .conf:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local
The quickest start is to copy jail.conf to jail.local and edit the copy, but a full copy carries every default with it and stops tracking the packaged jail.conf on upgrade. The cleaner option is a .local file written from scratch: it only needs the settings you want to override, and everything else falls through to the .conf. Keep /etc/fail2ban/jail.conf to hand as the reference for the default values and for the list of standard services fail2ban ships jails for.
Create a .local config file from the default jail.conf file:

root@gemini:/home/kevin# cp /etc/fail2ban/jail.{conf,local}
root@gemini:/home/kevin# nano /etc/fail2ban/jail.local
The daemon's own settings (logging, socket, pid file) are overridden in fail2ban.local, not in jail.local. Logging was set up there first:

root@gemini:/etc/fail2ban# cat fail2ban.local
# Basic Configuration
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
root@gemini:/etc/fail2ban#

The full copy of jail.conf made above was then removed and jail.local rewritten from scratch to hold only the overrides:

root@gemini:/etc/fail2ban# rm jail.local
root@gemini:/etc/fail2ban# nano jail.local
config as follows:

root@gemini:/etc/fail2ban# cat jail.local
# Basic Configuration
[DEFAULT]
bantime = 1800
findtime = 600
maxretry = 3
backend = systemd
root@gemini:/etc/fail2ban#

These apply to every jail unless a jail section overrides them: an address that produces maxretry (3) matching failures within findtime (600 s) is banned for bantime (1800 s). backend = systemd makes fail2ban read the journal instead of log files such as /var/log/auth.log, which is what you want on hosts where rsyslog is not installed and auth.log is never written. On Debian the sshd jail itself is switched on by /etc/fail2ban/jail.d/defaults-debian.conf, so nothing here needs to enable it.
then restart:

root@gemini:/etc/fail2ban# systemctl restart fail2ban
root@gemini:/etc/fail2ban# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-03 11:46:52 BST; 4s ago
       Docs: man:fail2ban(1)
    Process: 545164 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 545178 (f2b/server)
      Tasks: 5 (limit: 2280)
     Memory: 76.0M
     CGroup: /system.slice/fail2ban.service
             └─545178 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Jun 03 11:46:52 gemini systemd[1]: Starting Fail2Ban Service...
Jun 03 11:46:52 gemini systemd[1]: Started Fail2Ban Service.
Jun 03 11:46:52 gemini fail2ban-server[545178]: Server ready
root@gemini:/etc/fail2ban#
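The jail.local above has one gap a practitioner would close before restarting: there is no ignoreip, so three failed logins from your own workstation ban you for 30 minutes. The script below is an added example, not the page's own config; it renders a jail.local that keeps the page's values, adds an ignoreip whitelist and an explicit [sshd] stanza, refuses a file with no ignoreip, and runs fail2ban-client -t (fail2ban's own config test) before the restart. The 203.0.113.0/24 admin network and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own config: render a minimal jail.local
# that keeps the page's values but adds an ignoreip whitelist (so the
# admin's own address can never be banned) and an explicit [sshd] stanza,
# then validate it with fail2ban's own parser before restarting.
# The whitelist CIDR passed in (203.0.113.0/24 below) is an assumption.

# Print the jail.local text. $1 = address or CIDR to whitelist.
render_jail_local() {
    admin_cidr="$1"
    cat <<EOF
# Local overrides only; every other key keeps its jail.conf default.
[DEFAULT]
# Loopback plus the admin network. Without this, mistyping your own
# password maxretry times locks you out for bantime seconds.
ignoreip = 127.0.0.1/8 ::1 ${admin_cidr}
# seconds: maxretry failures inside findtime earn a bantime ban
bantime = 1800
findtime = 600
maxretry = 3
# Read the journal rather than /var/log/auth.log; needed on hosts
# without rsyslog, where auth.log is never written.
backend = systemd

[sshd]
enabled = true
# also match "Connection closed by authenticating user" style lines
mode = aggressive
EOF
}

# Write the file. $1 = whitelist, $2 = target (default /etc/fail2ban/jail.local).
install_jail_local() {
    target="${2:-/etc/fail2ban/jail.local}"
    render_jail_local "$1" > "$target"
}

# Refuse a jail.local with no ignoreip at all: that is the lockout trap.
# Returns 1 when the key is missing, 0 when it is present.
lint_jail_local() {
    if ! grep -q '^[[:space:]]*ignoreip[[:space:]]*=' "$1"; then
        echo "$1: no ignoreip set; add your management address before restarting" >&2
        return 1
    fi
    return 0
}

# fail2ban-client -t parses the full config and exits non-zero on error;
# run it before systemctl restart so a typo does not take the daemon down.
# Skipped with a note where fail2ban is not installed (e.g. when trying
# this script on another machine).
check_config() {
    if command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client -t
    else
        echo "fail2ban-client not found; skipping config test" >&2
    fi
}

# Usage on the host, as root:
#   install_jail_local 203.0.113.0/24 \
#     && lint_jail_local /etc/fail2ban/jail.local \
#     && check_config && systemctl restart fail2ban
```

The mode = aggressive line is the knob jail.conf itself documents in its [sshd] section; it widens the sshd filter to the "Connection closed by authenticating user" and similar lines that the normal mode ignores, at the cost of a few more false positives from broken clients.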
To see which addresses fail2ban (f2b) has blocked or rejected you can check the fail2ban log. A Found line is a single failure matched by a jail's filter; a Ban line is the action firing once maxretry failures from the same address fall within findtime:

tail -f /var/log/fail2ban.log

root@gemini:~# tail -f /var/log/fail2ban.log
2021-06-03 11:50:48,748 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 106.12.75.10
2021-06-03 11:50:49,885 fail2ban.filter         [545178]: INFO    [sshd] Found 106.12.75.10 - 2021-06-03 11:50:49
2021-06-03 11:50:49,886 fail2ban.filter         [545178]: INFO    [sshd] Found 81.69.192.217 - 2021-06-03 11:50:49
2021-06-03 11:50:59,385 fail2ban.filter         [545178]: INFO    [sshd] Found 113.31.125.11 - 2021-06-03 11:50:58
2021-06-03 11:50:59,390 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 113.31.125.11
2021-06-03 11:51:01,592 fail2ban.filter         [545178]: INFO    [sshd] Found 113.31.125.11 - 2021-06-03 11:51:01
2021-06-03 11:51:47,135 fail2ban.filter         [545178]: INFO    [sshd] Found 62.14.232.3 - 2021-06-03 11:51:46
2021-06-03 11:51:50,385 fail2ban.filter         [545178]: INFO    [sshd] Found 62.14.232.3 - 2021-06-03 11:51:49
2021-06-03 11:51:52,590 fail2ban.filter         [545178]: INFO    [sshd] Found 62.14.232.3 - 2021-06-03 11:51:52
2021-06-03 11:51:52,682 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 62.14.232.3
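Watching tail -f shows events as they happen but not the net result, since bans expire and the Unban lines scroll past too. The script below is an added example, not part of these notes: it reduces a fail2ban.log to the addresses still banned at the end of the file (each Ban, including the "Restore Ban" lines fail2ban 0.11 writes when it reloads its ban database at startup, minus any later Unban) and counts new bans per jail. LOG_SAMPLE is constructed test data in the format fail2ban writes, using RFC 5737 documentation addresses; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: reduce fail2ban.log to
# what is actually banned right now, instead of eyeballing `tail -f` or
# `iptables -L`. LOG_SAMPLE is constructed test data in the exact format
# fail2ban writes; the addresses are RFC 5737 documentation ranges.
# On a real host: currently_banned < /var/log/fail2ban.log

LOG_SAMPLE='2021-06-03 11:50:48,748 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 192.0.2.10
2021-06-03 11:50:49,885 fail2ban.filter         [545178]: INFO    [sshd] Found 192.0.2.10 - 2021-06-03 11:50:49
2021-06-03 11:50:59,390 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 198.51.100.11
2021-06-03 11:51:52,682 fail2ban.actions        [545178]: NOTICE  [sshd] Ban 203.0.113.3
2021-06-03 12:00:10,001 fail2ban.actions        [545178]: NOTICE  [nginx-http-auth] Ban 198.51.100.7
2021-06-03 12:20:48,900 fail2ban.actions        [545178]: NOTICE  [sshd] Unban 192.0.2.10
2021-06-03 12:30:00,000 fail2ban.actions        [545178]: NOTICE  [sshd] Restore Ban 198.51.100.11'

# Print "jail ip" for every address still banned at the end of the input.
# A Ban (or a "Restore Ban", written when fail2ban reloads its ban
# database at startup) adds the pair; a later Unban removes it again.
# jail_of() strips everything up to the last "[" and from "]" onwards,
# leaving the jail name; POSIX awk has no capture groups, hence two sub()s.
currently_banned() {
    awk '
        function jail_of(line) { sub(/^.*\[/, "", line); sub(/\].*$/, "", line); return line }
        / fail2ban\.actions / && /\] (Restore )?Ban [0-9A-Fa-f.:]+$/ { banned[jail_of($0) " " $NF] = 1 }
        / fail2ban\.actions / && /\] Unban [0-9A-Fa-f.:]+$/          { delete banned[jail_of($0) " " $NF] }
        END { for (k in banned) print k }
    ' | sort
}

# Count fresh bans per jail. Restore Ban lines are deliberately excluded:
# they replay old decisions and would inflate the figure after a restart.
ban_counts() {
    awk '
        function jail_of(line) { sub(/^.*\[/, "", line); sub(/\].*$/, "", line); return line }
        / fail2ban\.actions / && /\] Ban [0-9A-Fa-f.:]+$/ { n[jail_of($0)]++ }
        END { for (j in n) print j, n[j] }
    ' | sort
}

# On the host itself the authoritative view is fail2ban's own state, which
# also covers bans it restored from its database before this log began.
# iptables -n skips the reverse-DNS lookups that make plain -L slow and
# turn addresses into hostnames; fail2ban's chain is named f2b-<jail>.
live_status() {
    jail="${1:-sshd}"
    fail2ban-client status "$jail"
    iptables -nL "f2b-$jail"
}

# Demo on the constructed sample.
printf '%s\n' "$LOG_SAMPLE" | currently_banned
printf '%s\n' "$LOG_SAMPLE" | ban_counts
```

Run against the real file with currently_banned < /var/log/fail2ban.log; on a rotated log remember that bans whose Ban line is in the previous file but whose Unban is not yet written will be missing, which is why live_status is the check to trust on the box itself.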
Alternatively use iptables -L for the current state of the firewall. fail2ban keeps its rules in one chain per jail (f2b-sshd here), reached from INPUT only for that jail's ports, so the REJECT rules below apply to ssh traffic from those sources and nothing else; reject-with icmp-port-unreachable is the default of the iptables-multiport action. Plain iptables -L resolves every address through reverse DNS, which is why some entries appear as hostnames or as no-data; iptables -nL f2b-sshd skips the lookups and prints just that chain.

long list follows!
only selected extracts displayed here for security reasons…

root@gemini:/etc/fail2ban# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
...        ...  ... ...

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
...        ...  ... ...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
...        ...  ... ...

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  68.183.84.221        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  139.59.39.185        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  193.122.111.58       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  produccion.nitrowin.com-1508949338069-2gb-nyc1-01  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  139.155.255.231      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  49.232.221.113       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  129.204.202.109      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  187.114.200.35.bc.googleusercontent.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  no-data              anywhere             reject-with icmp-port-unreachable
REJECT     all  --  102.36.164.141       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  120.48.29.61         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  161.35.235.27        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  139.59.26.6          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  129.28.169.194       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  40.87.131.147        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  213.230.107.202      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

... other chains not displayed here for security reasons ...