Dev Notes

Various Cheat Sheets and Resources by David Egan/Carawebs.

Ignore IP Addresses in Fail2Ban

Fail2Ban, Security, Sysadmin
David Egan

Fail2Ban can help protect your Linux server from attack. It’s a Python package that monitors log files and dynamically adjusts firewall rules to block malicious IP addresses.

You can set (or use pre-configured) Python regexes - in Fail2Ban parlance, ‘filters’ - to determine malicious requests. If Fail2Ban detects a particular frequency of the filter regex in a specified log file, an iptables rule is dynamically generated that bans the abusive IP address for a set period of time.

Fail2Ban Config

Fail2Ban can be configured with actions that determine the exact behaviour for a given ‘jail’. In this way, responses to particular actions can be fine-tuned. For example, you could configure Fail2Ban to trigger a ban for the originating IP address:

  • After 3 failed SSH login attempts over a 10 minute period
  • After a single attempt at user-enumeration - in the context of WordPress, this type of request is almost certainly malicious
  • After 6 failed submissions over a five minute period on a public-facing user login form

In Ubuntu 16.04, the main configuration file is /etc/fail2ban/jail.conf. You should not edit this, as your customisations will be over-written on upgrade. Instead, extend the configuration by either:

  • Adding override rules to a /etc/fail2ban/jail.local file
  • Adding config rules on a file-by-file basis in the /etc/fail2ban/jail.d directory, with the .conf suffix

The config files should reference filters - which determine the target regexes. There are a wide range of pre-configured regexes available here: /etc/fail2ban/filter.d.

Override IP Addresses

Fail2Ban allows you to list IP addresses which should be ignored. This can be useful for testing purposes, and can help avoid locking clients (or yourself) out unecessarily.

To achieve this, just add ignoreip = x.x.x.x y.y.y.y to the relevant action.

Note that if you add a specific IP address to an action, it will override the default value. The child action overwrites the ignoreip rule - it does not merge IP addresses.

Example jail.local

The code below defines actions in a single file. You don’t need to copy across the entire /etc/fail2ban/jail.conf file - just extend the necessary sections.

# File: /etc/fail2ban/jail.local

# Fail2ban overrides
# These rules override `/etc/fail2ban/jail.conf`.
# =============================================================

# Ban bad hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
# Emails
destemail =
sendername = Fail2Ban_Archimedes
mta = mail
# Action
action = %(action_mwl)s
# List of safe IP addresses
ignoreip = x.x.x.x

# ============================================================
# Jails Enabled
# ============================================================

# sshd jail is already enabled by default, so this isn't strictly necessary
enabled = true
bantime  = 36000
# Override the default value - overwrites, does not merge
ignoreip = x.x.x.x y.y.y.y

enabled  = true
port     = 9999
# Use a pre-configured filter
filter   = sshd
bantime  = 36000
logpath  = /var/log/auth.log
maxretry = 6
ignoreip = x.x.x.x y.y.y.y

# For WordPress jails, you need to configure WordPress to write to the specified log.
# You also need to create appropriate filters e.g. `/etc/fail2ban/filter.d/wordpress-hard.conf`.

# This jails IP addresses that are certainly malicious (e.g. trying to enumerate users)
enabled = true
filter = wordpress-hard
bantime  = 36000
logpath = /var/log/auth.log
maxretry = 1
port = http,https

# Softer jail - allows users to retry their logins
enabled = true
filter = wordpress-soft
bantime  = 36000
logpath = /var/log/auth.log
maxretry = 3
port = http,https


comments powered by Disqus