Fail2ban Cheat Sheet for Sysadmins
Fail2ban is a critical tool for safeguarding servers against brute-force attacks by monitoring logs and banning malicious IPs. This cheat sheet provides the most important concepts and commands for managing Fail2ban effectively.
1. Core Concepts
- Jail: A Fail2ban unit that defines which logs to monitor, filter rules, and actions (e.g., banning an IP). Example: SSH protection with sshd.
- Filter: A regex-based rule set to identify bad behavior in logs.
- Action: The response triggered by Fail2ban (e.g., banning an IP using iptables).
- Ban Time: How long IPs stay banned (seconds).
- Max Retry: Maximum failed login attempts before banning an IP.
2. Service Management
Start Fail2ban service:
sudo systemctl start fail2ban
Stop Fail2ban service:
sudo systemctl stop fail2ban
Restart Fail2ban service (for major configuration changes):
sudo systemctl restart fail2ban
Reload Fail2ban service (for minor configuration changes):
sudo fail2ban-client reload
Enable Fail2ban at startup:
sudo systemctl enable fail2ban
Check Fail2ban service status:
sudo systemctl status fail2ban
3. Reload vs Restart
| Action | When to Use | Impact |
|---|---|---|
| fail2ban-client reload | Use for minor configuration changes like adjusting bantime, maxretry, or adding new jails. | Reloads the active configuration without disrupting bans. Active jails remain functional. |
| systemctl restart fail2ban | Use for major changes, like adjustments in /etc/fail2ban/fail2ban.conf, or when changing Fail2ban actions. | Fully restarts Fail2ban, reinitializing all settings and clearing current ban lists. |
Best Practice: Begin with reload. If changes are not applied or functional issues occur, use restart.
4. Key Configuration Files
- Main Configuration: /etc/fail2ban/fail2ban.conf
- Jail Configuration: /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local (use jail.local for custom settings to avoid overwrites during updates).
- Log File: /var/log/fail2ban.log
5. Managing Jails
View active jails:
sudo fail2ban-client status
Get detailed status of a specific jail:
sudo fail2ban-client status <jail_name>
Ban an IP manually in a jail:
sudo fail2ban-client set <jail_name> banip <IP_address>
Unban an IP from a jail:
sudo fail2ban-client set <jail_name> unbanip <IP_address>
Unban all IPs from a specific jail:
sudo fail2ban-client set <jail_name> unban --all
6. Sample Jail Configuration
Customize /etc/fail2ban/jail.local to protect SSH:
[DEFAULT]
# Defaults for all jails
ignoreip = 127.0.0.1/8 192.168.1.0/24 # Whitelist specific IPs or ranges
bantime = 3600 # 1 hour ban duration
findtime = 600 # Time window to detect multiple failed attempts
maxretry = 3 # Max failed attempts before banning
backend = auto # Log backend, usually auto-detected
[sshd]
enabled = true # Enable the SSH jail
port = ssh # Override port if not default
logpath = /var/log/auth.log # Path to SSH authentication log
filter = sshd # Use the SSH filter for matching logs
After editing:
# Reload Fail2ban to apply changes
sudo fail2ban-client reload
7. Analyzing Logs
Monitor Fail2ban activity:
sudo tail -f /var/log/fail2ban.log
Find banned IPs in the logs:
grep 'Ban' /var/log/fail2ban.log
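The grep above lists ban events but not which IPs are still banned right now, since later Unban lines cancel earlier Ban lines. The following script, added here as an example and not part of the original cheat sheet, replays Ban, Unban and Restore Ban events from /var/log/fail2ban.log in order and reports the IPs still banned per jail plus repeat offenders. The log lines are constructed for the example, following the layout Fail2ban writes for its actions logger; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/fail2ban.log lines (not captured from a real host).
SAMPLE_LOG = """\
2024-03-04 10:02:30,101 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.5 - 2024-03-04 10:02:30
2024-03-04 10:02:31,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-04 10:05:00,000 fail2ban.actions        [1234]: NOTICE  [apache-auth] Ban 198.51.100.7
2024-03-04 11:02:31,050 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-04 11:10:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-04 11:30:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Restore Ban 203.0.113.77
"""

# Matches the actions-logger lines only; "Found" lines from the filter logger are skipped.
# "Restore Ban" is what Fail2ban logs when it re-applies bans from its database at startup.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Restore Ban|Ban|Unban) (?P<ip>\S+)$"
)


def parse_ban_events(text):
    """Return (timestamp, jail, event, ip) tuples for every ban-related line, in file order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m["ts"], m["jail"], m["event"], m["ip"]))
    return events


def currently_banned(text):
    """Replay the events; map each jail to the sorted IPs that have a Ban not yet cancelled by an Unban."""
    state = defaultdict(set)
    for _, jail, event, ip in parse_ban_events(text):
        if event == "Unban":
            state[jail].discard(ip)
        else:  # "Ban" and "Restore Ban" both put the IP into the banned set
            state[jail].add(ip)
    return {jail: sorted(ips) for jail, ips in state.items() if ips}


def ban_counts(text):
    """Count fresh bans (not restores) per IP across all jails, to spot repeat offenders."""
    return Counter(ip for _, _, event, ip in parse_ban_events(text) if event == "Ban")


if __name__ == "__main__":
    print("currently banned:", currently_banned(SAMPLE_LOG))
    print("bans per IP:", ban_counts(SAMPLE_LOG).most_common())
```

On a live system, read the real file instead of SAMPLE_LOG (for example with `open("/var/log/fail2ban.log").read()`) and compare the result with `fail2ban-client status <jail_name>`; a mismatch usually means the log was rotated after a ban or Fail2ban was restarted without its database.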
8. Create a Custom Jail
To protect Apache from login-related brute-force attacks:
- Add this to /etc/fail2ban/jail.local:
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 3600
- Create the filter /etc/fail2ban/filter.d/apache-auth.conf:
[Definition]
failregex = .*client <HOST>.*authorization failed.*
ignoreregex =
- Reload Fail2ban to apply:
sudo fail2ban-client reload
- Test the custom filter:
sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
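fail2ban-regex only reports whether the failregex matches; the ban decision itself comes from combining the matches with findtime, maxretry and ignoreip from the jail settings in sections 6 and 8. The script below is an added example (not code from the cheat sheet or from the Fail2ban project) that replays that logic in Python over constructed Apache error-log lines: it expands <HOST> in the page's failregex, drops hits from ignoreip networks, keeps a per-host sliding window of findtime seconds and marks a host as banned once maxretry failures fall inside it. Assumptions: the <HOST> stand-in covers IPv4 literals only, the timestamp is matched over the whole line rather than stripped first as Fail2ban does, and the log lines are written so that the page's regex matches them.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Jail settings taken from the sample jail.local above.
FINDTIME = 600      # seconds: window in which failures are counted
MAXRETRY = 3        # failures inside the window that trigger a ban
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24"]

# failregex from the custom apache-auth filter above.
FAILREGEX = r".*client <HOST>.*authorization failed.*"

# Fail2ban expands <HOST> to a pattern covering IPv4, IPv6 and hostnames;
# this stand-in covers IPv4 literals only (simplification for the example).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Apache error-log timestamp prefix, e.g. "[Mon Mar 04 10:00:01.000000 2024]".
TIMESTAMP_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\]"
)

# Constructed log lines (not captured from a real server), written to match the page's failregex.
LOG_LINES = [
    '[Mon Mar 04 10:00:01.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51234] AH01617: user admin: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:00:05.000000 2024] [auth_basic:error] [pid 1234] [client 198.51.100.7:40000] AH01617: user root: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:01:10.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51235] AH01617: user admin: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:02:30.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51236] AH01617: user admin: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:03:00.000000 2024] [auth_basic:error] [pid 1234] [client 192.168.1.20:5000] AH01617: user bob: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:03:01.000000 2024] [auth_basic:error] [pid 1234] [client 192.168.1.20:5001] AH01617: user bob: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:03:02.000000 2024] [auth_basic:error] [pid 1234] [client 192.168.1.20:5002] AH01617: user bob: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:03:30.000000 2024] [core:info] [pid 1234] [client 203.0.113.9:1] AH00128: File does not exist: /var/www/html/x',
    '[Mon Mar 04 10:20:00.000000 2024] [auth_basic:error] [pid 1234] [client 198.51.100.7:40001] AH01617: user root: authorization failed for "/admin": Password Mismatch',
    '[Mon Mar 04 10:40:00.000000 2024] [auth_basic:error] [pid 1234] [client 198.51.100.7:40002] AH01617: user root: authorization failed for "/admin": Password Mismatch',
]


def compile_failregex(failregex):
    """Turn a Fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_timestamp(line):
    """Return the line's time as a Unix timestamp (UTC assumed), or None if it has none."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def is_ignored(host, ignoreip):
    """True when host falls inside any ignoreip address or network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def evaluate_jail(lines, failregex=FAILREGEX, findtime=FINDTIME,
                  maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Replay log lines through the jail logic; return hosts that would be banned,
    in the order the ban decision was reached."""
    rx = compile_failregex(failregex)
    recent = {}     # host -> failure timestamps still inside the findtime window
    banned = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue                      # line does not match failregex
        host = m["host"]
        if is_ignored(host, ignoreip):
            continue                      # whitelisted: never counted
        ts = parse_timestamp(line)
        if ts is None:
            continue
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", evaluate_jail(LOG_LINES))   # would ban: ['203.0.113.5']
```

In the sample, 203.0.113.5 fails three times within about two and a half minutes and is banned; 198.51.100.7 also fails three times but twenty minutes apart, so the window never holds more than one failure and no ban results; 192.168.1.20 is inside ignoreip and is never counted. Raising findtime to 3600 bans the second host as well, which is the trade-off to keep in mind when tuning findtime against slow brute-force attempts.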
9. Debugging
Check configuration syntax:
sudo fail2ban-client -d
View system logs for Fail2ban:
journalctl -u fail2ban
10. Persistent Bans Across Restarts
If you want bans to persist after Fail2ban is restarted:
- Enable persistent bans in /etc/fail2ban/jail.local:
[DEFAULT]
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
- Restart Fail2ban:
sudo systemctl restart fail2ban
11. iptables Integration
To view the iptables rules created by Fail2ban:
sudo iptables -L -n
To flush all iptables rules in the filter table (this removes Fail2ban's chains, but also every other rule in that table, so expect the rest of your firewall to be dropped as well; Fail2ban recreates its chains when restarted):
sudo iptables -F
12. Security Best Practices
- Always whitelist critical IPs using ignoreip to prevent accidental bans.
- Customize jail.local for site-specific setups (avoid editing jail.conf).
- Regularly monitor /var/log/fail2ban.log for suspicious activity or misconfigurations.
- Periodically test your filters using: sudo fail2ban-regex <logfile> <filter_file>
- Enable email alerts for ban events by customizing the action parameter in your jails.
Fail2ban is a powerful tool to lock down your system against brute-force attacks. Regularly monitor logs, refine filters, and keep configs well-maintained for optimal performance and security.
Published by Ramiro Gómez on . Subscribe to the Geeksta RSS feed to be informed about new posts.
Tags: sysadmin cheat sheet fail2ban