Fail2ban crash course

Just install fail2ban and the default settings will keep you protected just fine: after five failed login attempts, the IP address of the offending login will be blocked for 10 minutes using iptables.

# apt-get install fail2ban

If you wish to keep tabs on what is happening you can always tail the logfile:

# tail -f /var/log/fail2ban.log
... fail2ban.filter         [2374]: INFO    [sshd] Found 10.0.0.2 - 2022-09-14 22:08:01
... fail2ban.filter         [2374]: INFO    [sshd] Found 10.0.0.2 - 2022-09-14 22:08:05
... fail2ban.filter         [2374]: INFO    [sshd] Found 10.0.0.2 - 2022-09-14 22:08:08
... fail2ban.filter         [2374]: INFO    [sshd] Found 10.0.0.2 - 2022-09-14 22:08:16
... fail2ban.filter         [2374]: INFO    [sshd] Found 10.0.0.2 - 2022-09-14 22:08:20
... fail2ban.actions        [2374]: NOTICE  [sshd] Ban 10.0.0.2
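To make the ban decision in that log excerpt reproducible offline, here is an added example (not fail2ban's own code) that models the default sshd jail: maxretry 5 and bantime 10 minutes as stated above, plus fail2ban's default findtime of 10 minutes, which is an assumption of the model. The sample log lines are constructed to match the "Found" lines above, and the Jail class, replay() and parse_ts() helpers are names chosen for this example. The ignoreip parameter plays the role of the whitelist drop-in shown at the end of the page.

```python
"""Model of fail2ban's sliding-window ban logic, replayed over sample log lines.

Added example, not fail2ban's own code. Assumes the defaults maxretry=5,
findtime=10m and bantime=10m; findtime is not mentioned in the text above.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the fail2ban.filter "Found" lines shown above.
SAMPLE_LOG = """\
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.2 - 2022-09-14 22:08:01
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.2 - 2022-09-14 22:08:05
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.2 - 2022-09-14 22:08:08
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.2 - 2022-09-14 22:08:16
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.2 - 2022-09-14 22:08:20
"""

# Constructed sample: four failures, then a fifth well outside findtime.
SLOW_LOG = """\
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.9 - 2022-09-14 22:00:00
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.9 - 2022-09-14 22:01:00
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.9 - 2022-09-14 22:02:00
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.9 - 2022-09-14 22:03:00
fail2ban.filter [2374]: INFO [sshd] Found 10.0.0.9 - 2022-09-14 22:15:00
"""

FOUND_RE = re.compile(
    r"\[(?P<jail>[\w-]+)\] Found (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_ts(text):
    """Parse the timestamp format fail2ban writes in its log lines."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class Jail:
    """Per-IP failure counter with a findtime window and timed bans."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10), ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignoreip = set(ignoreip)  # addresses never counted or banned
        self.failures = {}             # ip -> failure timestamps inside findtime
        self.ban_until = {}            # ip -> datetime at which the ban expires

    def is_banned(self, ip, now):
        return ip in self.ban_until and now < self.ban_until[ip]

    def observe(self, ip, ts):
        """Record one failure; return the ban expiry if this failure triggers a ban."""
        if ip in self.ignoreip or self.is_banned(ip, ts):
            return None
        # Keep only failures still inside the findtime window, then add this one.
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.ban_until[ip] = ts + self.bantime
            self.failures[ip] = []  # counter starts over once the ban is issued
            return self.ban_until[ip]
        return None


def replay(log_text, jail):
    """Feed every 'Found' line to the jail; return [(ip, 'YYYY-MM-DD HH:MM:SS'), ...] for each ban."""
    bans = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if not m:
            continue
        if jail.observe(m["ip"], parse_ts(m["ts"])) is not None:
            bans.append((m["ip"], m["ts"]))
    return bans


if __name__ == "__main__":
    jail = Jail()
    for ip, when in replay(SAMPLE_LOG, jail):
        print(f"NOTICE [sshd] Ban {ip} at {when}")  # mirrors the fail2ban.actions line
```

Running it prints one ban for 10.0.0.2 at 22:08:20, the fifth failure inside the window; the SLOW_LOG sample never reaches five failures within findtime and so is never banned, which is the reason slow, spread-out attempts do not show up in the Banned IP list.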

Status of fail2ban can be shown with the following command:

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     13
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     2
   `- Banned IP list:   200.111.119.58

Unbanning an IP can be done with this command:

# fail2ban-client set sshd unbanip 196.216.253.24
1

If you wish to ignore one or more addresses create a file /etc/fail2ban/jail.d/whitelist.conf with the following command:

# echo -e '[DEFAULT]\nignoreip = 62.69.153.125' > /etc/fail2ban/jail.d/whitelist.conf

And restart fail2ban:

# systemctl restart fail2ban.service