Debian Tutorials

Debian Tutorials


Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

December 2024
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Categories


Prevent brute force attacks using fail2ban

Ástþór IPÁstþór IP

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log

Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18

3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24

Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart

Comments 5
  • steve
    Posted on

    steve steve

    Author

    How about going a little further and showing how to permanently allow an IP so we will be able to ssh to the box and not lock ourself out?


  • aip
    Posted on

    aip aip

    Author

    Good point steve. I’ve modified the tutorial to show how to do this.


  • Peter
    Posted on

    Peter Peter

    Author

    It’s also quite easy to write your own rules if you’re familiar with Posix regular expressions. This guide ( http://penguinapple.blogspot.com/2010/12/installing-fail2ban-other-step-in.html ) got me started and I wrote a bunch of custom rules to fit my needs.


  • Jeff
    Posted on

    Jeff Jeff

    Author

    You should make those changes in jail.local instead of jail.conf. If you update fail2ban it will overwrite the jail.conf with the risk of locking yourself out if something went wrong, because fail2ban isn’t configured with your ignorelist anymore.


  • Hervé
    Posted on

    Hervé Hervé

    Author

    It is safer to copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and modify the latter.
    By doing this way, you can install new versions of configuration files without losing your changes.