Block Network Probes using Fail2Ban

Requirements for fail2ban

  • Debian/Ubuntu or CentOS installed Linux Server
  • Fail2Ban installation on a server

Configure Fail2Ban

As it is made clear in installation instructions of Fail2Ban, you have to make a local copy of the configuration file and set all our custom changes in the configuration file.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
SSH is monitored by default by Fail2Ban. Code which takes part in SSH monitoring in fail2Ban is in the jail.local file look like the sample code below:

  • Ubuntu/Debian:


enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

  • CentOS:


enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=root, [email protected], sendername=”Fail2Ban”]
logpath = /var/log/secure
maxretry = 5

In order to enable the monitoring for any other service, you need to change the “enabled” option to “true”. You will also need to configure the other options correctly, since fail2ban blocking is based on the information gathered from the specific service’s log.

Basic explanation of the options for every service in the jail.conf/jail.local file:

  • enabled – if set to true, the monitoring for this service is enabled.
  • filter – this is the file in /etc/fail2ban/filters.d/ which will be read for the specific server. For SSH the file is /etc/fail2ban/filters.d/sshd.conf. It contains the rules that are being followed in the sshd log. For example, the login failure via SSH looks like this in the secure log:

Failed password for root from port 12721 ssh2
The filter has rules based on regular expressions matching:
Failed .* for .* from port \d.*
Once there are more failed attempts from the same that the allowed ones, it gets blocked.

– action – this specifies the file which contains the action rules (the rules which define what actions should be taken in a specific situation). In our case the file is /etc/fail2ban/action.d/iptables.conf.

– logpath – this is the path to the log that will be monitored. It is very important to set the correct path, otherwise our Fail2Ban won’t be working properly.

– maxretry – this value defines what will be the maximum count of failed attempts before an IP gets blocked.

Sample configuration

In this tutorial we will provide an example for configuring an additional monitor, other than the already enabled SSH one. We will configure Fail2Ban to monitor for FTP login failures and block the IPs that they are coming from.

For that purpose we have installed and configured ProFTPD on our server

Open the jail.local file with a text editor:
vim /etc/fail2ban/jail.local
Locate the part that is responsible for proFTPD service:

  • For CentOS:

enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

  • For Ubuntu/Debian:

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
We will need to set the following option for all distributions:
enable = true

  • For CentOS:

We need to change the log path, because by default the login information from FTP can be found in /var/log/secure:

  • For Ubuntu/Debian:

We will leave the logpath as it is, since on these two distributions the proftpd creates the log file and writes to it.

– maxretry – This is custom option and depends on your preference.

Save the file and quit the text editor. We will need to restart the fail2ban service after the changes we have made:
/etc/init.d/fail2ban restart
Our changes should take effect after the restart and our additional service will be monitored.

Managing Fail2Ban

In order to manage Fail2ban easily, we will provide some basic commands that can be used to perform an action or view some information.

– fail2ban-client status – the command provides information about the active Jails. In this context Jail means “service which is monitored by fail2ban”. Sample output of the command can be found below:
|- Number of jail: 2
`- Jail list: proftpd, ssh
In this case, we have 2 active Jails: proftpd and ssh. This is a useful command if you need to know the Jail name or, for example, which are the active jails.

fail2ban-client set JAIL_NAME banip IP_ADDRESS – the command can be used to manually ban an IP address. For example:
fail2ban-client set proftpd banip 111.222.333.444
This command will restrict the access of IP 111.222.333.444 to the FTP port of your server.

fail2ban-client set JAIL_NAME unbanip IP_ADDRESS – the command is used to manually unban an IP address. There is a default time set in the Fail2Ban configuration after which the IP addresses are unblocked automatically. However, if you want to unblock an IP before this is done automatically, you can do it with this command. Example:
fail2ban-client set proftpd unbanip
This will unblock the IP from your server and it will have access to the FTP port again.

fail2ban-client -h – This is the “help” command which will provide information about all available fail2ban -client comments

Alternative way to manage Fail2Ban

You can manage blocking and unblocking of IPs manually using the iptables service of your server. However, make sure that you restart the fail2ban service after every change you make in the firewall to avoid any issues. If you block/unblock an IP directly from iptables, fail2ban will not aware of that. This can cause some issues, especially when you unblock IPs manually. In this case fail2ban will still consider the IP as blocked, and won’t block it again.

Once an IP is blocked by fail2ban, the rule added in the iptables looks like that:
iptables -nL

Chain fail2ban-ProFTPD (1 references)
target prot opt source destination
REJECT all — reject-with icmp-port-unreachable
RETURN all —
To unblock an IP, you can use the following command:
In our case the command will be:
iptables -D fail2ban-ProFTPD -s -j REJECT
After we execute it, we need to save and restart the iptables:

– For CentOS:
/etc/init.d/iptables save

/etc/init.d/iptables restart
– For Ubuntu/Debian
And finally, restart the fail2ban service:
/etc/init.d/fail2ban restart

Was this post helpful?

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.