Ignore IP Addresses in Fail2Ban
Fail2Ban, Security, Sysadmin
Fail2Ban can help protect your Linux server from attack. It’s a Python package that monitors log files and dynamically adjusts firewall rules to block malicious IP addresses.
You can set (or use pre-configured) Python regexes - in Fail2Ban parlance, ‘filters’ - to determine malicious requests. If Fail2Ban detects a particular frequency of the filter regex in a specified log file, an iptables rule is dynamically generated that bans the abusive IP address for a set period of time.
Fail2Ban Config
Fail2Ban can be configured with actions that determine the exact behaviour for a given ‘jail’. In this way, responses to particular actions can be fine-tuned. For example, you could configure Fail2Ban to trigger a ban for the originating IP address:
- After 3 failed SSH login attempts over a 10 minute period
- After a single attempt at user-enumeration - in the context of WordPress, this type of request is almost certainly malicious
- After 6 failed submissions over a five minute period on a public-facing user login form
In Ubuntu 16.04, the main configuration file is /etc/fail2ban/jail.conf. You should not edit this file directly, as your customisations will be overwritten on upgrade. Instead, extend the configuration by either:
- Adding override rules to a /etc/fail2ban/jail.local file
- Adding config rules on a file-by-file basis in the /etc/fail2ban/jail.d directory, using the .conf suffix
The config files should reference filters, which determine the target regexes. There is a wide range of pre-configured filters available in /etc/fail2ban/filter.d.
Override IP Addresses
Fail2Ban allows you to list IP addresses which should be ignored. This can be useful for testing purposes, and can help avoid locking clients (or yourself) out unnecessarily.
To achieve this, just add ignoreip = 127.0.0.1/8 x.x.x.x y.y.y.y to the relevant action (the jail section), with the addresses separated by spaces.
Note that if you add an ignoreip line to a specific action, it overrides the default value: the child action replaces the ignoreip rule from the [DEFAULT] section rather than merging the IP addresses, so any address you still want ignored must be repeated there.
Example jail.local
The code below defines actions in a single file. You don’t need to copy across the entire /etc/fail2ban/jail.conf file - just extend the necessary sections.
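The following jail.local is an added example written for this page, not the original post's own file; it covers the SSH rule from the list above and shows the ignoreip override behaviour. The addresses 192.0.2.10 and 198.51.100.5 are RFC 5737 documentation placeholders, and sshd is the stock filter shipped in /etc/fail2ban/filter.d.

```ini
# /etc/fail2ban/jail.local (added example; not from the original post)
# Only the sections and keys that differ from jail.conf need to appear here.

[DEFAULT]
# Addresses that are never banned: loopback plus an admin host.
# 192.0.2.10 is a documentation placeholder; substitute your own address.
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
# Ban after 3 failed SSH logins within the 10 minute findtime inherited from DEFAULT.
enabled  = true
filter   = sshd
port     = ssh
logpath  = /var/log/auth.log
maxretry = 3
# This key REPLACES the DEFAULT ignoreip list; it is not merged with it.
# 192.0.2.10 must be repeated here, otherwise this jail can ban it.
# 198.51.100.5 is a second placeholder, ignored only by the sshd jail.
ignoreip = 127.0.0.1/8 192.0.2.10 198.51.100.5
```

After saving, `sudo fail2ban-client reload` applies the change and `sudo fail2ban-client get sshd ignoreip` prints the effective list for that jail, which is a quick way to confirm that the override, not a merge, took effect.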