The usual disclaimer applies. Use at your own risk. This post applies to Ubuntu systems but should work on most other distros too. A detailed explanation of fail2ban and its capabilities and functionality is out of scope here, but we suggest you visit the developers’ project home page, which is full of useful information. It has the official manual but also some very useful user-generated filters.
This will be obvious to many, but it bears pointing out: don’t edit the default config files of your system tools and apps when you can override the settings you care about with a custom config file.
Not only does this neatly present, in one place, all the customizations you made to an application’s configuration, it also makes updates and upgrades smoother: you can accept the latest default config from the developers without losing your own customized settings.
For fail2ban the default config that defines most of its behavior is in jail.conf.
To override and customize it you use a file named jail.local – configuration settings in the jail.local file will take precedence over the same item in the jail.conf file.
So for a system with ssh access this would be a good start:
sudo vi /etc/fail2ban/jail.local

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 3000
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 400
maxretry = 5

[ssh]
enabled = true
port = ssh,7022
filter = sshd
logpath = /var/log/auth.log
maxretry = 4

[ssh-ddos]
enabled = true
port = ssh,7022
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 4

# Make sure that the loglevel specified in fail2ban.conf/.local
# is not DEBUG: that would cause an infinite loop, since this jail
# watches fail2ban's own log.
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 259200 ; 3 days
maxretry = 10
You could also define under [DEFAULT] some “safe hosts” that are never banned, using the ignoreip = setting. It accepts, for example, IPv4 and IPv6 addresses or subnets. See the jail.conf file, at around line 89, for a more detailed description of its capabilities.
One final important thing to remember is to turn off repeat message suppression (a.k.a. message condensation) in syslog, so that fail2ban sees every fast repeated login attempt as its own log line rather than a single condensed one it cannot count.
First ensure syslog forwarding is enabled for systemd:
sudo vi /etc/systemd/journald.conf

# Edit journald.conf to forward journal logs to syslog
# (the setting lives in the [Journal] section)
[Journal]
ForwardToSyslog=yes
Then complete the three steps below:
- Open /etc/rsyslog.conf
- Find the line $RepeatedMsgReduction on and change on to off
- After that, restart rsyslog and fail2ban
So a single “last message repeated N times” line becomes the N separate messages it stood for.
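To make the findtime/maxretry logic of the [ssh] jail above concrete, and to show why the repeat-message suppression just described matters, here is an added Python example (not part of the original post and not fail2ban’s own code) that replays constructed auth.log lines through a simplified stand-in for the sshd filter. The year assumed for the timestamps and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd "Failed password" lines as they appear in /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_ts(stamp, year=2024):
    # auth.log stamps carry no year; an assumed one makes them comparable.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def banned_hosts(lines, findtime=400, maxretry=4):
    """IPs reaching maxretry failures inside a sliding findtime-second window ([ssh] jail defaults above)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            # "last message repeated N times" names no IP, so it is skipped,
            # just as fail2ban's sshd filter cannot attribute it to a host.
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample logs (addresses from the documentation ranges, not real hosts).
VERBOSE = [  # what auth.log holds with RepeatedMsgReduction off
    "Jan 10 12:00:01 srv sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 12:00:03 srv sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 12:00:05 srv sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 12:00:07 srv sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 12:10:00 srv sshd[3200]: Failed password for root from 198.51.100.9 port 50002 ssh2",
]
CONDENSED = [  # the same events with RepeatedMsgReduction on
    VERBOSE[0],
    "Jan 10 12:00:07 srv sshd[3101]: last message repeated 3 times",
    VERBOSE[4],
]

if __name__ == "__main__":
    print("verbose log bans:  ", banned_hosts(VERBOSE))    # {'203.0.113.5'}
    print("condensed log bans:", banned_hosts(CONDENSED))  # set()
```

With suppression on, the four failures from 203.0.113.5 collapse to one countable line and the host is never banned; the same events logged individually trip maxretry within findtime.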
And now you know! Because knowing is half the battle…