Questions tagged [fail2ban]

anti-brute-force daemon that bans IP addresses after repeated authentication failures against services such as SSH

fail2ban is a daemon that helps protect network services such as SSH from password guessing. It does not inspect network traffic; it tails log files (for example /var/log/auth.log, or the systemd journal) and matches each new line against a per-service filter: a set of regular expressions containing a <HOST> placeholder that extracts the offending client address. When one address accumulates maxretry matching failures within findtime seconds, fail2ban runs a ban action against that address, normally a firewall rule, and removes it again after bantime seconds. Addresses and networks listed in ignoreip are never banned. This matters because an attacker will often connect to an SSH daemon over and over and try every password in a list until one works (brute forcing); banning per source address caps how many guesses each source gets. The limit is per address, so an attacker who spreads attempts across many hosts is slowed far less, and fail2ban is a complement to, not a substitute for, disabling password authentication in favour of keys.

fail2ban ships filters and jails for a number of services. The most common use is SSH, but it also works with other network daemons that log failed attempts together with the client address, such as Apache and Postfix, and a custom filter can cover any service whose log format can be matched with a regular expression.

Internally, the log watching and regex matching are done by fail2ban itself (it is written in Python); the firewall is only involved in the ban action. The default action on Linux inserts iptables rules, and alternative actions exist for nftables, firewalld and ipfw on FreeBSD, among others. On major distributions it is installed from the fail2ban package; the daemon is fail2ban-server, and fail2ban-client is used to query and control it (listing jails, banning and unbanning addresses), while jails are configured in jail.local rather than by editing jail.conf.
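The detection loop described above, as an added illustration written for this page (it is not fail2ban's own implementation): it reads a jail.local-style configuration with configparser, expands a filter-style failregex whose <HOST> token is replaced by a simplified address pattern (fail2ban's real pattern is stricter and also accepts hostnames), and replays constructed sshd log lines through a sliding findtime window with maxretry and ignoreip applied. The jail values, the log lines and the addresses (taken from documentation ranges) are all made up for the example, and because syslog timestamps carry no year a fixed one is assumed.

```python
import configparser
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail.local-style configuration; the values are hypothetical, not fail2ban defaults.
JAIL_LOCAL = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 192.0.2.10

[sshd]
enabled = true
"""

# Simplified stand-in for fail2ban's <HOST> token (assumption: the real one is stricter
# and also matches hostnames); it is sufficient for IPv4 and IPv6 literals.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# One failregex in fail2ban filter style, written against sshd's "Failed password" wording.
FAILREGEX = [
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+",
]

# Constructed syslog-format auth.log sample (addresses from documentation ranges).
LOG_LINES = [
    "Aug 30 11:07:38 host sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Aug 30 11:07:41 host sshd[1201]: Failed password for root from 203.0.113.5 port 51124 ssh2",
    "Aug 30 11:07:44 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2",
    "Aug 30 11:07:50 host sshd[1205]: Accepted publickey for alice from 198.51.100.8 port 50000 ssh2",
    "Aug 30 11:08:00 host sshd[1203]: Failed password for root from 192.0.2.10 port 40000 ssh2",
    "Aug 30 11:08:02 host sshd[1203]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Aug 30 11:08:04 host sshd[1203]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "Aug 30 11:10:00 host sshd[1204]: Failed password for root from 198.51.100.7 port 40100 ssh2",
    "Aug 30 11:25:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 40101 ssh2",
    "Aug 30 11:26:00 host sshd[1206]: Failed password for root from 198.51.100.7 port 40102 ssh2",
]


def compile_failregex(patterns):
    """Expand <HOST> the way a fail2ban filter is expanded, then compile."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def load_jail(text, name):
    """Read bantime/findtime/maxretry/ignoreip for one jail, falling back to [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[name]
    nets = [ipaddress.ip_network(n, strict=False) for n in sec.get("ignoreip", "").split()]
    return {
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
        "ignoreip": nets,
    }


def is_ignored(host, networks):
    """True if the address falls inside any ignoreip entry (single hosts are /32 or /128)."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def parse_syslog_time(line, year):
    """syslog lines carry no year; fail2ban assumes the current one, here a fixed constant."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def first_match(line, regexes):
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m
    return None


def scan(lines, jail, regexes, year=2024):
    """Replay log lines through the jail; returns (bans, matched_line_count).

    bans is a list of (host, ban_time, unban_time). A host is banned once it has
    maxretry matches inside the sliding findtime window; older matches drop out of it.
    """
    window = defaultdict(deque)
    bans = []
    matched = 0
    for line in lines:
        m = first_match(line, regexes)
        if m is None:
            continue
        matched += 1
        host = m.group("host")
        if is_ignored(host, jail["ignoreip"]):
            continue
        ts = parse_syslog_time(line, year)
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > jail["findtime"]:
            q.popleft()
        if len(q) >= jail["maxretry"]:
            bans.append((host, ts, ts + timedelta(seconds=jail["bantime"])))
            q.clear()
    return bans, matched


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "sshd")
    bans, matched = scan(LOG_LINES, jail, compile_failregex(FAILREGEX))
    print(f"{matched} lines matched the filter")
    for host, start, end in bans:
        print(f"ban {host} at {start:%H:%M:%S}, lift at {end:%H:%M:%S}")
```

In the sample, 203.0.113.5 is banned on its third failure within ten minutes, 192.0.2.10 fails three times but is in ignoreip, and 198.51.100.7 fails three times spread over sixteen minutes, so the first failure has aged out of the findtime window and no ban results. When writing a real filter, the same matching can be checked against a live log with fail2ban-regex before enabling the jail.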

136 questions
37 votes, 11 answers

Delete all fail2ban bans in Ubuntu Linux

How can I delete all fail2ban bans in Ubuntu? I tried everything but I don't get it. I just want to delete all bans - but I don't know any IP addresses.
Patrick
15 votes, 4 answers

How to configure fail2ban with systemd journal?

I've installed fail2ban on a Debian Jessie LXC container; currently it's failing due to: Starting authentication failure monitor: fail2ban ERROR No file(s) found for glob /var/log/auth.log ERROR Failed during configuration: Have not found any log file…
Tombart
15 votes, 1 answer

Installing fail2ban on CentOS 7

I am using @GarethTheRed's answer to this question to install fail2ban on a remote CentOS 7 server. I am able to complete all the steps up until tail -f /var/log/fail2ban.log, at which point I get different results than he gets in his answer. …
CodeMed
9 votes, 1 answer

Large fail2ban database, normal?

The fail2ban database on my server is quite large (420MB). The fail2ban log is quite busy (there is a "filter" entry every two seconds) but iptables shows only a few banned addresses. dbpurgeage is 86400 seconds (24 hours). Is this size coherent with…
xenoid
8 votes, 2 answers

Creating an alternate jail in fail2ban for manual banning

I have a fail2ban instance that works well. But I also like to occasionally examine the logs manually and try to ID system probes that are working around my standard f2b definitions. What I'm looking for is how I can define a jail that will last an…
Trent Three
8 votes, 1 answer

Ignore a specific IP for fail2ban

I am using fail2ban with ipfw on FreeBSD. Is there a way to ignore a specific IP address, making sure that fail2ban never blocks or reports it?
Peter Smit
8 votes, 2 answers

How does fail2ban detect the time of an intrusion attempt if the log files don't have timestamps?

I know how to use fail2ban and how to configure a jail, but I'm not comfortable with how it actually works. The thing is, there's a particular jail option that piques my curiosity: findtime. When I configure a filter, it is necessary to use the…
Gui-Don
7 votes, 1 answer

fail2ban-regex test always tells no host in group

I'm trying to build a filter myself using regex. This is a line I want to filter for example: Aug 30 11:07:38 *** postfix/smtpd[17969]: connect from vps10685425.123-vps.co.uk[46.32.239.160] And this is my RegEx…
mike.b93
7 votes, 6 answers

How can I teach fail2ban to detect and block attacks from a whole network block?

I have correctly installed fail2ban on my machine, activating the rules for ssh, ssh-dos and recidive; it all works ok. Lately, I have seen an increasing pattern of repetitive attacks from different hosts from the same networks, which circumvent…
Rmano
6 votes, 5 answers

Memory consumption of Fail2Ban on CentOS

Fail2Ban is using a huge amount of memory on my system (1.2 GB). There are several articles which describe how to reduce it. Below is an example for Debian: append the ulimit command to the /etc/default/fail2ban file. Add (to the file) on last…
Il Quadrifoglio
5 votes, 1 answer

How does fail2ban protect against DDoS?

How does fail2ban protect against SSH DDoS attacks? What does it do in the case of a DDoS attack? And how does it determine if it is a DDoS? I am asking only about DDoS attacks. (I assume it really can protect against DDoS because articles like How…
porton
5 votes, 2 answers

How to use fail2ban to ban all php and cgi-bin requests

On a daily basis I see the Apache log full of requests initiated by different vulnerability scanner apps. Those hundreds of requests from usually the same IP addresses not only make the log dirty but also use some server resources. As I do not have any PHP…
ssasa
4 votes, 1 answer

Fail2ban multiple actions

I am trying to create a jail for fail2ban, where upon a regex match I want to block the source IP from reaching either port 80 or 443 on my server. I've tried variations of this: action = iptables[name=HTTP, port=http, protocol=tcp] …
TSG
4 votes, 0 answers

Fail2ban & nftables errors, IPs not banned

So I've been experimenting with nftables in CentOS 8 and things are going pretty well, but I'm having a weird problem with fail2ban. Fail2ban cannot ban IPs with nftables-multiport or nftables-allports. I'm seeing the following errors in…
b6-redacted
4 votes, 1 answer

fail2ban applying ban but is not blocking the connection

I have a fail2ban setup enabled for sshd on CentOS. It is reading the logs fine. Doing some testing with SSH failed logins from a remote server: Nov 23 20:51:52 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx Nov 23 20:51:55 new…
Zeno