The Fail2ban Configuration Process
In this next part of the tutorial, you’ll find a number of examples exploring popular Fail2ban configurations that use the fail2ban.local and jail.local files. Fail2ban reads the .conf configuration files first, and the .local files then override any settings defined there. As a result, configuration adjustments are usually made in the .local files while the .conf files remain untouched.
How to Configure fail2ban.local
fail2ban.conf carries the default configuration profile, and these standard settings offer a decent working setup. However, if you would prefer to make any edits, you should do this in a separate file (fail2ban.local), which overrides fail2ban.conf. Start by copying fail2ban.conf to fail2ban.local:
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
From this point, you may adjust the definitions located within fail2ban.local to align with the configuration you want to set up. You can change the following values:
- loglevel: sets the detail level of the Fail2ban logs to 1 (error), 2 (warn), 3 (info), or 4 (debug).
- logtarget: logs actions to a defined file (the default value, /var/log/fail2ban.log, collects all logging). Alternatively, you can change this value.
- socket: the socket file’s location.
- pidfile: the PID file’s location.
How to Configure the Fail2ban Backend
By default, the jail.conf file enables Fail2ban for SSH on Debian and Ubuntu, though not on CentOS. Alternative protocols and configurations (such as FTP, HTTP, and so on) are commented out. You can adjust this if you wish. You’ll need to make a jail.local for editing:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Do you use Fedora or CentOS? You’ll have to switch the backend option in jail.local from auto to systemd. Be aware, though, that this isn’t needed on Debian 8 or Ubuntu 16.04, despite both being capable of using systemd too.
File: /etc/fail2ban/jail.local
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
. . .
backend = systemd
Please be aware:
When the backend is set to auto, Fail2ban monitors log files using pyinotify first, then tries gamin. If neither is available, it falls back to a polling algorithm.
By default, no jails are enabled in CentOS 7. For instance, if you wish to enable the SSH daemon jail, uncomment these lines in jail.local:
File: /etc/fail2ban/jail.local
[sshd]
enabled = true
How to Configure Fail2ban jail.local
Want to familiarize yourself with the settings available in Fail2ban? Start by opening your jail.local file and locating the available settings:
File: /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = root@localhost
sendername = Fail2Ban
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)...
action_mw = %(banaction)...
protocol="%(protocol)s"...
action_mwl = %(banaction)s...
Let’s consider an example. If you switch the usedns setting to no, Fail2ban will not use reverse DNS when applying its bans; it bans the IP address instead. When set to warn, Fail2ban performs a reverse lookup to find the hostname and uses that to initiate the ban.
What does the chain setting relate to? It is the iptables chain into which the ban actions insert their jumps; by default this is the INPUT chain. If you want to learn more about iptables chains, feel free to check out our comprehensive What is iptables resource.
How to Configure Fail2ban Chain Traffic Drop
If you want to look at your Fail2ban rules, use iptables’ --line-numbers option:
iptables -L f2b-sshd -v -n --line-numbers
You should see an output that’s similar:
Chain fail2ban-SSH (1 references)
num pkts bytes target prot opt in out source destination
1 19 2332 DROP all -- * * 192.0.0.0 0.0.0.0/0
2 16 1704 DROP all -- * * 192.0.0.1 0.0.0.0/0
3 15 980 DROP all -- * * 192.0.0.2 0.0.0.0/0
4 6 360 DROP all -- * * 192.0.0.3 0.0.0.0/0
5 8504 581K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
If you would like to, you may use the iptables -D chain rulenum command to remove a rule that has been applied to a specific IP address. Swap rulenum with the rule number for that IP address found in the num column. For instance, you can remove the IP address 192.0.0.1 by issuing this command:
iptables -D fail2ban-SSH 2
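To make the num-column lookup less error-prone, here is an added Python example (not part of the original tutorial) that parses a constructed --line-numbers listing shaped like the one above, finds the rule numbers for the banned addresses you name, and emits the matching iptables -D commands in an order that is safe to run; the chain name fail2ban-SSH and the sample addresses are taken from the listing above.

```python
# Constructed sample of `iptables -L f2b-sshd -v -n --line-numbers` output,
# shaped like the listing above (not captured from a live host).
IPTABLES_LISTING = """\
Chain fail2ban-SSH (1 references)
num   pkts bytes target  prot opt in  out source     destination
1       19  2332 DROP    all  --  *   *   192.0.0.0  0.0.0.0/0
2       16  1704 DROP    all  --  *   *   192.0.0.1  0.0.0.0/0
3       15   980 DROP    all  --  *   *   192.0.0.2  0.0.0.0/0
4        6   360 DROP    all  --  *   *   192.0.0.3  0.0.0.0/0
5     8504  581K RETURN  all  --  *   *   0.0.0.0/0  0.0.0.0/0
"""


def parse_drop_rules(listing):
    """Return [(rulenum, source)] for every DROP rule in a --line-numbers listing.
    Columns: num pkts bytes target prot opt in out source destination."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the chain header, the column header and the trailing RETURN rule.
        if len(fields) < 10 or not fields[0].isdigit() or fields[3] != "DROP":
            continue
        rules.append((int(fields[0]), fields[8]))
    return rules


def delete_commands(listing, chain, ips):
    """Build the `iptables -D <chain> <rulenum>` commands that remove the rules
    for the given addresses. iptables renumbers the remaining rules after each
    deletion, so the commands are ordered highest rule number first: run them
    top to bottom and every number still points at the intended rule."""
    wanted = set(ips)
    nums = sorted((num for num, src in parse_drop_rules(listing) if src in wanted),
                  reverse=True)
    return [f"iptables -D {chain} {num}" for num in nums]


if __name__ == "__main__":
    for cmd in delete_commands(IPTABLES_LISTING, "fail2ban-SSH", ["192.0.0.1", "192.0.0.3"]):
        print(cmd)
```

Removing a rule by hand changes only the firewall; Fail2ban’s own record of the ban is not updated.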
How to Configure Ban Time and Retry Amount in Fail2Ban
Set bantime, findtime, and maxretry to configure a ban’s circumstances and the amount of time it lasts:
File: /etc/fail2ban/jail.local
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
- findtime: the time window within which failed login attempts are counted before a ban is implemented. As an example, let’s say Fail2ban is set to ban an IP following four (4) failed login attempts. These four attempts must take place within the predefined findtime limit of 10 minutes; the findtime value is given in seconds.
- maxretry: to determine whether a ban is justified, Fail2ban uses findtime and maxretry together. Should the number of attempts be higher than the limit set at maxretry and fall within the findtime window, Fail2ban sets a ban. The default is 3.
- bantime: the duration (in seconds) for which an IP is banned; a negative number makes the ban permanent. The default value is 600, which bans an IP for 10 minutes.
How to Configure ignoreip for Fail2ban
You can add specific IPs you wish to ignore to the ignoreip line. The localhost is not banned by default. Adding to the ignore list may be to your benefit if you frequently work from a single IP address:
File: /etc/fail2ban/jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 123.45.67.89
- ignoreip: with this setting, you define which IP addresses are excluded from Fail2ban rules. Add specific IPs you want to ignore to the ignoreip configuration (as in the example). The localhost is not banned by default. If you regularly work from a single IP address, you may want to add it to the ignore list.
Want to whitelist IPs only for specific jails? Use the fail2ban-client command. Just switch JAIL with your jail’s name, and 192.0.0.1 with the IP you intend to whitelist.
fail2ban-client set JAIL addignoreip 192.0.0.1
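As an added example (not from the original tutorial), the following Python replays a constructed list of failed logins through the findtime/maxretry/bantime rules from the previous section together with the ignoreip list from this one, so you can see which addresses end up banned and when. The timestamps and addresses are made up, and DNS-host entries in ignoreip are not resolved.

```python
import ipaddress

# Constructed sample of failed logins: (seconds since start, source IP).
FAILURES = [
    (0, "203.0.113.5"),
    (100, "203.0.113.5"),
    (200, "203.0.113.5"),    # third failure within 600 s: banned at t=200
    (0, "198.51.100.7"),
    (700, "198.51.100.7"),
    (1400, "198.51.100.7"),  # never 3 failures inside one findtime window
    (0, "127.0.0.1"),
    (1, "127.0.0.1"),
    (2, "127.0.0.1"),        # covered by ignoreip, never banned
]


def is_ignored(ip, ignoreip):
    """True if ip matches any ignoreip entry (single address or CIDR mask).
    DNS host entries, which fail2ban also accepts, are not resolved here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip)


def ban_decisions(failures, findtime=600, maxretry=3, bantime=600,
                  ignoreip=("127.0.0.1/8",)):
    """Return {ip: (ban_start, ban_end)} for each IP's first ban.
    ban_end is None when bantime is negative, i.e. the ban is permanent."""
    bans = {}
    recent = {}  # ip -> failure timestamps still inside the findtime window
    for ts, ip in sorted(failures):
        if is_ignored(ip, ignoreip) or ip in bans:
            continue
        # Drop failures older than findtime, then count this one.
        window = [t for t in recent.get(ip, []) if ts - t < findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:  # the maxretry-th failure triggers the ban
            bans[ip] = (ts, None if bantime < 0 else ts + bantime)
    return bans


if __name__ == "__main__":
    for ip, (start, end) in ban_decisions(FAILURES).items():
        until = "forever" if end is None else f"t={end}s"
        print(f"{ip}: banned at t={start}s until {until}")
```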
How to Set up Fail2ban Email Alerts
You may want to get email alerts whenever something triggers Fail2ban. You can do this by changing the email settings:
- destemail: the address at which you want to receive the emails.
- sendername: the name attributed to the email.
- sender: the address from which Fail2ban sends emails.
Please be aware:
If you’re not sure what to put under sender, run the command sendmail -t [email protected], switching [email protected] with your email address. Look at your email, along with spam folders if required, and check the sender address. You can use that address for the configuration above.
You also need to edit the action setting. This defines the actions taken when the ban threshold is met. The default, %(action_)s, only bans the user. %(action_mw)s bans and sends an email including a WhoIs report. With %(action_mwl)s, a ban is implemented and an email with the WhoIs report (and any relevant lines from the log file) is sent. You can also adjust this on a jail-specific basis.
How to Configure Fail2ban banaction and ports
Outside of the basic settings addressed above, jail.local also has numerous jail configurations for multiple common services (such as iptables and SSH). Only SSH is enabled by default, and the action is to ban the problematic host/IP address by modifying the iptables firewall rules.
Expect the standard jail configuration to look like this:
File: /etc/fail2ban/jail.local
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
- banaction: defines the action taken when the threshold is met. If your firewall uses firewalld, set the value to firewallcmd-ipset. If it uses UFW, set the value to ufw.
- banaction_allports: blocks a remote IP on every port. If your firewall uses firewalld, set the value to firewallcmd-ipset.
- enabled: determines whether the filter is activated.
- port: the port that Fail2ban should reference for the service. If you use the default port, you can put the service name here. If you use a non-standard port, this must be the port number instead. E.g. if you changed your SSH port to 3775, you would replace ssh with that number.
- filter: the name of the file in /etc/fail2ban/filter.d containing the failregex information used to parse the log files correctly. You don’t need to include the .conf suffix.
- logpath: the location of the service’s logs.
- maxretry: overrides the global maxretry for the service you define. You may also add findtime and bantime.
- action: you may add this as an extra setting when the default action is inappropriate for the jail. You can find other actions in the action.d folder.
Please be aware:
You may choose to configure jails as individual .conf files within the jail.d directory, but the format stays the same.