Fail2Ban can help protect your Linux server from attack. It’s a Python package that monitors log files and dynamically adjusts firewall rules to block malicious IP addresses.
You can set (or use pre-configured) Python regexes - in Fail2Ban parlance, ‘filters’ - to determine malicious requests. If Fail2Ban detects a particular frequency of the filter regex in a specified log file, an iptables rule is dynamically generated that bans the abusive IP address for a set period of time.
Fail2Ban can be configured with actions that determine the exact behaviour for a given ‘jail’, so the response to each kind of abuse can be fine-tuned. For example, you could configure Fail2Ban to trigger a ban for the originating IP address:
- After 3 failed SSH login attempts over a 10 minute period
- After a single attempt at user-enumeration - in the context of WordPress, this type of request is almost certainly malicious
- After 6 failed submissions over a five minute period on a public-facing user login form
In Ubuntu 16.04, the main configuration file is /etc/fail2ban/jail.conf. You should not edit this file, as your customisations will be overwritten on upgrade. Instead, extend the configuration by either:
- Adding override rules to a
- Adding config rules on a file-by-file basis in the /etc/fail2ban/jail.d directory, with the
The config files should reference filters, which determine the target regexes. There is a wide range of pre-configured regexes available here:
Override IP Addresses
Fail2Ban allows you to list IP addresses which should be ignored. This can be useful for testing purposes, and can help avoid locking clients (or yourself) out unnecessarily.
To achieve this, just add ignoreip = 127.0.0.1/8 x.x.x.x y.y.y.y to the relevant action.
Note that if you add a specific IP address to an action, it will override the default value. The child action overwrites the ignoreip rule - it does not merge IP addresses.
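To make the filter, maxretry/findtime and ignoreip behaviour concrete, here is an added Python sketch (not Fail2Ban's own code, and a simplification of it): a cut-down sshd failregex is run over constructed auth.log lines, hits per IP are counted inside a sliding findtime window, and ignoreip is applied as a replacement list rather than a merge, as described above. The syslog timestamp format and the regex are assumptions that match the constructed sample lines only.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Fail2Ban filters use <HOST> as a placeholder; an IPv4-only pattern stands in
# for it here (real Fail2Ban also matches hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified sshd failregex (assumption: matches the constructed lines below).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+"
)
EPOCH = datetime(2000, 1, 1)  # arbitrary fixed reference for time deltas

# Constructed sample auth.log lines, not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2
Mar  1 10:02:10 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  1 10:03:30 host sshd[102]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
Mar  1 10:04:45 host sshd[103]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar  1 10:05:00 host sshd[104]: Failed password for root from 127.0.0.1 port 4003 ssh2
Mar  1 10:05:01 host sshd[105]: Failed password for root from 127.0.0.1 port 4004 ssh2
Mar  1 10:05:02 host sshd[106]: Failed password for root from 127.0.0.1 port 4005 ssh2
Mar  1 10:30:00 host sshd[107]: Failed password for root from 192.0.2.9 port 4006 ssh2
Mar  1 10:50:00 host sshd[108]: Failed password for root from 192.0.2.9 port 4007 ssh2
Mar  1 11:10:00 host sshd[109]: Failed password for root from 192.0.2.9 port 4008 ssh2
"""


def scan(log, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8",)):
    """Return the set of IPs a jail with these settings would ban.

    ignoreip is used as given: passing a list replaces the default entirely,
    mirroring how a jail-level ignoreip overrides rather than merges.
    """
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(deque)  # ip -> timestamps of recent matches
    banned = set()
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # line does not match the filter
        ip = ipaddress.ip_address(m.group("host"))
        if any(ip in net for net in ignored):
            continue  # ignoreip is checked before any counting
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2000)
        seconds = (stamp - EPOCH).total_seconds()
        window = hits[ip]
        window.append(seconds)
        while seconds - window[0] > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned.add(str(ip))
    return banned
```

With the defaults (3 failures in 10 minutes) only 203.0.113.5 is banned; 192.0.2.9 fails three times but spread over 40 minutes, and 127.0.0.1 is skipped by ignoreip. Setting ignoreip to another list drops the loopback exemption entirely.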
The code below defines actions in a single file. You don’t need to copy across the entire /etc/fail2ban/jail.conf file - just extend the necessary sections.